Merge pull request #33 from selab-hs/dev

[Merge] dev → main 코드 통합

Author: PDJ-N

build.gradle

@@ -24,16 +24,51 @@ repositories {
 }
 
 dependencies {
+    implementation 'org.springframework.boot:spring-boot-starter'
+
+    // JPA
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-    implementation 'org.springframework.boot:spring-boot-starter-jdbc'
+
+    // Thymeleaf
+    implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+
+    // Security
+    implementation 'org.springframework.boot:spring-boot-starter-security'
+    implementation 'org.springframework.boot:spring-boot-starter-validation'
+
+    // JWT
+    implementation group: 'io.jsonwebtoken', name: 'jjwt-api', version: '0.11.5'
+    runtimeOnly group: 'io.jsonwebtoken', name: 'jjwt-impl', version: '0.11.5'
+    runtimeOnly group: 'io.jsonwebtoken', name: 'jjwt-jackson', version: '0.11.5'
+
+    // Spring Web
     implementation 'org.springframework.boot:spring-boot-starter-web'
+
+    // Lombok
     compileOnly 'org.projectlombok:lombok'
-    runtimeOnly 'com.mysql:mysql-connector-j'
     annotationProcessor 'org.projectlombok:lombok'
+
+    // Database
+    implementation 'com.mysql:mysql-connector-j:8.2.0'  // 보안 취약점 패치(>=8.2.0) 적용
+    implementation 'org.springframework.boot:spring-boot-starter-jdbc'
+    runtimeOnly 'com.h2database:h2'
+
+    // Test tool
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
     testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+    testCompileOnly 'org.projectlombok:lombok'
+    testAnnotationProcessor 'org.projectlombok:lombok'
+
+    // Querydsl
+    implementation 'com.querydsl:querydsl-jpa:5.0.0:jakarta'
+    annotationProcessor "com.querydsl:querydsl-apt:${dependencyManagement.importedProperties['querydsl.version']}:jakarta"
+    annotationProcessor "jakarta.annotation:jakarta.annotation-api"
+    annotationProcessor "jakarta.persistence:jakarta.persistence-api"
+
+    // Swagger
+    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.0.2'
 }
 
 tasks.named('test') {
     useJUnitPlatform()
-}
+}

src/main/java/com/demo/DemoApplication.java

@@ -1,9 +1,14 @@
 package com.demo;
 
+import com.demo.config.properties.JWTProperties;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 
 @SpringBootApplication
+@EnableConfigurationProperties(
+        JWTProperties.class
+)
 public class DemoApplication {
 
     public static void main(String[] args) {

src/main/java/com/demo/config/CorsConfig.java

@@ -0,0 +1,27 @@
+package com.demo.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
+
+/**
+ * 애플리케이션에서 CORS 설정을 하기 위한 Configuration
+ *
+ * @author duskafka
+ * */
+@Configuration
+public class CorsConfig {
+   @Bean
+   public CorsFilter corsFilter() {
+      UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+      CorsConfiguration config = new CorsConfiguration();
+      config.setAllowCredentials(true);
+      config.addAllowedOriginPattern("*");
+      config.addAllowedHeader("*");
+      config.addAllowedMethod("*");
+      source.registerCorsConfiguration("/api/v1/**", config);
+      return new CorsFilter(source);
+   }
+}

src/main/java/com/demo/config/JpaConfig.java

@@ -0,0 +1,19 @@
+package com.demo.config;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
+
+/**
+ * JPA 설정을 설정하기 위한 Configuration
+ *
+ * <li>JPAQueryFactory: Querydsl을 사용하기 위해 JPAQueryFactory를 빈으로 등록</li>
+ *
+ * @author duskafka
+ * */
+@Slf4j
+@EnableJpaAuditing
+@Configuration
+public class JpaConfig {
+
+}

src/main/java/com/demo/config/JwtSecurityConfig.java

@@ -0,0 +1,28 @@
+package com.demo.config;
+
+import com.demo.config.properties.JWTProperties;
+import com.demo.jwt.JwtFilter;
+import com.demo.jwt.TokenProvider;
+import com.demo.jwt.TokenValidator;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+@Configuration
+@RequiredArgsConstructor
+public class JwtSecurityConfig  extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
+    private final TokenProvider tokenProvider;
+    private final TokenValidator tokenValidator;
+    private final JWTProperties jwtProperties;
+
+    @Override
+    public void configure(HttpSecurity http) {
+        http.addFilterBefore(
+                new JwtFilter(tokenProvider, tokenValidator, jwtProperties),
+                UsernamePasswordAuthenticationFilter.class
+        );
+    }
+}

