next-step · iinow · Oct 31, 2024 · Nov 1, 2024 · Nov 1, 2024 · Nov 1, 2024
diff --git a/README.md b/README.md
@@ -1 +1,7 @@
 # spring-security-authentication
+
+## 구현 기능 목록
+* refactor: formLoginAuthInterceptor
+* feat: 로그인 기능 구현
+* feat: 인증 검사 인터셉터 추가
+* feat: basic 인증 인터셉터 추가
diff --git a/src/main/java/nextstep/app/config/SecurityConfig.java b/src/main/java/nextstep/app/config/SecurityConfig.java
@@ -0,0 +1,48 @@
+package nextstep.app.config;
+
+import nextstep.security.DefaultSecurityFilterChain;
+import nextstep.security.filter.AuthorizationFilter;
+import nextstep.security.filter.BasicAuthenticationFilter;
+import nextstep.security.filter.FilterChainProxy;
+import nextstep.security.filter.FormLoginAuthFilter;
+import nextstep.security.manager.ProviderManager;
+import nextstep.security.provider.UsernamePasswordProvider;
+import nextstep.security.service.UserDetailsService;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.filter.GenericFilterBean;
+
+import java.util.List;
+
+@Configuration
+public class SecurityConfig {
+
+    private final UserDetailsService userDetailsService;
+
+    public SecurityConfig(UserDetailsService userDetailsService) {
+        this.userDetailsService = userDetailsService;
+    }
+
+    @Bean
+    public GenericFilterBean delegatingFilterProxy() {
+        return new FilterChainProxy(List.of(
+                new DefaultSecurityFilterChain("/login", List.of(
+                        new FormLoginAuthFilter(new ProviderManager(List.of(new UsernamePasswordProvider(userDetailsService)))),
+                        new AuthorizationFilter()
+                )),
+                new DefaultSecurityFilterChain("/members", List.of(
+                        new BasicAuthenticationFilter(new ProviderManager(List.of(new UsernamePasswordProvider(userDetailsService)))),
+                        new AuthorizationFilter()
+                ))
+        ));
+    }
+
+    @Bean
+    public FilterRegistrationBean<GenericFilterBean> delegatingFilterProxyFilterRegistrationBean(GenericFilterBean delegatingFilterProxy) {
+        FilterRegistrationBean<GenericFilterBean> registrationBean = new FilterRegistrationBean<>();
+        registrationBean.setFilter(delegatingFilterProxy);
+        registrationBean.addUrlPatterns("/*");
+        return registrationBean;
+    }
+}
diff --git a/src/main/java/nextstep/app/config/WebConfig.java b/src/main/java/nextstep/app/config/WebConfig.java
@@ -0,0 +1,25 @@
+package nextstep.app.config;
+
+import nextstep.security.interceptor.AuthorizationInterceptor;
+import nextstep.security.interceptor.BasicAuthenticationInterceptor;
+import nextstep.security.interceptor.FormLoginAuthInterceptor;
+import nextstep.security.service.UserDetailsService;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+//@Configuration
+public class WebConfig implements WebMvcConfigurer {
+
+    private final UserDetailsService userDetailsService;
+
+    public WebConfig(UserDetailsService userDetailsService) {
+        this.userDetailsService = userDetailsService;
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(new BasicAuthenticationInterceptor(userDetailsService));
+        registry.addInterceptor(new FormLoginAuthInterceptor(userDetailsService)).addPathPatterns("/login");
+        registry.addInterceptor(new AuthorizationInterceptor()).addPathPatterns("/members");
+    }
+}
diff --git a/src/main/java/nextstep/app/domain/Member.java b/src/main/java/nextstep/app/domain/Member.java
@@ -1,6 +1,8 @@
 package nextstep.app.domain;
 
-public class Member {
+import nextstep.security.userdetails.UserDetails;
+
+public class Member implements UserDetails {
     private final String email;
     private final String password;
     private final String name;
@@ -13,10 +15,12 @@ public Member(String email, String password, String name, String imageUrl) {
         this.imageUrl = imageUrl;
     }
 
