[인증(Authentication) - 2, 3, 4단계] 김선호 미션 제출합니다. 🚀

src/main/java/nextstep/app/security/AppSecurityConfiguration.java

@@ -1,5 +1,8 @@
 package nextstep.app.security;
 
+import nextstep.security.context.HttpSessionSecurityContextRepository;
+import nextstep.security.context.SecurityContextHolderFilter;
+import nextstep.security.context.SecurityContextRepository;
 import nextstep.security.filter.*;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -17,20 +20,13 @@ public AppSecurityConfiguration(UserDetailsService userDetailsService) {
 
     @Bean
     public SecurityFilterChain formLoginSecurityFilterChain() {
-        return new DefaultSecurityFilterChain(
-                (httpServletRequest) -> httpServletRequest.getRequestURI().equals("/login"),
-                List.of(
-                        new FormLoginFilter(userDetailsService)
-                )
-        );
-    }
+        SecurityContextRepository contextRepository = new HttpSessionSecurityContextRepository();
 
-    @Bean
-    public SecurityFilterChain basicAuthenticationSecurityFilterChain() {
         return new DefaultSecurityFilterChain(
-                (httpServletRequest) -> httpServletRequest.getRequestURI().equals("/members"),
                 List.of(
-                        new BasicAuthenticationFilter(userDetailsService)
+                        new SecurityContextHolderFilter(contextRepository),
+                        new UsernamePasswordAuthenticationFilter(userDetailsService, contextRepository),
+                        new BasicAuthenticationFilter(userDetailsService, contextRepository)
                 )
         );
     }

src/main/java/nextstep/app/security/UserDetailsServiceImpl.java

@@ -4,6 +4,7 @@
 import nextstep.security.filter.UserDetails;
 import nextstep.security.filter.UserDetailsService;
 import org.springframework.stereotype.Service;
+import org.springframework.util.StringUtils;
 
 import java.util.Optional;
 
@@ -18,6 +19,10 @@ public UserDetailsServiceImpl(MemberRepository memberRepository) {
 
     @Override
     public Optional<UserDetails> findUserDetailsByUsername(String username) {
+        if (!StringUtils.hasLength(username)) {
+            return Optional.empty();
+        }
+
         return memberRepository.findByEmail(username)
                 .map(member -> new UserDetails(member.getEmail(), member.getPassword()));
     }

src/main/java/nextstep/security/AuthenticationException.java

@@ -0,0 +1,12 @@
+package nextstep.security;
+
+public class AuthenticationException extends Exception{
+
+    public AuthenticationException() {
+        super();
+    }
+
+    public AuthenticationException(String message) {
+        super(message);
+    }
+}

src/main/java/nextstep/security/authentication/Authentication.java

@@ -0,0 +1,10 @@
+package nextstep.security.authentication;
+
+public interface Authentication {
+
+    Object getCredentials();
+
+    Object getPrincipal();
+
+    boolean isAuthenticated();
+}

src/main/java/nextstep/security/authentication/AuthenticationManager.java

@@ -0,0 +1,16 @@
+package nextstep.security.authentication;
+
+import nextstep.security.AuthenticationException;
+
+@FunctionalInterface
+public interface AuthenticationManager {
+
+    /**
+     * Attempts to authenticate the passed {@link Authentication} object, returning a
+     * fully populated <code>Authentication</code> object if successful.
+     * @param authentication the authentication request object
+     * @return a fully authenticated object including credentials
+     * @throws AuthenticationException if authentication fails
+     */
+    Authentication authenticate(Authentication authentication) throws AuthenticationException;
+}

src/main/java/nextstep/security/authentication/AuthenticationProvider.java

@@ -0,0 +1,16 @@
+package nextstep.security.authentication;
+
+import nextstep.security.AuthenticationException;
+
+public interface AuthenticationProvider {
+
+    /**
+     * Performs authentication with the same contract as AuthenticationManager.authenticate(Authentication).
+     * @param authentication the authentication request object.
+     * @return a fully authenticated object including credentials.
+     * @throws AuthenticationException if authentication fails.
+     */
+    Authentication authenticate(Authentication authentication) throws AuthenticationException;
+
+    boolean supports(Class<?> authentication);
+}

