Merge pull request #15 from AI-Tutor-2024/security

[FIX] oauth session 문제 해결 시도

Author: hyunbin1

src/main/java/com/example/ai_tutor/global/config/security/SecurityConfig.java

@@ -3,6 +3,8 @@
 import com.example.ai_tutor.domain.auth.application.CustomDefaultOAuth2UserService;
 import com.example.ai_tutor.domain.auth.application.CustomUserDetailsService;
 import com.example.ai_tutor.domain.auth.domain.repository.CustomAuthorizationRequestRepository;
+import com.example.ai_tutor.global.config.security.auth.CustomOAuth2AuthorizationRequestRedirectFilter;
+import com.example.ai_tutor.global.config.security.auth.CustomOAuth2AuthorizationRequestResolver;
 import com.example.ai_tutor.global.config.security.handler.CustomSimpleUrlAuthenticationFailureHandler;
 import com.example.ai_tutor.global.config.security.handler.CustomSimpleUrlAuthenticationSuccessHandler;
 import com.example.ai_tutor.global.config.security.token.CustomAuthenticationEntryPoint;
@@ -14,63 +16,48 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 import java.util.Arrays;
 import java.util.List;
 
-@RequiredArgsConstructor
 @Configuration
+@RequiredArgsConstructor
 @EnableWebSecurity
+@EnableMethodSecurity
 public class SecurityConfig {
 
     private final CustomUserDetailsService customUserDetailsService;
     private final CustomDefaultOAuth2UserService customOAuth2UserService;
     private final CustomSimpleUrlAuthenticationSuccessHandler oAuth2AuthenticationSuccessHandler;
     private final CustomSimpleUrlAuthenticationFailureHandler oAuth2AuthenticationFailureHandler;
     private final CustomAuthorizationRequestRepository customAuthorizationRequestRepository;
+    private final CustomOAuth2AuthorizationRequestRedirectFilter customOAuth2AuthorizationRequestRedirectFilter;
+    private final CustomOAuth2AuthorizationRequestResolver customOAuth2AuthorizationRequestResolver;
+    private final JwtAuthenticationFilter jwtAuthenticationFilter;
 
-    @Bean
-    public PasswordEncoder passwordEncoder() {
-        return new BCryptPasswordEncoder();
-    }
-
-    @Bean
-    public JwtAuthenticationFilter customOncePerRequestFilter() {
-        return new JwtAuthenticationFilter();
-    }
-
-    @Bean
-    public DaoAuthenticationProvider authenticationProvider() {
-        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
-
-        authenticationProvider.setUserDetailsService(customUserDetailsService);
-        authenticationProvider.setPasswordEncoder(passwordEncoder());
-
-        return authenticationProvider;
-    }
-
-    @Bean
-    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
-        return authenticationConfiguration.getAuthenticationManager();
-    }
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
                 .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                 .csrf(AbstractHttpConfigurer::disable)
                 .httpBasic(AbstractHttpConfigurer::disable)
+                .addFilterBefore(customOAuth2AuthorizationRequestRedirectFilter, OAuth2AuthorizationRequestRedirectFilter.class)
+                .addFilterBefore(jwtAuthenticationFilter, LogoutFilter.class)
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .formLogin(AbstractHttpConfigurer::disable)
                 .exceptionHandling(exception -> exception.authenticationEntryPoint(new CustomAuthenticationEntryPoint()))
@@ -88,15 +75,15 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 .oauth2Login(oauth2 -> oauth2
                         .authorizationEndpoint(authorization -> authorization
                                 .baseUri("/oauth2/authorize")
-                                .authorizationRequestRepository(customAuthorizationRequestRepository))
+                                .authorizationRequestRepository(customAuthorizationRequestRepository)
+                                .authorizationRequestResolver(customOAuth2AuthorizationRequestResolver))
                         .redirectionEndpoint(redirection -> redirection
                                 .baseUri("/oauth2/callback/**"))
                         .userInfoEndpoint(userInfo -> userInfo
                                 .userService(customOAuth2UserService))
                         .successHandler(oAuth2AuthenticationSuccessHandler)
                         .failureHandler(oAuth2AuthenticationFailureHandler));
 
