[Step2] 리펙터링

src/main/java/nextstep/app/config/AuthConfig.java

@@ -1,13 +1,15 @@
 package nextstep.app.config;
 
+import java.util.List;
 import nextstep.security.access.matcher.MvcRequestMatcher;
 import nextstep.security.authentication.AuthenticationManager;
 import nextstep.security.authentication.BasicAuthenticationFilter;
 import nextstep.security.authentication.UsernamePasswordAuthenticationFilter;
 import nextstep.security.authentication.UsernamePasswordAuthenticationProvider;
 import nextstep.security.authorization.AuthorizationFilter;
-import nextstep.security.authorization.RoleManager;
+import nextstep.security.authorization.PreAuthorizationFilter;
 import nextstep.security.config.DefaultSecurityFilterChain;
+import nextstep.security.config.AuthorizeRequestMatcherRegistry;
 import nextstep.security.config.FilterChainProxy;
 import nextstep.security.config.SecurityFilterChain;
 import nextstep.security.context.HttpSessionSecurityContextRepository;
@@ -17,6 +19,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.web.filter.DelegatingFilterProxy;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
@@ -34,48 +37,29 @@ public DelegatingFilterProxy securityFilterChainProxy() {
     }
 
     @Bean
-    public FilterChainProxy filterChainProxy(
-        SecurityFilterChain loginSecurityFilterChain,
-        SecurityFilterChain membersSecurityFilterChain
-    ) {
-        return new FilterChainProxy(
-            loginSecurityFilterChain,
-            membersSecurityFilterChain
-        );
+    public FilterChainProxy filterChainProxy(SecurityFilterChain securityFilterChain) {
+        return new FilterChainProxy(securityFilterChain);
     }
-
     @Bean
-    public SecurityFilterChain loginSecurityFilterChain(
+    public SecurityFilterChain securityFilterChain(
         AuthenticationManager authenticationManager,
         SecurityContextRepository securityContextRepository
     ) {
         return new DefaultSecurityFilterChain(
-            new MvcRequestMatcher(
-                HttpMethod.POST,
-                "/login"
-            ),
             new UsernamePasswordAuthenticationFilter(
                 authenticationManager,
                 securityContextRepository
-            )
-        );
-    }
-
-    @Bean
-    public SecurityFilterChain membersSecurityFilterChain(
-        AuthenticationManager authenticationManager,
-        SecurityContextRepository securityContextRepository
-    ) {
-        return new DefaultSecurityFilterChain(
-            new MvcRequestMatcher(
-                HttpMethod.GET,
-                "/members"
             ),
             new BasicAuthenticationFilter(
                 authenticationManager,
                 securityContextRepository
             ),
-            new AuthorizationFilter(securityContextRepository, new RoleManager("ADMIN"))
+            new PreAuthorizationFilter(securityContextRepository),
+            new AuthorizationFilter(
+                new AuthorizeRequestMatcherRegistry()
+                    .matcher(new MvcRequestMatcher(HttpMethod.GET, "/members")).hasAuthority("ADMIN")
+                    .matcher(new MvcRequestMatcher(HttpMethod.GET, "/members/me")).authenticated()
+            )
         );
     }
 
@@ -89,4 +73,8 @@ public AuthenticationManager authenticationManager() {
         return new AuthenticationManager(new UsernamePasswordAuthenticationProvider(userDetailsService));
     }
 
+    @Override
+    public void addArgumentResolvers(List<HandlerMethodArgumentResolver> resolvers) {
+        resolvers.add(new LoginUserArgumentResolver());
+    }
 }

src/main/java/nextstep/app/config/LoginUserArgumentResolver.java

@@ -0,0 +1,31 @@
+package nextstep.app.config;
+
+import javax.servlet.http.HttpServletRequest;
+import nextstep.app.ui.dto.LoginUser;
+import nextstep.security.context.SecurityContext;
+import org.springframework.core.MethodParameter;
+import org.springframework.web.bind.support.WebDataBinderFactory;
+import org.springframework.web.context.request.NativeWebRequest;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
+import org.springframework.web.method.support.ModelAndViewContainer;
+
+public class LoginUserArgumentResolver implements HandlerMethodArgumentResolver {
+
+    @Override
+    public boolean supportsParameter(MethodParameter parameter) {
+        return parameter.getParameterType().equals(LoginUser.class);
+    }
+
+    @Override
+    public LoginUser resolveArgument(
+        MethodParameter parameter,
+        ModelAndViewContainer mavContainer,
+        NativeWebRequest webRequest,
+        WebDataBinderFactory binderFactory
+    ) {
+        final HttpServletRequest request = (HttpServletRequest) webRequest.getNativeRequest();
+        final SecurityContext context = (SecurityContext) request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
+        final String email = context.getAuthentication().getPrincipal().toString();
+        return new LoginUser(email);
+    }
+}

src/main/java/nextstep/app/ui/MemberController.java

@@ -1,16 +1,17 @@
 package nextstep.app.ui;
 