src/main/java/nextstep/security/authentication/DaoAuthenticationProvider.java

@@ -0,0 +1,48 @@
+package nextstep.security.authentication;
+
+import nextstep.security.AuthenticationException;
+import nextstep.security.filter.UserDetails;
+import nextstep.security.filter.UserDetailsService;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+import java.util.Optional;
+
+public class DaoAuthenticationProvider implements AuthenticationProvider {
+
+    private final UserDetailsService userDetailsService;
+
+    public DaoAuthenticationProvider(UserDetailsService userDetailsService) {
+        this.userDetailsService = userDetailsService;
+    }
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication, "Only UsernamePasswordAuthenticationToken is supported");
+
+        String username = (String) authentication.getPrincipal();
+        String password = (String) authentication.getCredentials();
+
+        if (!StringUtils.hasLength(username) || !StringUtils.hasLength(password)) {
+            throw new AuthenticationException("username or password is empty");
+        }
+
+        Optional<UserDetails> userDetailsOpt = userDetailsService.findUserDetailsByUsername(username);
+        if (userDetailsOpt.isEmpty()) {
+            throw new AuthenticationException("User not found");
+        }
+
+        UserDetails userDetails = userDetailsOpt.get();
+        if (!userDetails.matchesPassword(password)) {
+            throw new AuthenticationException("username or password invalid");
+        }
+
+        // matches password. authenticated.
+        return UsernamePasswordAuthenticationToken.authenticated(authentication);
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
+    }
+}

src/main/java/nextstep/security/authentication/ProviderManager.java

@@ -0,0 +1,25 @@
+package nextstep.security.authentication;
+
+import nextstep.security.AuthenticationException;
+
+import java.util.List;
+
+public class ProviderManager implements AuthenticationManager {
+
+    private final List<AuthenticationProvider> providers;
+
+    public ProviderManager(List<AuthenticationProvider> providers) {
+        this.providers = providers;
+    }
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        for (AuthenticationProvider provider : providers) {
+            if (provider.supports(authentication.getClass())) {
+                return provider.authenticate(authentication);
+            }
+        }
+
+        return authentication;
+    }
+}

src/main/java/nextstep/security/authentication/UsernamePasswordAuthenticationToken.java

@@ -0,0 +1,41 @@
+package nextstep.security.authentication;
+
+public class UsernamePasswordAuthenticationToken implements Authentication {
+
+    private final String username;
+    private final String password;
+    private final boolean authenticated;
+
+    private UsernamePasswordAuthenticationToken(String username, String password, boolean authenticated) {
+        this.username = username;
+        this.password = password;
+        this.authenticated = authenticated;
+    }
+
+    public static UsernamePasswordAuthenticationToken unAuthenticated(String username, String password) {
+        return new UsernamePasswordAuthenticationToken(username, password, false);
+    }
+
+    public static UsernamePasswordAuthenticationToken authenticated(Authentication authentication) {
+        return new UsernamePasswordAuthenticationToken(
+                (String) authentication.getPrincipal(),
+                (String) authentication.getCredentials(),
+                true
+        );
+    }
+
+    @Override
+    public Object getCredentials() {
+        return this.password;
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return this.username;
+    }
+
+    @Override
+    public boolean isAuthenticated() {
+        return this.authenticated;
+    }
+}

src/main/java/nextstep/security/context/HttpSessionSecurityContextRepository.java

