[인증(Authentication)] 김선호 미션 제출합니다. 🚀 (#40)

* refactor: 폼 로그인 인증을 컨트롤러가 아닌 폼 로그인 인터셉터에서 담당하도록 변경

* refactor: Basic 인증을 컨트롤러가 아닌 Basic 인증 인터셉터가 처리하도록 변경

* refactor: 서비스 코드와 인증 코드를 각각 app, security 패키지로 분리

- 인증 로직이 서비스 로직에 의존하지 않도록 중간 객체를 이요하여 의존성 분리

* refactor(step1): 폼 로그인 인증을 인터셉터가 아닌 필터로 처리하도록 변경

- 인터셉터는 Spring MVC에 속하고 이것은 app로직으로 볼 수 있으므로 비즈니스 로직과 인증/인가를 분리하기 위해 인터셉터가 아닌 필터에서 처리하도록 변경

* test: mockMvc request, response 콘솔 출력 추가

* refactor(step1): Basic 인증을 인터셉터가 아닌 필터로 처리하도록 변경

* chore(step1): 미사용 RequestHeader 파라미터 제거

* chore(step1): 미사용 AuthenticationException 삭제

- 필터의 예외처리는 Spring MVC 예외처리에 포함되지 않으므로 ResponseStatus는 동작 안 함

* test: 테스트 수행 시 로그 레벨 설정 (디버깅 용도)

* feat(step1): HTTP 요청 처리 여부를 결정하는 RequestMatcher 인터페이스 정의

* feat(step1): HTTP 요청에 대한 인증/인가 필터를 보관하는 SecurityFilterChain 정의 및 구현체 DefaultSecurityFilterChain 구현

* feat(step1): DelegatingFilterProxy로 부터 인증/인가 책임을 위임받아 그 책임을 수행할 FilterChainProxy 구현

* feat(step1): DelegatingFilterProxy를 필터로 등록하는 SecurityFilterAutoConfiguration 구현

* feat(step1): FilterChainProxy를 빈으로 등록하는 WebSecurityConfiguration 구현

* feat(step1): Security 관련 설정을 자동으로 로드하는 SecurityAutoConfiguration 구현

* refactor(step1): springSecurityFilterChain라는 빈이 있을 때만 DelegatingFilterProxy를 필터로 등록하도록 수정

- springSecurityFilterChain 이름의 빈(=filterChainProxy)이 없으면 DelegatingFilterProxy를 필터로 등록할 필요가 없다.

* refactor(step1): 폼 로그인 인증, Basic 인증 방식을 SecurityFilterChain을 통해 진행하도록 변경

* chore(step1): 폼 로그인 인증에서 filterChain.doFilter를 처리하지 않는 이유 주석 추가

* refactor(step1): security의 필터 관련 클래스를 security.filter 패키지로 응집

* refactor(step1): app에서 security를 사용하는 부분을 app.security로 이동

Author: haero77

src/main/java/nextstep/app/SecurityAuthenticationApplication.java

@@ -1,9 +1,12 @@
 package nextstep.app;
 
+import nextstep.security.config.SecurityAutoConfiguration;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Import;
 
 @SpringBootApplication
+@Import(SecurityAutoConfiguration.class)
 public class SecurityAuthenticationApplication {
 
     public static void main(String[] args) {

src/main/java/nextstep/app/security/AppSecurityConfiguration.java

@@ -0,0 +1,37 @@
+package nextstep.app.security;
+
+import nextstep.security.filter.*;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.List;
+
+@Configuration
+public class AppSecurityConfiguration {
+
+    private final UserDetailsService userDetailsService;
+
+    public AppSecurityConfiguration(UserDetailsService userDetailsService) {
+        this.userDetailsService = userDetailsService;
+    }
+
+    @Bean
+    public SecurityFilterChain formLoginSecurityFilterChain() {
+        return new DefaultSecurityFilterChain(
+                (httpServletRequest) -> httpServletRequest.getRequestURI().equals("/login"),
+                List.of(
+                        new FormLoginFilter(userDetailsService)
+                )
+        );
+    }
+
+    @Bean
+    public SecurityFilterChain basicAuthenticationSecurityFilterChain() {
+        return new DefaultSecurityFilterChain(
+                (httpServletRequest) -> httpServletRequest.getRequestURI().equals("/members"),
+                List.of(
+                        new BasicAuthenticationFilter(userDetailsService)
+                )
+        );
+    }
+}

src/main/java/nextstep/app/security/UserDetailsServiceImpl.java

@@ -0,0 +1,24 @@
+package nextstep.app.security;
+
+import nextstep.app.domain.MemberRepository;
+import nextstep.security.filter.UserDetails;
+import nextstep.security.filter.UserDetailsService;
+import org.springframework.stereotype.Service;
+
+import java.util.Optional;
+
+@Service
+public class UserDetailsServiceImpl implements UserDetailsService {
+
+    private final MemberRepository memberRepository;
+
+    public UserDetailsServiceImpl(MemberRepository memberRepository) {
+        this.memberRepository = memberRepository;
+    }
+
+    @Override
+    public Optional<UserDetails> findUserDetailsByUsername(String username) {
+        return memberRepository.findByEmail(username)
+                .map(member -> new UserDetails(member.getEmail(), member.getPassword()));
+    }
+}

src/main/java/nextstep/app/ui/AuthenticationException.java

@@ -2,10 +2,8 @@
 
 import nextstep.app.domain.Member;
 import nextstep.app.domain.MemberRepository;
-import nextstep.app.util.Base64Convertor;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
@@ -20,22 +18,8 @@ public MemberController(MemberRepository memberRepository) {
     }
 