src/main/java/com/demo/config/SecurityConfig.java

@@ -0,0 +1,104 @@
+package com.demo.config;
+
+import com.demo.config.properties.JWTProperties;
+import com.demo.jwt.JwtAccessDeniedHandler;
+import com.demo.jwt.JwtAuthenticationEntryPoint;
+import com.demo.jwt.TokenProvider;
+import com.demo.jwt.TokenValidator;
+import com.demo.repository.StudentRepository;
+import com.demo.service.CustomLoginService;
+import lombok.AccessLevel;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.filter.CorsFilter;
+import org.springframework.web.cors.CorsUtils;
+
+@Slf4j
+@EnableWebSecurity
+@EnableMethodSecurity
+@Configuration
+@RequiredArgsConstructor(access = AccessLevel.PROTECTED)
+public class SecurityConfig {
+    private final CorsFilter corsFilter;
+    private final TokenProvider tokenProvider;
+    private final TokenValidator tokenValidator;
+    private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
+    private final JwtAccessDeniedHandler jwtAccessDeniedHandler;
+    private final JWTProperties jwtProperties;
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    @Bean
+    public CustomLoginService customLoginService(StudentRepository studentRepository) {
+        return new CustomLoginService(studentRepository);
+    }
+
+    @Bean
+    public AuthenticationManager authenticationManager(HttpSecurity http, PasswordEncoder passwordEncoder, CustomLoginService customLoginService) throws Exception {
+        return http.getSharedObject(AuthenticationManagerBuilder.class)
+                .userDetailsService(customLoginService)
+                .passwordEncoder(passwordEncoder)
+                .and()
+                .build();
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http.csrf(AbstractHttpConfigurer::disable)
+                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
+                .exceptionHandling(exception -> {
+                    exception.accessDeniedHandler(jwtAccessDeniedHandler)
+                            .authenticationEntryPoint(jwtAuthenticationEntryPoint);
+                })
+                .authorizeHttpRequests(request -> {
+                    request
+                            // UI 라우트: 비로그인 허용
+                            .requestMatchers("/", "/sign-in", "/sign-up").permitAll()
+                            .requestMatchers("/posts", "/posts/*", "/posts/edit/*").permitAll()
+                            .requestMatchers("/js/**", "/css/**", "/images/**", "/favicon.ico", "/error").permitAll()
+
+                            //  API 조회는 비로그인 허용
+                            .requestMatchers(HttpMethod.GET, "/api/v1/posts/**").permitAll()
+
+                            //  API 쓰기 작업은 인증 필요
+                            .requestMatchers(HttpMethod.POST,   "/api/v1/posts/**").authenticated()
+                            .requestMatchers(HttpMethod.PUT,    "/api/v1/posts/**").authenticated()
+                            .requestMatchers(HttpMethod.DELETE, "/api/v1/posts/**").authenticated()
+
+                            // 나머지 기존 정책
+                            .requestMatchers("/api/v1/auth/login", "/api/v1/auth/register", "/api/v1/auth/check-id").permitAll()
+                            .requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
+                            .requestMatchers("/api/v1/students/**").hasAnyRole("ADMIN", "USER")
+                            .requestMatchers(org.springframework.web.cors.CorsUtils::isPreFlightRequest).permitAll()
+                            .anyRequest().authenticated();
+                })
+                .sessionManagement(session -> {
+                    session.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+                })
+                .headers(headers -> {
+                    headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin);
+                })
+                .with(new JwtSecurityConfig(tokenProvider, tokenValidator, jwtProperties), customizer -> {
+                });
+        return http.build();
+    }
+}

src/main/java/com/demo/config/properties/JWTProperties.java

@@ -0,0 +1,28 @@
+package com.demo.config.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+/**
+ * JWT 토큰 프로퍼티를 가지는 클래스
+ *
+ * @author duskafka
+ * */
+@ConfigurationProperties(prefix = "jwt")
+public record JWTProperties(
+        //JWT 토큰이 HTTP 헤더에 담길 때 사용될 헤더 이름 (예: Authorization)
+        String accessTokenHeader,
+
+        //JWT 서명 및 검증에 사용될 비밀 키 (Base64 인코딩된 문자열)
+        //HS512 알고리즘을 사용할 것이기 때문에 512bit, 즉 64byte 이상의 secret key를 사용해야 합니다.
+        String secret,
+
+        //Access Token의 만료 기간 (초 단위)
+        long accessTokenValidityInHour,
+
+        //인증용 키
+        String authorityKey,
+
+        //액세스 토큰 인증 헤더
+        String bearerHeader
+) {
+}