[CowAPI] 8-2. SpringBoot Security

qawesdxcยท2022๋…„ 6์›” 4์ผ
0

์˜ค๋Š˜์˜ Cow

๋ชฉ๋ก ๋ณด๊ธฐ
13/45
post-thumbnail

๐Ÿ˜Ž 1. [CowAPI]Notice


  • ์š”๊ตฌ์‚ฌํ•ญ์— ๋”ฐ๋ผ ๊ณต์ง€์— ๋Œ€ํ•ด ์œ ์ €์˜ Role์„ ๊ด€๋ฆฌํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.

  • ํ”„๋กœํ† ํƒ€์ž…์œผ๋กœ User DB์˜ isAdmin ์œผ๋กœ if๋ฌธ์„ ๊ฑธ์–ด์„œ ๊ตฌํ˜„์„ ํ–ˆ์Šต๋‹ˆ๋‹ค.

  • Springboot security๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ์‚ฌ์šฉ์ž์˜ ๊ถŒํ•œ์„ ๊ด€๋ฆฌ๋ฅผ ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

  • ์•„๋ž˜์˜ Springboot security๋Š” Notice๋ฅผ ๊ธฐ์ค€์œผ๋กœ ์„ค๋ช…ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

  • ์ถ”ํ›„์—๋Š” JWT๋ฅผ ์ ์šฉํ•  ์˜ˆ์ •์ž…๋‹ˆ๋‹ค.


2. StringBoot Security


  • Springboot Security๋Š” authentication, authorization ๊ณผ common attack๋“ค์— ๋Œ€ํ•ด์„œ ๋ณดํ˜ธ๋ฅผ ์ œ๊ณตํ•˜๋Š” ํ”„๋ ˆ์ž„์›Œํฌ ์ž…๋‹ˆ๋‹ค.

dependencies

dependencies {
	implementation "org.springframework.boot:spring-boot-starter-security"
}

3. Code reivew


๐ŸŽƒ ํ˜„์žฌ๋Š” ์ฝ”๋“œ๋ฅผ ์ˆ˜์ •ํ–ˆ์œผ๋ฉฐ ์—ฌ๊ธฐ์—์„œ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

๐Ÿ˜Ž ํ๋ฆ„๊ณผ ์„ค๋ช…

  • UserAuthenticationConfig : SecurityConfigurerAdapter๋ฅผ extends ํ•˜๋ฉฐ UsernamePasswordAuthenticationFilter ์ด์ „์— UserAuthenticationFilter๋ฅผ ์ ์šฉํ•ฉ๋‹ˆ๋‹ค.
  • UserAuthenticationFilter : UsernamePasswordAuthenticationFilter๋ฅผ extends ํ•˜๋ฉฐ doFilter๋ฅผ ์ˆ˜ํ–‰ํ•ฉ๋‹ˆ๋‹ค.
  • UserAuthenticationProvider : Authentication Provider๋ฅผ implements ํ•˜๋ฉฐ Role์„ ๋ถ€์—ฌํ•ฉ๋‹ˆ๋‹ค.
  • UserAuthenticationConverter : AuthenticationConverter๋ฅผ implements ํ•˜๋ฉฐ http request๋ฅผ Authentication์œผ๋กœ convert ํ•˜๋Š” ํด๋ž˜์Šค ์ž…๋‹ˆ๋‹ค.
  • UserauthenticationService : UserDetailService๋ฅผ implementsํ•œ Dao ์ž…๋‹ˆ๋‹ค.
  • User : UserDetail์„ implements ํ•œ Entity ์ž…๋‹ˆ๋‹ค.

SecurityConfig


    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
        		// csrf๋ฅผ disable ํ–ˆ์Šต๋‹ˆ๋‹ค.
                .csrf().disable()
                .exceptionHandling()

                .and()
                    .authorizeRequests()
                    // Notice์˜ Role์„ ๊ฒ€์‚ฌํ•ฉ๋‹ˆ๋‹ค.
                    .antMatchers(HttpMethod.POST, "/api/v1/notices/notice").hasRole("ADMIN")
                    .antMatchers(HttpMethod.PUT, "/api/v1/notices/notice").hasRole("ADMIN")
                    .antMatchers(HttpMethod.DELETE, "/api/v1/notices/notice/**").hasRole("ADMIN")
                    .antMatchers(HttpMethod.GET, "/api/v1/notices/notice/**").hasAnyRole("ADMIN", "USER")
                    
