2단계 - 리팩터링

src/main/java/nextstep/app/config/AuthConfig.java

@@ -1,23 +1,27 @@
 package nextstep.app.config;
 
 import nextstep.security.access.matcher.AnyRequestMatcher;
+import nextstep.security.access.matcher.MvcRequestMatcher;
 import nextstep.security.authentication.AuthenticationManager;
 import nextstep.security.authentication.BasicAuthenticationFilter;
 import nextstep.security.authentication.UsernamePasswordAuthenticationFilter;
 import nextstep.security.authentication.UsernamePasswordAuthenticationProvider;
+import nextstep.security.authorization.AuthorizationFilter;
+import nextstep.security.config.AuthorizeRequestMatcherRegistry;
 import nextstep.security.config.DefaultSecurityFilterChain;
 import nextstep.security.config.FilterChainProxy;
 import nextstep.security.config.SecurityFilterChain;
 import nextstep.security.context.HttpSessionSecurityContextRepository;
+import nextstep.security.context.SecurityContextHolderFilter;
 import nextstep.security.context.SecurityContextRepository;
 import nextstep.security.userdetails.UserDetailsService;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.web.filter.DelegatingFilterProxy;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 import javax.servlet.Filter;
-import java.util.ArrayList;
 import java.util.List;
 
 @Configuration
@@ -41,9 +45,12 @@ public FilterChainProxy filterChainProxy() {
 
     @Bean
     public SecurityFilterChain securityFilterChain() {
-        List<Filter> filters = new ArrayList<>();
-        filters.add(new UsernamePasswordAuthenticationFilter(authenticationManager(), securityContextRepository()));
-        filters.add(new BasicAuthenticationFilter(authenticationManager()));
+        List<Filter> filters = List.of(
+            new SecurityContextHolderFilter(securityContextRepository()),
+            new UsernamePasswordAuthenticationFilter(authenticationManager(), securityContextRepository()),
+            new BasicAuthenticationFilter(authenticationManager()),
+            new AuthorizationFilter()
+        );
         return new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE, filters);
     }
 
@@ -57,4 +64,10 @@ public AuthenticationManager authenticationManager() {
         return new AuthenticationManager(new UsernamePasswordAuthenticationProvider(userDetailsService));
     }
 
+    @Bean
+    public AuthorizeRequestMatcherRegistry authorizeRequestMatcherRegistry() {
+        return new AuthorizeRequestMatcherRegistry()
+                .matcher(new MvcRequestMatcher(HttpMethod.GET, "/members")).hasAuthority("ADMIN")
+                .matcher(new MvcRequestMatcher(HttpMethod.GET, "/members/me")).authenticated();
+    }
 }

src/main/java/nextstep/app/ui/LoginController.java

@@ -6,9 +6,9 @@
 
 @RestController
 public class LoginController {
+
     @PostMapping("/login")
     public ResponseEntity<Void> login() {
         return ResponseEntity.ok().build();
     }
-
 }

src/main/java/nextstep/app/ui/MemberController.java

@@ -2,35 +2,36 @@
 
 import nextstep.app.domain.MemberRepository;
 import nextstep.app.ui.dto.MemberDto;
+import nextstep.security.context.SecurityContextHolder;
+import nextstep.security.exception.AuthenticationException;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
-import java.util.stream.Collectors;
 
 @RestController
 public class MemberController {
 
     private final MemberRepository memberRepository;
-
-    public MemberController(MemberRepository memberRepository) {
+    public MemberController(final MemberRepository memberRepository) {
         this.memberRepository = memberRepository;
     }
 
     @GetMapping("/members")
     public ResponseEntity<List<MemberDto>> list() {
-        List<MemberDto> members = memberRepository.findAll()
-                .stream()
-                .map(member -> new MemberDto(
-                        member.getEmail(),
-                        member.getPassword(),
-                        member.getName(),
-                        member.getImageUrl(),
-                        member.getRoles())
-                )
-                .collect(Collectors.toList());
-        return ResponseEntity.ok(members);
+        final var members = memberRepository.findAll();
+        return ResponseEntity.ok(MemberDto.toList(members));
     }
 
