#1 인증 토큰 spring security, JWT

pom.xml

@@ -2,20 +2,25 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
+
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
 		<version>2.4.0</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
+
 	<groupId>com.pay</groupId>
 	<artifactId>billing</artifactId>
 	<version>0.0.1-SNAPSHOT</version>
 	<name>billing</name>
 	<description>billing project for Spring Boot</description>
 
 	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 		<java.version>1.8</java.version>
+		<start-class>com.pay.billing.BillingApplication</start-class>
 	</properties>
 
 	<dependencies>
@@ -29,11 +34,74 @@
 			<artifactId>lombok</artifactId>
 			<optional>true</optional>
 		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
 		</dependency>
+
+		<dependency>
+			<groupId>io.springfox</groupId>
+			<artifactId>springfox-swagger2</artifactId>
+			<version>2.9.2</version>
+		</dependency>
+		<dependency>
+			<groupId>io.springfox</groupId>
+			<artifactId>springfox-swagger-ui</artifactId>
+			<version>2.9.2</version>
+		</dependency>
+
+		<dependency>
+			<groupId>com.h2database</groupId>
+			<artifactId>h2</artifactId>
+			<scope>runtime</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-jdbc</artifactId>
+		</dependency>
+
+		<!-- Starter for using Spring Security -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+
+		<!-- Make method based security testing easier -->
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<!-- JSON Web Token Support -->
+		<dependency>
+			<groupId>io.jsonwebtoken</groupId>
+			<artifactId>jjwt</artifactId>
+			<version>0.9.1</version>
+		</dependency>
+
+		<!-- JPA Data (Repositories, Entities, Hibernate, etc..) -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-data-jpa</artifactId>
+		</dependency>
+
+		<!-- Model Mapper -->
+        <dependency>
+            <groupId>org.modelmapper</groupId>
+            <artifactId>modelmapper</artifactId>
+            <version>2.3.5</version>
+        </dependency>
+
+		<dependency>
+			<groupId>javax.validation</groupId>
+			<artifactId>validation-api</artifactId>
+			<version>2.0.1.Final</version>
+		</dependency>
+
 	</dependencies>
 
 	<build>

src/main/java/com/pay/billing/BillingApplication.java

@@ -1,13 +1,49 @@
 package com.pay.billing;
 
+import com.pay.billing.domain.model.Role;
+import com.pay.billing.domain.model.User;
+import com.pay.billing.service.UserService;
+import org.modelmapper.ModelMapper;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.CommandLineRunner;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+
+import java.util.ArrayList;
+import java.util.Arrays;
 
 @SpringBootApplication
-public class BillingApplication {
+public class BillingApplication implements CommandLineRunner {
+
+	@Autowired
+	UserService userService;
 
 	public static void main(String[] args) {
 		SpringApplication.run(BillingApplication.class, args);
 	}
 
+	@Bean
+	public ModelMapper modelMapper() {
+		return new ModelMapper();
+	}
+
+	@Override
+	public void run(String... params) throws Exception {
+		User admin = new User();
+		admin.setUsername("admin");
+		admin.setPassword("admin");
+		admin.setEmail("admin@email.com");
+		admin.setRoles(new ArrayList<Role>(Arrays.asList(Role.ROLE_ADMIN)));
+
+		userService.signup(admin);
+
+		User client = new User();
+		client.setUsername("client");
+		client.setPassword("client");
+		client.setEmail("client@email.com");
+		client.setRoles(new ArrayList<Role>(Arrays.asList(Role.ROLE_CLIENT)));
+
+		userService.signup(client);
+	}
 }

src/main/java/com/pay/billing/common/config/SwaggerConfig.java

@@ -0,0 +1,64 @@
+package com.pay.billing.common.config;
+
+import com.google.common.base.Predicates;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import springfox.documentation.builders.ApiInfoBuilder;
+import springfox.documentation.builders.PathSelectors;
+import springfox.documentation.builders.RequestHandlerSelectors;
+import springfox.documentation.service.ApiInfo;
+import springfox.documentation.service.ApiKey;
+import springfox.documentation.service.AuthorizationScope;
+import springfox.documentation.service.SecurityReference;
+import springfox.documentation.service.Tag;
+import springfox.documentation.spi.DocumentationType;
+import springfox.documentation.spi.service.contexts.SecurityContext;
+import springfox.documentation.spring.web.plugins.Docket;
+import springfox.documentation.swagger2.annotations.EnableSwagger2;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+
+@Configuration
+@EnableSwagger2
+public class SwaggerConfig {
+    @Bean
+    public Docket swaggerApi() {
+        return new Docket(DocumentationType.SWAGGER_2)//
+                .select()//
+                .apis(RequestHandlerSelectors.any())//
+                .paths(Predicates.not(PathSelectors.regex("/error")))//
+                .build()//
+                .apiInfo(swaggerInfo())
+                .useDefaultResponseMessages(false)//
+                .securitySchemes(Collections.singletonList(apiKey()))
+                .securityContexts(Collections.singletonList(securityContext()))
+                .tags(new Tag("users", "Operations about users"))//
+                .genericModelSubstitutes(Optional.class);
+    }
+
+    private ApiInfo swaggerInfo() {
+        return new ApiInfoBuilder().title("Spring API Documentation")
+                .description("앱 개발시 사용되는 서버 API에 대한 연동 문서입니다").build();
+    }
+
+    private ApiKey apiKey() {
+        return new ApiKey("Authorization", "Authorization", "header");
+    }
+
+    private SecurityContext securityContext() {
+        return SecurityContext.builder()
+                .securityReferences(defaultAuth())
+                .forPaths(PathSelectors.any())
+                .build();
+    }
+
+    private List<SecurityReference> defaultAuth() {
+        AuthorizationScope authorizationScope = new AuthorizationScope("global", "accessEverything");
+        AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
+        authorizationScopes[0] = authorizationScope;
+        return Arrays.asList(new SecurityReference("Authorization", authorizationScopes));
+    }
+}