-import nextstep.security.authentication.Authentication;
-import nextstep.security.context.SecurityContextHolder;
+import java.util.List;
 import nextstep.app.domain.Member;
 import nextstep.app.domain.MemberRepository;
+import nextstep.app.ui.dto.LoginUser;
+import nextstep.security.exception.AuthenticationException;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.List;
-
 @RestController
+@RequestMapping("/members")
 public class MemberController {
 
     private final MemberRepository memberRepository;
@@ -19,10 +20,16 @@ public MemberController(MemberRepository memberRepository) {
         this.memberRepository = memberRepository;
     }
 
-    @GetMapping("/members")
+    @GetMapping
     public ResponseEntity<List<Member>> list() {
         List<Member> members = memberRepository.findAll();
         return ResponseEntity.ok(members);
     }
 
+    @GetMapping("/me")
+    public ResponseEntity<Member> me(LoginUser loginUser) {
+        final Member member = memberRepository.findByEmail(loginUser.getEmail())
+            .orElseThrow(() -> new AuthenticationException());
+        return ResponseEntity.ok(member);
+    }
 }

src/main/java/nextstep/app/ui/dto/LoginUser.java

@@ -0,0 +1,20 @@
+package nextstep.app.ui.dto;
+
+public class LoginUser {
+    private final String email;
+
+    public LoginUser(String email) {
+        this.email = email;
+    }
+
+    public String getEmail() {
+        return email;
+    }
+
+    @Override
+    public String toString() {
+        return "LoginUser{" +
+            "email='" + email + '\'' +
+            '}';
+    }
+}

src/main/java/nextstep/security/access/matcher/MvcRequestMatcher.java

@@ -28,6 +28,6 @@ public boolean matches(HttpServletRequest request) {
             return false;
         }
 
-        return request.getRequestURI().contains(pattern);
+        return request.getRequestURI().equals(pattern);
     }
 }

src/main/java/nextstep/security/authorization/AuthorizationFilter.java

@@ -1,26 +1,29 @@
 package nextstep.security.authorization;
 
 import java.io.IOException;
+import java.util.Optional;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import nextstep.security.context.SecurityContext;
-import nextstep.security.context.SecurityContextRepository;
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authorization.manager.RoleManager;
+import nextstep.security.config.AuthorizeRequestMatcherRegistry;
+import nextstep.security.context.SecurityContextHolder;
+import nextstep.security.exception.AccessDeniedException;
+import nextstep.security.exception.AuthenticationException;
 import nextstep.security.exception.AuthorizationException;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.filter.GenericFilterBean;
 
 public class AuthorizationFilter extends GenericFilterBean {
 
-    private final SecurityContextRepository securityContextRepository;
-    private final RoleManager roleManager;
+    private final AuthorizeRequestMatcherRegistry authorizeRequestMatcherRegistry;
 
-    public AuthorizationFilter(SecurityContextRepository securityContextRepository, RoleManager roleManager) {
-        this.securityContextRepository = securityContextRepository;
-        this.roleManager = roleManager;
+    public AuthorizationFilter(AuthorizeRequestMatcherRegistry authorizeRequestMatcherRegistry) {
+        this.authorizeRequestMatcherRegistry = authorizeRequestMatcherRegistry;
     }
 