+    @GetMapping("/members/me")
+    public ResponseEntity<MemberDto> me() {
+        final var authentication = SecurityContextHolder.getContext().getAuthentication();
+        final var email = (String) authentication.getPrincipal();
+
+        final var member = memberRepository.findByEmail(email)
+                .orElseThrow(AuthenticationException::new);
+
+        return ResponseEntity.ok(MemberDto.toDto(member));
+    }
 }

src/main/java/nextstep/app/ui/dto/MemberDto.java

@@ -2,8 +2,11 @@
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import nextstep.app.domain.Member;
 
+import java.util.List;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 public class MemberDto {
 
@@ -15,17 +18,33 @@ public class MemberDto {
 
     @JsonCreator
     public MemberDto(@JsonProperty("email") final String email,
-                     @JsonProperty("password")final String password,
-                     @JsonProperty("name")final String name,
-                     @JsonProperty("imageUrl")final String imageUrl,
-                     @JsonProperty("roles")final Set<String> roles) {
+                     @JsonProperty("password") final String password,
+                     @JsonProperty("name") final String name,
+                     @JsonProperty("imageUrl") final String imageUrl,
+                     @JsonProperty("roles") final Set<String> roles) {
         this.email = email;
         this.password = password;
         this.name = name;
         this.imageUrl = imageUrl;
         this.roles = roles;
     }
 
+    public static MemberDto toDto(final Member member) {
+        return new MemberDto(
+                member.getEmail(),
+                member.getPassword(),
+                member.getName(),
+                member.getImageUrl(),
+                member.getRoles()
+        );
+    }
+
+    public static List<MemberDto> toList(final List<Member> members) {
+        return members.stream()
+                .map(MemberDto::toDto)
+                .collect(Collectors.toList());
+    }
+
     public String getEmail() {
         return email;
     }

src/main/java/nextstep/security/authentication/Authentication.java

@@ -10,4 +10,6 @@ public interface Authentication {
     Set<String> getAuthorities();
 
     boolean isAuthenticated();
+
+    boolean isAdmin();
 }

src/main/java/nextstep/security/authentication/BasicAuthenticationFilter.java

@@ -2,7 +2,6 @@
 
 import nextstep.security.context.SecurityContextHolder;
 import nextstep.security.exception.AuthenticationException;
-import nextstep.security.exception.AuthorizationException;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.filter.GenericFilterBean;
 
@@ -21,34 +20,27 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
 
     private final AuthenticationManager authenticationManager;
 
-    public BasicAuthenticationFilter(AuthenticationManager authenticationManager) {
+    public BasicAuthenticationFilter(final AuthenticationManager authenticationManager) {
         this.authenticationManager = authenticationManager;
     }
 
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 
         try {
-            Authentication authRequest = convertAuthenticationRequest((HttpServletRequest) request);
+            final var authRequest = convertAuthenticationRequest((HttpServletRequest) request);
 
             if (authRequest == null) {
                 chain.doFilter(request, response);
                 return;
             }
 
-            Authentication authResult = authenticationManager.authenticate(authRequest);
+            final var authResult = authenticationManager.authenticate(authRequest);
             SecurityContextHolder.getContext().setAuthentication(authResult);
-
-            if (authResult.getAuthorities().isEmpty()) {
-                throw new AuthorizationException();
-            }
         } catch (AuthenticationException e) {
             SecurityContextHolder.clearContext();
             ((HttpServletResponse) response).sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
             return;
-        } catch (AuthorizationException e) {
-            ((HttpServletResponse) response).sendError(HttpStatus.FORBIDDEN.value(), HttpStatus.FORBIDDEN.getReasonPhrase());
-            return;
         }
 
         chain.doFilter(request, response);
@@ -75,6 +67,4 @@ private Authentication convertAuthenticationRequest(HttpServletRequest request)
 
         return UsernamePasswordAuthentication.ofRequest(email, password);
     }
-
-
 }

src/main/java/nextstep/security/authentication/UsernamePasswordAuthentication.java

@@ -47,4 +47,8 @@ public boolean isAuthenticated() {
         return authenticated;
     }
 
+    public boolean isAdmin() {
+        return getAuthorities()
+                .contains("ADMIN");
+    }
 }

src/main/java/nextstep/security/authentication/UsernamePasswordAuthenticationFilter.java

