refactor(feedback): 인증 필터가 요청당 한 번만 수행되는 것을 보장하도록 OncePerRequestFilter를 상속하도록 변경

haero77 · haero77 · commit 4741c46ade6b · 2025-02-12T22:53:57.000+09:00
- applies feedback next-step#40 (comment)
diff --git a/src/main/java/nextstep/security/filter/BasicAuthenticationFilter.java b/src/main/java/nextstep/security/filter/BasicAuthenticationFilter.java
@@ -1,18 +1,20 @@
 package nextstep.security.filter;
 
-import jakarta.servlet.*;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import nextstep.security.AuthenticationException;
 import nextstep.security.authentication.*;
 import nextstep.security.util.Base64Convertor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
 import java.util.List;
 
-public class BasicAuthenticationFilter implements Filter {
+public class BasicAuthenticationFilter extends OncePerRequestFilter {
 
     private static final Logger log = LoggerFactory.getLogger(BasicAuthenticationFilter.class);
 
@@ -27,37 +29,39 @@ public BasicAuthenticationFilter(UserDetailsService userDetailsService) {
     }
 
     @Override
-    public void doFilter(
-            ServletRequest servletRequest,
-            ServletResponse servletResponse,
-            FilterChain filterChain
-    ) throws IOException, ServletException {
-        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
-
-        if (!AUTHENTICATION_NEED_PATHS.contains(httpRequest.getRequestURI())) {
-            filterChain.doFilter(servletRequest, servletResponse);
-            return;
-        }
-
-        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
+    protected boolean shouldNotFilter(HttpServletRequest request) {
+        // '/members' 에 대한 요청이 아니면 필터링 하지 말라는 의미. 즉, '/members'에 대한 요청만 필터링
+        return !AUTHENTICATION_NEED_PATHS.contains(request.getRequestURI());
+    }
 
+    @Override
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws ServletException, IOException {
         try {
-            String authorization = httpRequest.getHeader("Authorization");
-            String credentials = authorization.split(" ")[1]; // "Basic " 뒤의 문자열
-            String decodedString = Base64Convertor.decode(credentials);
-            String[] usernameAndPassword = decodedString.split(":");
-            String username = usernameAndPassword[0];
-            String password = usernameAndPassword[1];
+            Authentication authenticated = attemptAuthentication(request);
+            request.setAttribute("userDetails", authenticated); // 이후 필터에서 사용 가능하도록 인증된 사용자 정보를 저장
 
-            Authentication authRequest = UsernamePasswordAuthenticationToken.unAuthenticated(username, password);
-            Authentication authenticated = this.authenticationManager.authenticate(authRequest);
-
-            httpRequest.setAttribute("userDetails", authenticated); // 이후 필터에서 사용 가능하도록 인증된 사용자 정보를 저장
-
-            filterChain.doFilter(servletRequest, servletResponse);
+            filterChain.doFilter(request, response);
         } catch (AuthenticationException | RuntimeException e) {
             log.debug("Authentication failed", e);
-            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
         }
     }
+
+    private Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
+        String authorization = request.getHeader("Authorization");
+        String credentials = authorization.split(" ")[1];
+        String decodedString = Base64Convertor.decode(credentials);
+        String[] usernameAndPassword = decodedString.split(":");
+
+        Authentication authRequest = UsernamePasswordAuthenticationToken.unAuthenticated(
+                usernameAndPassword[0],
+                usernameAndPassword[1]
+        );
+
+        return this.authenticationManager.authenticate(authRequest);
+    }
 }
diff --git a/src/main/java/nextstep/security/filter/UsernamePasswordAuthenticationFilter.java b/src/main/java/nextstep/security/filter/UsernamePasswordAuthenticationFilter.java
@@ -1,19 +1,20 @@
 package nextstep.security.filter;
 
-import jakarta.servlet.*;
+import jakarta.servlet.FilterChain;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;
 import nextstep.security.AuthenticationException;
 import nextstep.security.authentication.*;
 import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
 
 // 인증 정보를 추출하고, AuthenticationManager 에게 비밀번호 맞고 틀리는 것을 검증하는 책임을 위임한다.
-public class UsernamePasswordAuthenticationFilter implements Filter {
+public class UsernamePasswordAuthenticationFilter extends OncePerRequestFilter {
 
     private static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
 
@@ -28,37 +29,34 @@ public UsernamePasswordAuthenticationFilter(UserDetailsService userDetailsServic
     }
 
     @Override
-    public void doFilter(
-            ServletRequest servletRequest,
-            ServletResponse servletResponse,
-            FilterChain filterChain
-    ) throws IOException, ServletException {
-        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
-        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
-
-        if (!AUTHENTICATION_NEED_PATHS.contains(httpRequest.getRequestURI())) {
-            filterChain.doFilter(servletRequest, servletResponse);
-            return;
-        }
+    protected boolean shouldNotFilter(HttpServletRequest request) {
+        return !AUTHENTICATION_NEED_PATHS.contains(request.getRequestURI());
+    }
 
+    @Override
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws IOException {
         // extract username and password
-        Map<String, String[]> parameterMap = httpRequest.getParameterMap();
+        Map<String, String[]> parameterMap = request.getParameterMap();
         String username = parameterMap.get("username")[0];
         String password = parameterMap.get("password")[0];
 
         if (!StringUtils.hasText(username) || !StringUtils.hasText(password)) {
-            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "username or password is empty");
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "username or password is empty");
             return;
         }
 
         Authentication authRequest = UsernamePasswordAuthenticationToken.unAuthenticated(username, password);
 
         try {
             Authentication authenticated = this.authenticationManager.authenticate(authRequest);
-            HttpSession session = httpRequest.getSession();
+            HttpSession session = request.getSession();
             session.setAttribute(SPRING_SECURITY_CONTEXT_KEY, authenticated);
         } catch (AuthenticationException e) {
-            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "username or password is empty");
+            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "username or password is empty");
         }
     }
 }