+    @Override
     public String getEmail() {
         return email;
     }
 
+    @Override
     public String getPassword() {
         return password;
     }

diff --git a/src/main/java/nextstep/app/domain/MemberService.java b/src/main/java/nextstep/app/domain/MemberService.java
@@ -0,0 +1,22 @@
+package nextstep.app.domain;
+
+import nextstep.security.service.UserDetailsService;
+import nextstep.security.userdetails.UserDetails;
+import org.springframework.stereotype.Service;
+
+@Service
+public class MemberService implements UserDetailsService {
+
+    private final MemberRepository memberRepository;
+
+    public MemberService(MemberRepository memberRepository) {
+        this.memberRepository = memberRepository;
+    }
+
+    @Override
+    public UserDetails loadUserByEmailAndPassword(String email, String password) {
+        return memberRepository.findByEmail(email)
+                .filter(v -> v.getPassword().equals(password))
+                .orElse(null);
+    }
+}
diff --git a/src/main/java/nextstep/app/ui/LoginController.java b/src/main/java/nextstep/app/ui/LoginController.java
@@ -1,6 +1,5 @@
 package nextstep.app.ui;
 
-import nextstep.app.domain.MemberRepository;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -14,12 +13,6 @@
 public class LoginController {
     public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
 
-    private final MemberRepository memberRepository;
-
-    public LoginController(MemberRepository memberRepository) {
-        this.memberRepository = memberRepository;
-    }
-
     @PostMapping("/login")
     public ResponseEntity<Void> login(HttpServletRequest request, HttpSession session) {
         return ResponseEntity.ok().build();