@@ -1,11 +1,9 @@
 package nextstep.security.authentication;
 
 import nextstep.security.access.matcher.MvcRequestMatcher;
-import nextstep.security.context.SecurityContext;
 import nextstep.security.context.SecurityContextHolder;
 import nextstep.security.context.SecurityContextRepository;
 import nextstep.security.exception.AuthenticationException;
-import nextstep.security.exception.AuthorizationException;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.filter.GenericFilterBean;
@@ -20,48 +18,44 @@
 
 public class UsernamePasswordAuthenticationFilter extends GenericFilterBean {
 
+    private static final MvcRequestMatcher DEFAULT_REQUEST_MATCHER = new MvcRequestMatcher(HttpMethod.POST, "/login");
+
     private final AuthenticationManager authenticationManager;
     private final SecurityContextRepository securityContextRepository;
-    private static final MvcRequestMatcher DEFAULT_REQUEST_MATCHER = new MvcRequestMatcher(HttpMethod.POST,
-            "/login");
 
-    public UsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager, SecurityContextRepository securityContextRepository) {
+    public UsernamePasswordAuthenticationFilter(final AuthenticationManager authenticationManager,
+                                                final SecurityContextRepository securityContextRepository) {
         this.authenticationManager = authenticationManager;
         this.securityContextRepository = securityContextRepository;
     }
 
     @Override
-    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+    public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        final var request = (HttpServletRequest) servletRequest;
 
         try {
-            if (!DEFAULT_REQUEST_MATCHER.matches((HttpServletRequest) request)) {
+            if (!DEFAULT_REQUEST_MATCHER.matches(request)) {
                 chain.doFilter(request, response);
                 return;
             }
 
             String username = request.getParameter("username");
             String password = request.getParameter("password");
 
-            UsernamePasswordAuthentication authRequest = UsernamePasswordAuthentication.ofRequest(username,
+            final var authRequest = UsernamePasswordAuthentication.ofRequest(username,
                     password);
-            Authentication authResult = authenticationManager.authenticate(authRequest);
+            final var authResult = authenticationManager.authenticate(authRequest);
 
-            SecurityContext context = SecurityContextHolder.createEmptyContext();
+            final var context = SecurityContextHolder.createEmptyContext();
             context.setAuthentication(authResult);
             SecurityContextHolder.setContext(context);
 
-            securityContextRepository.saveContext(context, (HttpServletRequest) request, (HttpServletResponse) response);
-
-            if (authResult.getAuthorities().isEmpty()) {
-                throw new AuthorizationException();
-            }
+            securityContextRepository.saveContext(context, request, (HttpServletResponse) response);
         } catch (AuthenticationException e) {
             SecurityContextHolder.clearContext();
             ((HttpServletResponse) response).sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
             return;
-        } catch (AuthorizationException e) {
-            ((HttpServletResponse) response).sendError(HttpStatus.FORBIDDEN.value(), HttpStatus.FORBIDDEN.getReasonPhrase());
-            return;
         }
 
         chain.doFilter(request, response);

src/main/java/nextstep/security/authorization/AuthorizationFilter.java

@@ -0,0 +1,35 @@
+package nextstep.security.authorization;
+
+import nextstep.security.context.SecurityContextHolder;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.filter.GenericFilterBean;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AuthorizationFilter extends GenericFilterBean {
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        final var authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication == null) {
+            sendError(response, HttpStatus.UNAUTHORIZED);
+            return;
+        }
+
+        if (!authentication.isAdmin()) {
+            sendError(response, HttpStatus.FORBIDDEN);
+            return;
+        }
+
+        chain.doFilter(request, response);
+    }
+
+    private static void sendError(final ServletResponse response, final HttpStatus httpStatus) throws IOException {
+        ((HttpServletResponse) response).sendError(httpStatus.value(), httpStatus.getReasonPhrase());
+    }
+}

src/main/java/nextstep/security/context/SecurityContextHolderFilter.java

@@ -0,0 +1,27 @@
+package nextstep.security.context;
+
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Optional;
+
+public class SecurityContextHolderFilter extends OncePerRequestFilter {
+
+    private final SecurityContextRepository securityContextRepository;
+
+    public SecurityContextHolderFilter(final SecurityContextRepository securityContextRepository) {
+        this.securityContextRepository = securityContextRepository;
+    }
+
+    @Override
+    protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain) throws ServletException, IOException {
+        Optional.ofNullable(securityContextRepository.loadContext(request))
+                .ifPresent(SecurityContextHolder::setContext);
+
+        filterChain.doFilter(request, response);
+    }
+}