     @GetMapping("/members")
-    public ResponseEntity<List<Member>> list(@RequestHeader("Authorization") String authorization) {
-        try {
-            String credentials = authorization.split(" ")[1];
-            String decodedString = Base64Convertor.decode(credentials);
-            String[] usernameAndPassword = decodedString.split(":");
-            String username = usernameAndPassword[0];
-            String password = usernameAndPassword[1];
-
-            memberRepository.findByEmail(username)
-                    .filter(it -> it.matchPassword(password))
-                    .orElseThrow(AuthenticationException::new);
-
-            List<Member> members = memberRepository.findAll();
-            return ResponseEntity.ok(members);
-        } catch (Exception e) {
-            throw new AuthenticationException();
-        }
+    public ResponseEntity<List<Member>> list() {
+        List<Member> members = memberRepository.findAll();
+        return ResponseEntity.ok(members);
     }
 }

src/main/java/nextstep/app/ui/LoginController.java

@@ -0,0 +1,13 @@
+package nextstep.security.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+
+@Configuration
+@Import({
+        WebSecurityConfiguration.class,
+        SecurityFilterAutoConfiguration.class,
+})
+public class SecurityAutoConfiguration {
+
+}

src/main/java/nextstep/app/ui/MemberController.java

@@ -0,0 +1,26 @@
+package nextstep.security.config;
+
+import jakarta.servlet.Filter;
+import nextstep.security.filter.FilterChainProxy;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.filter.DelegatingFilterProxy;
+
+/**
+ * DelegatingFilterProxy를 FilterChainProxy를 참조하게 한 후 빈으로 등록한다.
+ */
+@Configuration
+public class SecurityFilterAutoConfiguration {
+
+    @Bean
+    @ConditionalOnBean(name = FilterChainProxy.FILTER_CHAIN_PROXY_BEAN_NAME)
+    public FilterRegistrationBean<Filter> springSecurityFilterChainRegistration() {
+        FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
+
+        registration.setFilter(new DelegatingFilterProxy(FilterChainProxy.FILTER_CHAIN_PROXY_BEAN_NAME));
+
+        return registration;
+    }
+}

src/main/java/nextstep/security/config/SecurityAutoConfiguration.java

@@ -0,0 +1,20 @@
+package nextstep.security.config;
+
+import nextstep.security.filter.FilterChainProxy;
+import nextstep.security.filter.SecurityFilterChain;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.List;
+
+/**
+ * "springSecurityFilterChain"이라는 이름으로 FilterChainProxy를 빈으로 등록한다.
+ */
+@Configuration
+public class WebSecurityConfiguration {
+
+    @Bean(name = FilterChainProxy.FILTER_CHAIN_PROXY_BEAN_NAME)
+    public FilterChainProxy filterChainProxy(List<SecurityFilterChain> securityFilterChains) {
+        return new FilterChainProxy(securityFilterChains);
+    }
+}

src/main/java/nextstep/security/config/SecurityFilterAutoConfiguration.java

@@ -0,0 +1,60 @@
+package nextstep.security.filter;
+
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import nextstep.security.util.Base64Convertor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Optional;
+
+public class BasicAuthenticationFilter implements Filter {
+
+    private static final Logger log = LoggerFactory.getLogger(BasicAuthenticationFilter.class);
+
+    private final UserDetailsService userDetailsService;
+
+    public BasicAuthenticationFilter(UserDetailsService userDetailsService) {
+        this.userDetailsService = userDetailsService;
+    }
+
+    @Override
+    public void doFilter(
+            ServletRequest servletRequest,
+            ServletResponse servletResponse,
+            FilterChain filterChain
+    ) throws IOException, ServletException {
+        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
+        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
+
+        try {
+            String authorization = httpRequest.getHeader("Authorization");
+            String credentials = authorization.split(" ")[1]; // "Basic " 뒤의 문자열
+            String decodedString = Base64Convertor.decode(credentials);
+            String[] usernameAndPassword = decodedString.split(":");
+            String username = usernameAndPassword[0];
+            String password = usernameAndPassword[1];
+
+            Optional<UserDetails> userDetailsOpt = userDetailsService.findUserDetailsByUsername(username);
+            if (userDetailsOpt.isEmpty()) {
+                httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User not found");
+                return;
+            }
+
+            UserDetails userDetails = userDetailsOpt.get();
+            if (!userDetails.matchesPassword(password)) {
+                httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Password mismatch");
+                return;
+            }
+
+            httpRequest.setAttribute("userDetails", userDetails); // 이후 필터에서 사용 가능하도록 인증된 사용자 정보를 저장
+
+            filterChain.doFilter(servletRequest, servletResponse);
+        } catch (RuntimeException e) {
+            log.debug("Authentication failed", e);
+            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed");
+        }
+    }
+}