                    // Swagger์˜ ์ ‘๊ทผ์„ permitALL() ํ•ฉ๋‹ˆ๋‹ค.
                    .antMatchers("/v3/api-docs/**", "/swagger-ui/**").permitAll()
                    .anyRequest().permitAll()

                .and()
                	// UsernamePasswordAuthenticationFilter ์ „์— ํ•„ํ„ฐ๋ฅผ ์ ์šฉํ•ฉ๋‹ˆ๋‹ค.
                	.apply(new UserAuthenticationConfig(userAuthenticationProvider))

                .and()
                	.authenticationManager(userAuthenticationManager);


    }

๐Ÿ˜Ž Notice ํ…Œ์ŠคํŠธ ๊ฒฐ๊ณผ

์ผ๋ฐ˜ ์‚ฌ์šฉ์ž ์ผ ๋•Œ

๊ด€๋ฆฌ์ž ์ผ ๋•Œ


Role ๋ถ€์—ฌํ•˜๊ธฐ ๊ธฐ๋Šฅ์„ ๊ตฌํ˜„ํ•˜๋ฉด์„œ


  • Springboot security๋ฅผ ์ฒ˜์Œ ์‚ฌ์šฉํ•ด๋ณด์•˜์Šต๋‹ˆ๋‹ค.
  • ๋‹ค๋ฅธ ๋ธ”๋กœ๊ทธ๋“ค๊ณผ๋Š” ๋‹ค๋ฅด๊ฒŒ CowAPI DB๋ฅผ ์ตœ๋Œ€ํ•œ ์ˆ˜์ •ํ•˜์ง€ ์•Š๊ณ  ๊ตฌํ˜„ํ•˜๊ธฐ์œ„ํ•ด ๋…ธ๋ ฅํ–ˆ์Šต๋‹ˆ๋‹ค.
  • Role์„ if-else ๋ฌธ์ด ์•„๋‹Œ security๋ฅผ ์‚ฌ์šฉํ•จ์œผ๋กœ์จ ์„œ๋น„์Šค์˜ ์ฝ”๋“œ๊ฐ€ ๊ฐ„๊ฒฐํ•ด์ง€๊ณ  ์•ˆ์ •์ ์œผ๋กœ ์šด์˜ํ•  ์ˆ˜ ์žˆ๋‹ค๋Š” ๊ฒƒ์„ ๊นจ๋‹ฌ์•˜์Šต๋‹ˆ๋‹ค.
  • csrf๋ฅผ ์ ์šฉํ•˜์ง€ ์•Š์•„์„œ GET์„ ์ œ์™ธํ•œ ๋‹ค๋ฅธ HTTP Method๋“ค์˜ ์—๋Ÿฌ๊ฐ€ ๋‚ฌ์Šต๋‹ˆ๋‹ค.
  • API ์„œ๋ฒ„์—์„œ๋Š” csrf๋ฅผ ์ ์šฉํ•˜์ง€ ์•Š์•„๋„ ๋˜์ง€๋งŒ ์„ธ์…˜ ๊ธฐ๋ฐ˜์˜ ์œ ์ € ๊ด€๋ฆฌ๋ฅผ ํ–ˆ์„ ๋•Œ ํ•„์š”ํ•  ๊ฒƒ์ด๋ผ๊ณ  ์ƒ๊ฐํ•˜์—ฌ ํ•œ๋ฒˆ ๊ตฌํ˜„์„ ํ•ด๋ณด๊ณ  ํ…Œ์ŠคํŠธ๋ฅผ ์ง„ํ–‰ํ•ด๋ณด์•˜์Šต๋‹ˆ๋‹ค.
  • ์ถ”ํ›„์— JWT์™€ CORS๋ฅผ ์ ์šฉํ•  ์˜ˆ์ •์ž…๋‹ˆ๋‹ค.

Code


Github : CowAPI


profile
๋ˆˆ ๋‚ด๋ฆฌ๋Š” ๊ฒจ์šธ์ด ์ข‹์•„!

0๊ฐœ์˜ ๋Œ“๊ธ€