-        http.addFilterBefore(customOncePerRequestFilter(), UsernamePasswordAuthenticationFilter.class);
         return http.build();
     }
 
@@ -113,6 +100,24 @@ public CorsConfigurationSource corsConfigurationSource() {
         source.registerCorsConfiguration("/**", configuration);
         return source;
     }
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
 
+    @Bean
+    public DaoAuthenticationProvider authenticationProvider() {
+        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
 
+        authenticationProvider.setUserDetailsService(customUserDetailsService);
+        authenticationProvider.setPasswordEncoder(passwordEncoder());
+
+        return authenticationProvider;
+    }
+
+    @Bean
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
+        return authenticationConfiguration.getAuthenticationManager();
+    }
 }

src/main/java/com/example/ai_tutor/global/config/security/auth/CustomOAuth2AuthorizationRequestRedirectFilter.java

@@ -1,5 +1,6 @@
 package com.example.ai_tutor.global.config.security.auth;
 
+import com.example.ai_tutor.global.config.security.util.CustomCookie;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -24,13 +25,13 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
         String redirectUrl = request.getParameter("redirect_url");
         String errorRedirectUrl = request.getParameter("error_redirect_url");
 
-        // 쿼리 파라미터가 있다면 세션에 저장
+        // 쿼리 파라미터가 있다면 쿠키에 저장
         if (redirectUrl != null) {
-            request.getSession().setAttribute("OAUTH2_REDIRECT_URL", redirectUrl);
+            CustomCookie.addCookie(response, "redirect_uri", redirectUrl, 180);
         }
 
         if (errorRedirectUrl != null) {
-            request.getSession().setAttribute("OAUTH2_ERROR_REDIRECT_URL", errorRedirectUrl);
+            CustomCookie.addCookie(response, "error_redirect_uri", errorRedirectUrl, 180);
         }
 
         // 기존 필터 체인 동작

src/main/java/com/example/ai_tutor/global/config/security/auth/CustomOAuth2AuthorizationRequestResolver.java

@@ -17,10 +17,7 @@ public CustomOAuth2AuthorizationRequestResolver(ClientRegistrationRepository cli
         this.delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, "/oauth2/authorize");
 
         this.delegate.setAuthorizationRequestCustomizer(builder -> {
-            String registrationId = (String) builder.build().getAttributes().get("registration_id");
-            if ("google".equals(registrationId)) {
-                builder.additionalParameters(params -> params.put("prompt", "select_account"));
-            }
+            builder.additionalParameters(params -> params.put("prompt", "consent"));
         });
     }
 

src/main/java/com/example/ai_tutor/global/config/security/handler/CustomSimpleUrlAuthenticationSuccessHandler.java

@@ -5,8 +5,6 @@
 import com.example.ai_tutor.domain.auth.domain.repository.CustomAuthorizationRequestRepository;
 import com.example.ai_tutor.domain.auth.domain.repository.TokenRepository;
 import com.example.ai_tutor.domain.auth.dto.TokenMapping;
-import com.example.ai_tutor.global.DefaultAssert;
-import com.example.ai_tutor.global.config.security.OAuth2Config;
 import com.example.ai_tutor.global.config.security.util.CustomCookie;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.Cookie;

src/main/java/com/example/ai_tutor/global/config/security/token/JwtAuthenticationFilter.java

@@ -5,21 +5,24 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
 
 @Slf4j
+@Component
+@RequiredArgsConstructor
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
-    @Autowired
-    private JwtUtil jwtUtil;
+    private final JwtUtil jwtUtil;
 
     public static final String AUTHORIZATION_HEADER_NAME = "Authorization";
     public static final String BEARER_TOKEN_PREFIX = "Bearer ";