src/main/java/com/pay/billing/common/config/WebSecurityConfig.java

@@ -0,0 +1,80 @@
+package com.pay.billing.common.config;
+
+import com.pay.billing.common.security.JwtTokenFilterConfigurer;
+import com.pay.billing.common.security.JwtTokenProvider;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+  @Autowired
+  private JwtTokenProvider jwtTokenProvider;
+
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+
+    // Disable CSRF (cross site request forgery)
+    http.csrf().disable();
+
+    // No session will be created or used by spring security
+    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+
+    // Entry points
+    http.authorizeRequests()//
+        .antMatchers("/users/signin").permitAll()//
+        .antMatchers("/users/signup").permitAll()//
+        .antMatchers("/h2-console/**/**").permitAll()
+        // Disallow everything else..
+        .anyRequest().authenticated();
+
+    // If a user try to access a resource without having enough permissions
+    http.exceptionHandling().accessDeniedPage("/login");
+
+    // Apply JWT
+    http.apply(new JwtTokenFilterConfigurer(jwtTokenProvider));
+
+    // Optional, if you want to test the API from a browser
+    // http.httpBasic();
+  }
+
+  @Override
+  public void configure(WebSecurity web) throws Exception {
+    // Allow swagger to be accessed without authentication
+    web.ignoring().antMatchers("/v2/api-docs")//
+        .antMatchers("/swagger-resources/**")//
+        .antMatchers("/swagger-ui.html")//
+        .antMatchers("/configuration/**")//
+        .antMatchers("/webjars/**")//
+        .antMatchers("/public")
+
+        // Un-secure H2 Database (for testing purposes, H2 console shouldn't be unprotected in production)
+        .and()
+        .ignoring()
+        .antMatchers("/h2-console/**/**");;
+  }
+
+  @Bean
+  public PasswordEncoder passwordEncoder() {
+    return new BCryptPasswordEncoder(12);
+  }
+
+  @Override
+  @Bean
+  public AuthenticationManager authenticationManagerBean() throws Exception {
+    return super.authenticationManagerBean();
+  }
+
+}

src/main/java/com/pay/billing/common/exception/CustomException.java

@@ -0,0 +1,26 @@
+package com.pay.billing.common.exception;
+
+import org.springframework.http.HttpStatus;
+
+public class CustomException extends RuntimeException {
+
+  private static final long serialVersionUID = 1L;
+
+  private final String message;
+  private final HttpStatus httpStatus;
+
+  public CustomException(String message, HttpStatus httpStatus) {
+    this.message = message;
+    this.httpStatus = httpStatus;
+  }
+
+  @Override
+  public String getMessage() {
+    return message;
+  }
+
+  public HttpStatus getHttpStatus() {
+    return httpStatus;
+  }
+
+}

src/main/java/com/pay/billing/common/security/JwtTokenFilter.java

@@ -0,0 +1,41 @@
+package com.pay.billing.common.security;
+
+import com.pay.billing.common.exception.CustomException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+// We should use OncePerRequestFilter since we are doing a database call, there is no point in doing this more than once
+public class JwtTokenFilter extends OncePerRequestFilter {
+
+  private JwtTokenProvider jwtTokenProvider;
+
+  public JwtTokenFilter(JwtTokenProvider jwtTokenProvider) {
+    this.jwtTokenProvider = jwtTokenProvider;
+  }
+
+  @Override
+  protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
+    String token = jwtTokenProvider.resolveToken(httpServletRequest);
+    try {
+      if (token != null && jwtTokenProvider.validateToken(token)) {
+        Authentication auth = jwtTokenProvider.getAuthentication(token);
+        SecurityContextHolder.getContext().setAuthentication(auth);
+      }
+    } catch (CustomException ex) {
+      //this is very important, since it guarantees the user is not authenticated at all
+      SecurityContextHolder.clearContext();
+      httpServletResponse.sendError(ex.getHttpStatus().value(), ex.getMessage());
+      return;
+    }
+
+    filterChain.doFilter(httpServletRequest, httpServletResponse);
+  }
+
+}

src/main/java/com/pay/billing/common/security/JwtTokenFilterConfigurer.java

@@ -0,0 +1,22 @@
+package com.pay.billing.common.security;
+
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+public class JwtTokenFilterConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
+
+  private JwtTokenProvider jwtTokenProvider;
+
+  public JwtTokenFilterConfigurer(JwtTokenProvider jwtTokenProvider) {
+    this.jwtTokenProvider = jwtTokenProvider;
+  }
+
+  @Override
+  public void configure(HttpSecurity http) throws Exception {
+    JwtTokenFilter customFilter = new JwtTokenFilter(jwtTokenProvider);
+    http.addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class);
+  }
+
+}