BE/src/main/java/com/example/RealMatch/global/config/SecurityConfig.java at 94be1eb808c08f2d894145f3042654abaa083185 · RealMatchTeam/BE · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
package com.example.RealMatch.global.config;

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import com.example.RealMatch.global.config.jwt.JwtAuthenticationFilter;
import com.example.RealMatch.global.presentation.advice.CustomAccessDeniedHandler;
import com.example.RealMatch.global.presentation.advice.CustomAuthEntryPoint;
import com.example.RealMatch.oauth.handler.OAuth2SuccessHandler;
import com.example.RealMatch.oauth.service.CustomOAuth2UserService;

import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;

@Slf4j
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {

    private final CustomOAuth2UserService customOAuth2UserService;
    private final OAuth2SuccessHandler oAuth2SuccessHandler;
    private final JwtAuthenticationFilter jwtAuthenticationFilter;
    private final CustomAuthEntryPoint customAuthEntryPoint;
    private final CustomAccessDeniedHandler customAccessDeniedHandler;

    private static final String[] PERMIT_ALL_URL_ARRAY = {
            "/", "/error", "/favicon.ico",
            "/css/**", "/js/**", "/images/**",
            "/login/**", "/oauth2/**",
            "/api/login/success",
            "/api/v1/ws/**",
            "/v3/api-docs/**", "/swagger-ui/**", "/swagger-resources/**",
            "/api/test",
            "/api/v1/tags/**",
            "/actuator/health",
            "/api/v1/auth/signup",
            "/api/v1/auth/refresh"
    };

    private static final String[] REQUEST_AUTHENTICATED_ARRAY = {
            "/api/test-auth", "/api/v1/campaigns/**"
    };

    @Value("${swagger.server-url}")
    private String swaggerUrl;

    @Value("${cors.allowed-origin}")
    private String allowedOrigin;

    @Value("${front.domain-url}")
    private String frontDomainUrl;

    @Value("${front.domain-url-v2}")
    private String frontDomainUrlV2;

    @Value("${front.domain-url-local}")
    private String frontDomainUrlLocal;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        log.info("Configuring Security Filter Chain");

        http
                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
                .csrf(csrf -> csrf.disable())

                .sessionManagement(session -> session
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))

                .exceptionHandling(exception -> exception
                        .authenticationEntryPoint(customAuthEntryPoint)
                        .accessDeniedHandler(customAccessDeniedHandler))

                .authorizeHttpRequests(auth -> auth
                        .requestMatchers(REQUEST_AUTHENTICATED_ARRAY).authenticated()
                        .requestMatchers(PERMIT_ALL_URL_ARRAY).permitAll()
                        .anyRequest().authenticated())

                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
                .oauth2Login(oauth2 -> oauth2
                        .userInfoEndpoint(userInfo -> userInfo
                                .userService(customOAuth2UserService))
                        .successHandler(oAuth2SuccessHandler)
                        .failureHandler((request, response, exception) -> {
                            log.error("OAuth2 login failed", exception);
                            response.sendRedirect("/api/test?error=oauth_login_failed");
                        }));

        return http.build();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(List.of(allowedOrigin, "http://localhost:8080", swaggerUrl, frontDomainUrl, frontDomainUrlV2, frontDomainUrlLocal));
        configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(List.of("*"));
        configuration.setAllowCredentials(true);
        configuration.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}