Spring Security 인증/인가 구조 개편 및 GUEST 로그인 도입 완료 #456

Merged
merged 11 commits into from
Aug 12, 2024
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
package page.clab.api.domain.auth.login.domain;

import jakarta.persistence.Column;
import jakarta.persistence.Id;
import lombok.AccessLevel;
import lombok.AllArgsConstructor;
Expand Down Expand Up @@ -51,6 +50,6 @@ public boolean isSameIp(String ip) {
}

public boolean isAdminToken() {
return role == Role.ADMIN || role == Role.SUPER;
return role.isHigherThan(Role.ADMIN);
}
}
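Review bot: `isAdminToken()` now returns false for a token whose role is ADMIN, because `Role.isHigherThan` is a strict comparison (`this.toRoleLevel() > role.toRoleLevel()`), whereas the removed line treated both ADMIN and SUPER as admin tokens. Since this method gates the issuing-IP check in the JWT filter (the `redisToken.isAdminToken() && !redisToken.isSameIp(...)` branch later in this PR), ADMIN-role tokens would no longer be pinned to the IP they were issued from; only SUPER would. Make it inclusive, e.g. `return !Role.ADMIN.isHigherThan(role);` (or `return role.toRoleLevel() >= Role.ADMIN.toRoleLevel();`), and add a unit test asserting that both ADMIN and SUPER tokens are admin tokens. The rest of this class is outside the hunk.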
Original file line number Diff line number Diff line change
Expand Up @@ -23,4 +23,8 @@ public Long toRoleLevel() {
case SUPER -> 3L;
};
}

public boolean isHigherThan(Role role) {
return this.toRoleLevel() > role.toRoleLevel();
}
}
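Review bot: `isHigherThan` is strict — `Role.ADMIN.isHigherThan(Role.ADMIN)` is false — yet its only call site in this PR (`isAdminToken()`) needs "ADMIN or above", so the contract should be stated to prevent that misuse; add a Javadoc such as `/** True if this role's level is strictly greater than {@code role}'s; a role is never higher than itself. */`. A companion `public boolean isAtLeast(Role role) { return this.toRoleLevel() >= role.toRoleLevel(); }` would give callers the inclusive form without reimplementing the level comparison. `role` is dereferenced without a check; `Objects.requireNonNull(role, "role")` gives a clearer failure than an NPE inside the comparison. `toRoleLevel()` starts above the hunk, so the level assigned to ADMIN is not visible here.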
Original file line number Diff line number Diff line change
Expand Up @@ -64,14 +64,18 @@ private boolean verifyIpAddressAccess(HttpServletResponse response, String clien

private boolean authenticateToken(HttpServletRequest request, HttpServletResponse response, String clientIpAddress) throws IOException {
String token = jwtTokenProvider.resolveToken(request);

// 토큰이 존재하고 유효한 경우
if (token != null && jwtTokenProvider.validateToken(token)) {
RedisToken redisToken = jwtTokenProvider.isRefreshToken(token) ? externalManageRedisTokenUseCase.findByRefreshToken(token) : externalManageRedisTokenUseCase.findByAccessToken(token);
if (redisToken == null) {
log.warn("존재하지 않는 토큰입니다.");
ResponseUtil.sendErrorResponse(response, HttpServletResponse.SC_UNAUTHORIZED);
return false;
}
if (!redisToken.getIp().equals(clientIpAddress)) {

// 관리자 토큰이고, 토큰 발급 IP와 다른 IP에서 접속한 경우 토큰 삭제
if (redisToken.isAdminToken() && !redisToken.isSameIp(clientIpAddress)) {
externalManageRedisTokenUseCase.deleteByAccessToken(token);
sendSecurityAlertSlackMessage(request, redisToken);
log.warn("[{}] 토큰 발급 IP와 다른 IP에서 접속하여 토큰을 삭제하였습니다.", clientIpAddress);
Expand All @@ -80,10 +84,8 @@ private boolean authenticateToken(HttpServletRequest request, HttpServletRespons
}
Authentication authentication = jwtTokenProvider.getAuthentication(token);
SecurityContextHolder.getContext().setAuthentication(authentication);
return true;
} else {
return true;
}
return true;
}

private void sendSecurityAlertSlackMessage(HttpServletRequest request, RedisToken redisToken) {
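Review bot: A request that presents a token which fails `validateToken` (presumably an expired or tampered one) now falls through to the final `return true` with nothing logged and no authentication set, so it is indistinguishable from an anonymous/GUEST request and the client gets whatever authorization later decides instead of a 401 that would prompt a refresh. If the fall-through is meant only for the no-token case, reject a present-but-invalid token explicitly before the `if`: `if (token != null && !jwtTokenProvider.validateToken(token)) { ResponseUtil.sendErrorResponse(response, HttpServletResponse.SC_UNAUTHORIZED); return false; }`; at minimum log it, since silently ignoring bad tokens hides probing. Separately, when `token` is a refresh token the lookup uses `findByRefreshToken` but the revocation on IP mismatch calls `deleteByAccessToken(token)` — if that method keys on the access-token value (not visible here) the refresh token is never actually revoked; confirm or call the matching delete. Note also that the IP check now hinges on `isAdminToken()`, whose new strict-comparison definition in this PR excludes the ADMIN role. The body of the first `if` continues outside the hunk.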