     @Override
@@ -30,12 +33,40 @@ public void doFilter(
         FilterChain chain
     ) throws IOException, ServletException {
         try {
-            final SecurityContext context = securityContextRepository.loadContext((HttpServletRequest) request);
-            if (context.getAuthentication().getAuthorities().stream().noneMatch(roleManager::hasRole)) {
+            final Authentication authentication = Optional.ofNullable(
+                SecurityContextHolder
+                    .getContext()
+                    .getAuthentication()
+            ).orElseThrow(AuthenticationException::new);
+
+            final RoleManager roleManager = authorizeRequestMatcherRegistry.getRoleManager((HttpServletRequest) request);
+
+            if (roleManager == null) {
+                chain.doFilter(request, response);
+                return;
+            }
+
+
+            if (!roleManager.check(authentication)) {
                 throw new AuthorizationException();
             }
+        } catch (AuthenticationException e) {
+            ((HttpServletResponse) response).sendError(
+                HttpStatus.UNAUTHORIZED.value(),
+                HttpStatus.UNAUTHORIZED.getReasonPhrase()
+            );
+            return;
         } catch (AuthorizationException e) {
-            ((HttpServletResponse) response).sendError(HttpStatus.FORBIDDEN.value(), HttpStatus.FORBIDDEN.getReasonPhrase());
+            ((HttpServletResponse) response).sendError(
+                HttpStatus.FORBIDDEN.value(),
+                HttpStatus.FORBIDDEN.getReasonPhrase()
+            );
+            return;
+        } catch (AccessDeniedException e) {
+            ((HttpServletResponse) response).sendError(
+                HttpStatus.BAD_REQUEST.value(),
+                HttpStatus.BAD_REQUEST.getReasonPhrase()
+            );
             return;
         }
 

src/main/java/nextstep/security/authorization/PreAuthorizationFilter.java

@@ -0,0 +1,54 @@
+package nextstep.security.authorization;
+
+import java.io.IOException;
+import java.util.Optional;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import nextstep.security.authentication.Authentication;
+import nextstep.security.context.SecurityContext;
+import nextstep.security.context.SecurityContextHolder;
+import nextstep.security.context.SecurityContextRepository;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class PreAuthorizationFilter extends GenericFilterBean {
+
+    private final SecurityContextRepository securityContextRepository;
+
+    public PreAuthorizationFilter(SecurityContextRepository securityContextRepository) {
+        this.securityContextRepository = securityContextRepository;
+    }
+
+    @Override
+    public void doFilter(
+        ServletRequest request,
+        ServletResponse response,
+        FilterChain chain
+    ) throws IOException, ServletException {
+        try {
+            if (SecurityContextHolder.getContext().getAuthentication() != null) {
+                chain.doFilter(request, response);
+                return;
+            }
+
+            final HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+            SecurityContext context = Optional.ofNullable(
+                    (SecurityContext) httpServletRequest.getSession()
+                        .getAttribute(SecurityContextHolder.SPRING_SECURITY_CONTEXT_KEY)
+                )
+                .orElseGet(() -> securityContextRepository.loadContext(httpServletRequest));
+
+            final Authentication authentication = Optional.ofNullable(context)
+                .map(it -> it.getAuthentication())
+                .orElse(null);
+
+            SecurityContextHolder.getContext().setAuthentication(authentication);
+
+        } catch (Exception ignored) {
+
+        }
+        chain.doFilter(request, response);
+    }
+}

src/main/java/nextstep/security/authorization/manager/AuthenticationRoleManager.java

@@ -0,0 +1,11 @@
+package nextstep.security.authorization.manager;
+
+import nextstep.security.authentication.Authentication;
+
+public class AuthenticationRoleManager implements RoleManager {
+
+    @Override
+    public boolean check(Authentication authentication) {
+        return authentication.isAuthenticated();
+    }
+}

src/main/java/nextstep/security/authorization/manager/AuthorizationRoleManager.java

@@ -0,0 +1,23 @@
+package nextstep.security.authorization.manager;
+
+import java.util.Set;
+import nextstep.security.authentication.Authentication;
+
+public class AuthorizationRoleManager implements RoleManager {
+
+    private final Set<String> authorities;
+
+    public AuthorizationRoleManager(Set<String> authorities) {
+        this.authorities = authorities;
+    }
+
+    public AuthorizationRoleManager(String... authorities) {
+        this(Set.of(authorities));
+    }
+
+    @Override
+    public boolean check(Authentication authentication) {
+        return authentication.getAuthorities().stream()
+            .anyMatch(authorities::contains);
+    }
+}

src/main/java/nextstep/security/authorization/manager/DenyAllRoleManager.java

@@ -0,0 +1,11 @@
+package nextstep.security.authorization.manager;
+
+import nextstep.security.authentication.Authentication;
+
+public class DenyAllRoleManager implements RoleManager {
+
+    @Override
+    public boolean check(Authentication authentication) {
+        return false;
+    }
+}