@@ -0,0 +1,51 @@
+package nextstep.security.context;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
+
+public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
+
+    public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
+
+    // todo: SecurityContextRepository의 loadContext와 saveContext 동작을 각각 테스트.
+    @Override
+    public SecurityContext loadContext(HttpServletRequest request) {
+        SecurityContext securityContext = readSecurityContextFromSession(request.getSession());
+
+        if (securityContext == null) {
+            return SecurityContextHolder.createEmptyContext();
+        }
+
+        return securityContext;
+    }
+
+    @Override
+    public void saveContext(
+            SecurityContext context,
+            HttpServletRequest request,
+            HttpServletResponse response
+    ) {
+        HttpSession session = request.getSession();
+        session.setAttribute(SPRING_SECURITY_CONTEXT_KEY, context);
+    }
+
+    private SecurityContext readSecurityContextFromSession(HttpSession session) {
+        if (session == null) {
+            return null;
+        }
+
+        // Session Exists.
+        Object securityContextFromSession = session.getAttribute(SPRING_SECURITY_CONTEXT_KEY);
+        if (securityContextFromSession == null) {
+            return null;
+        }
+
+        if (!(securityContextFromSession instanceof SecurityContext)) {
+            return null;
+        }
+
+        // Everything Cool! SecurityContext Exists.
+        return (SecurityContext) securityContextFromSession;
+    }
+}

src/main/java/nextstep/security/context/SecurityContext.java

@@ -0,0 +1,12 @@
+package nextstep.security.context;
+
+import nextstep.security.authentication.Authentication;
+
+import java.io.Serializable;
+
+public interface SecurityContext extends Serializable {
+
+    Authentication getAuthentication();
+
+    void setAuthentication(Authentication authentication);
+}

src/main/java/nextstep/security/context/SecurityContextHolder.java

@@ -0,0 +1,29 @@
+package nextstep.security.context;
+
+public class SecurityContextHolder {
+
+    private static final ThreadLocal<SecurityContext> contextHolder = new ThreadLocal<>();
+
+    public static SecurityContext getContext() {
+        SecurityContext context = contextHolder.get();
+
+        if (context == null) {
+            context = createEmptyContext();
+            contextHolder.set(context);
+        }
+
+        return context;
+    }
+
+    public static void setContext(SecurityContext context) {
+        contextHolder.set(context);
+    }
+
+    public static void clearContext() {
+        contextHolder.remove();
+    }
+
+    public static SecurityContext createEmptyContext() {
+        return new SecurityContextImpl();
+    }
+}

src/main/java/nextstep/security/context/SecurityContextHolderFilter.java

@@ -0,0 +1,38 @@
+package nextstep.security.context;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+
+public class SecurityContextHolderFilter extends OncePerRequestFilter {
+
+    private final SecurityContextRepository securityContextRepository;
+
+    public SecurityContextHolderFilter(SecurityContextRepository securityContextRepository) {
+        Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
+        this.securityContextRepository = securityContextRepository;
+    }
+
+    @Override
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws ServletException, IOException {
+        // contextRepository를 통해 SecurityContext를 가져온다. 없을 경우 empty context.
+        SecurityContext context = this.securityContextRepository.loadContext(request);
+
+        try {
+            SecurityContextHolder.setContext(context);
+            filterChain.doFilter(request, response);
+        } finally {
+            // 요청이 끝나고 SecurityContext를 clear. (HTTP Session에는 SecurityContext가 남아있을 수 있음)
+            SecurityContextHolder.clearContext();
+        }
+    }
+}

src/main/java/nextstep/security/context/SecurityContextImpl.java

@@ -0,0 +1,25 @@
+package nextstep.security.context;
+
+import nextstep.security.authentication.Authentication;
+
+public class SecurityContextImpl implements SecurityContext {
+
+    private Authentication authentication;
+
+    public SecurityContextImpl() {
+    }
+
+    public SecurityContextImpl(Authentication authentication) {
+        this.authentication = authentication;
+    }
+
+    @Override
+    public Authentication getAuthentication() {
+        return this.authentication;
+    }
+
+    @Override
+    public void setAuthentication(Authentication authentication) {
+        this.authentication = authentication;
+    }
+}

src/main/java/nextstep/security/context/SecurityContextRepository.java

@@ -0,0 +1,11 @@
+package nextstep.security.context;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public interface SecurityContextRepository {
+
+    SecurityContext loadContext(HttpServletRequest request);
+
+    void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
+}