diff --git a/src/main/java/nextstep/app/ui/MemberController.java b/src/main/java/nextstep/app/ui/MemberController.java
@@ -22,5 +22,4 @@ public ResponseEntity<List<Member>> list() {
         List<Member> members = memberRepository.findAll();
         return ResponseEntity.ok(members);
     }
-
 }
diff --git a/src/main/java/nextstep/security/DefaultSecurityFilterChain.java b/src/main/java/nextstep/security/DefaultSecurityFilterChain.java
@@ -0,0 +1,26 @@
+package nextstep.security;
+
+import javax.servlet.Filter;
+import javax.servlet.http.HttpServletRequest;
+import java.util.List;
+
+public class DefaultSecurityFilterChain implements SecurityFilterChain {
+
+    private final String path;
+    private final List<Filter> filters;
+
+    public DefaultSecurityFilterChain(String path, List<Filter> filters) {
+        this.path = path;
+        this.filters = filters;
+    }
+
+    @Override
+    public boolean matches(HttpServletRequest request) {
+        return request.getRequestURI().startsWith(path);
+    }
+
+    @Override
+    public List<Filter> getFilters() {
+        return filters;
+    }
+}
diff --git a/src/main/java/nextstep/security/SecurityFilterChain.java b/src/main/java/nextstep/security/SecurityFilterChain.java
@@ -0,0 +1,12 @@
+package nextstep.security;
+
+import javax.servlet.Filter;
+import javax.servlet.http.HttpServletRequest;
+import java.util.List;
+
+public interface SecurityFilterChain {
+
+    boolean matches(HttpServletRequest request);
+
+    List<Filter> getFilters();
+}
diff --git a/src/main/java/nextstep/security/authentication/Authentication.java b/src/main/java/nextstep/security/authentication/Authentication.java
@@ -0,0 +1,6 @@
+package nextstep.security.authentication;
+
+public interface Authentication {
+    Object getCredentials();
+    Object getPrincipal();
+}
diff --git a/src/main/java/nextstep/security/authentication/UsernamePasswordAuthenticationToken.java b/src/main/java/nextstep/security/authentication/UsernamePasswordAuthenticationToken.java
@@ -0,0 +1,21 @@
+package nextstep.security.authentication;
+
+public class UsernamePasswordAuthenticationToken implements Authentication {
+    private final Object principal;
+    private final Object credentials;
+
+    public UsernamePasswordAuthenticationToken(Object principal, Object credentials) {
+        this.principal = principal;
+        this.credentials = credentials;
+    }
+
+    @Override
+    public Object getCredentials() {
+        return credentials;
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return principal;
+    }
+}
diff --git a/src/main/java/nextstep/security/context/UserContextHolder.java b/src/main/java/nextstep/security/context/UserContextHolder.java
@@ -0,0 +1,28 @@
+package nextstep.security.context;
+
+import nextstep.security.userdetails.UserDetails;
+import org.springframework.web.context.request.RequestAttributes;
+import org.springframework.web.context.request.RequestContextHolder;
+
+import static nextstep.security.interceptor.BasicAuthenticationInterceptor.SPRING_SECURITY_CONTEXT;
+
+public final class UserContextHolder {
+
+    private UserContextHolder() {}
+
+    public static UserDetails getUser() {
+        RequestAttributes attributes = RequestContextHolder.getRequestAttributes();
+        if (attributes == null) {
+            return null;
+        }
+        return (UserDetails) attributes.getAttribute(SPRING_SECURITY_CONTEXT, RequestAttributes.SCOPE_SESSION);
+    }
+
+    public static void setUser(UserDetails userDetails) {
+        RequestAttributes attributes = RequestContextHolder.getRequestAttributes();
+        if (attributes == null) {
+            return;
+        }
+        attributes.setAttribute(SPRING_SECURITY_CONTEXT, userDetails, RequestAttributes.SCOPE_SESSION);
+    }
+}
diff --git a/src/main/java/nextstep/security/filter/AuthorizationFilter.java b/src/main/java/nextstep/security/filter/AuthorizationFilter.java
@@ -0,0 +1,23 @@
+package nextstep.security.filter;
+
+import nextstep.security.context.UserContextHolder;
+import nextstep.security.userdetails.UserDetails;
+import org.springframework.http.HttpStatus;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AuthorizationFilter implements Filter {
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        UserDetails userDetails = UserContextHolder.getUser();
+        if (userDetails == null) {
+            ((HttpServletResponse) response).setStatus(HttpStatus.UNAUTHORIZED.value());
+            return;
+        }
+
+        chain.doFilter(request, response);
+    }
+}
diff --git a/src/main/java/nextstep/security/filter/BasicAuthenticationFilter.java b/src/main/java/nextstep/security/filter/BasicAuthenticationFilter.java
@@ -0,0 +1,79 @@
+package nextstep.security.filter;
+
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authentication.UsernamePasswordAuthenticationToken;
+import nextstep.security.context.UserContextHolder;
+import nextstep.security.manager.AuthenticationManager;
+import nextstep.security.userdetails.UserDetails;
+import org.springframework.http.HttpHeaders;
+import org.springframework.lang.Nullable;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+public class BasicAuthenticationFilter implements Filter {
+
+    public static final String SPRING_SECURITY_CONTEXT = "SPRING_SECURITY_CONTEXT";
+    private static final String BASIC = "Basic";
+    private static final String BLANK = " ";
+    private static final String COLON = ":";
+
+    private final AuthenticationManager authenticationManager;
+
+    public BasicAuthenticationFilter(AuthenticationManager authenticationManager) {
+        this.authenticationManager = authenticationManager;
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        String[] credentials = parseBasicHeader((HttpServletRequest) request);
+        if (credentials == null) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        Authentication authentication = this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(credentials[0], credentials[1]));
+        if (authentication != null) {
+            UserContextHolder.setUser((UserDetails) authentication.getPrincipal());
+        }
+        chain.doFilter(request, response);
+    }
+
+    @Nullable
+    private String[] parseBasicHeader(HttpServletRequest request) {
+        // authorization 헤더를 조회한다.
+        String authorizationValue = request.getHeader(HttpHeaders.AUTHORIZATION);
+        if (authorizationValue == null || authorizationValue.isBlank()) {
+            return null;
+        }
+
+        // Basic authentication 방식인지 확인한다.
+        String[] strs = authorizationValue.split(BLANK);
+        if (strs.length != 2) {
+            return null;
+        }
+
+        String authType = strs[0];
+        String authValue = strs[1];
+
+        // Basic authentication 방식이 아닌 경우 null을 반환한다.
+        if (!BASIC.equalsIgnoreCase(authType)) {
+            return null;
+        }
+
+        String decodedBasicValue = new String(Base64.getDecoder().decode(authValue), StandardCharsets.UTF_8);
+        if (decodedBasicValue.isBlank()) {
+            return null;
+        }
+
+        strs = decodedBasicValue.split(COLON);
+        if (strs.length != 2) {
+            return null;
+        }
+
+        return new String[]{strs[0], strs[1]};
+    }
+}