[신성수] 인가(Authorization) 리뷰 요청 드립니다.

README.md

@@ -1 +1,17 @@
 # spring-security-authorization
+
+# 🚀 1단계 - AuthorizationManager를 활용
+
+- [x] AuthorizationManager를 활용하여 인가 과정 추상화
+  - [x] SecuredAuthorizationManager 구현
+  - [x] RequestAuthorizationManager 구현
+  - [x] SecuredAuthorizationManager 구현
+
+# 🚀 2단계 - 요청별 권한 검증 정보 분리
+
+- [x] 요청별 권한 검증 정보를 별도의 객체로 분리하여 관리
+  - [x] RequestMatcher 작성
+  - [x] AnyRequestMatcher 구현
+  - [x] MvcRequestMatcher 구현
+  - [x] RequestMatcherEntry 작성
+

src/main/java/nextstep/app/SecurityConfig.java

@@ -1,13 +1,16 @@
 package nextstep.app;
 
+import jakarta.servlet.http.HttpServletRequest;
 import nextstep.app.domain.Member;
 import nextstep.app.domain.MemberRepository;
 import nextstep.security.authentication.AuthenticationException;
 import nextstep.security.authentication.BasicAuthenticationFilter;
 import nextstep.security.authentication.UsernamePasswordAuthenticationFilter;
+import nextstep.security.authorization.AuthorizationFilter;
 import nextstep.security.authorization.CheckAuthenticationFilter;
 import nextstep.security.authorization.SecuredAspect;
 import nextstep.security.authorization.SecuredMethodInterceptor;
+import nextstep.security.authorization.manager.*;
 import nextstep.security.config.DefaultSecurityFilterChain;
 import nextstep.security.config.DelegatingFilterProxy;
 import nextstep.security.config.FilterChainProxy;
@@ -22,6 +25,10 @@
 import java.util.List;
 import java.util.Set;
 
+import static nextstep.security.authorization.matcher.RequestMatcherEntry.createDefaultMatcher;
+import static nextstep.security.authorization.matcher.RequestMatcherEntry.createMvcMatcher;
+import static org.springframework.http.HttpMethod.GET;
+
 @EnableAspectJAutoProxy
 @Configuration
 public class SecurityConfig {
@@ -46,19 +53,20 @@ public FilterChainProxy filterChainProxy(List<SecurityFilterChain> securityFilte
     public SecuredMethodInterceptor securedMethodInterceptor() {
         return new SecuredMethodInterceptor();
     }
-//    @Bean
-//    public SecuredAspect securedAspect() {
-//        return new SecuredAspect();
-//    }
 
     @Bean
     public SecurityFilterChain securityFilterChain() {
+        final AuthorizationManager<HttpServletRequest> authorizationManager = new RequestAuthorizationManager(List.of(
+                createMvcMatcher(GET, "/members", new AuthorityAuthorizationManager<>("ADMIN")),
+                createMvcMatcher(GET, "/members/me", new AuthenticatedAuthorizationManager<>()),
+                createMvcMatcher(GET, "/search", new PermitAllAuthorizationManager<>())
+        ), createDefaultMatcher(new DenyAllAuthorizationManager<>()));
         return new DefaultSecurityFilterChain(
                 List.of(
                         new SecurityContextHolderFilter(),
                         new UsernamePasswordAuthenticationFilter(userDetailsService()),
                         new BasicAuthenticationFilter(userDetailsService()),
-                        new CheckAuthenticationFilter()
+                        new AuthorizationFilter(authorizationManager)
                 )
         );
     }

src/main/java/nextstep/app/ui/MemberController.java

@@ -2,12 +2,16 @@
 
 import nextstep.app.domain.Member;
 import nextstep.app.domain.MemberRepository;
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authentication.AuthenticationException;
 import nextstep.security.authorization.Secured;
+import nextstep.security.context.SecurityContextHolder;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
+import java.util.Optional;
 
 @RestController
 public class MemberController {
@@ -30,4 +34,17 @@ public ResponseEntity<List<Member>> search() {
         List<Member> members = memberRepository.findAll();
         return ResponseEntity.ok(members);
     }
+
+    @Secured("USER")
+    @GetMapping("/members/me")
+    public ResponseEntity<Member> me() {
+        final Authentication authentication = SecurityContextHolder
+                .getContext().getAuthentication();
+
+        Member member = memberRepository.findByEmail(
+                authentication.getPrincipal().toString()
+        ).orElseThrow(AuthenticationException::new);
+
+        return ResponseEntity.ok(member);
+    }
 }

src/main/java/nextstep/security/authentication/BasicAuthenticationFilter.java

@@ -1,6 +1,7 @@
 package nextstep.security.authentication;
 
 import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import nextstep.security.context.SecurityContext;
@@ -10,6 +11,7 @@
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.List;
@@ -26,23 +28,23 @@ public BasicAuthenticationFilter(UserDetailsService userDetailsService) {
     }
 
     @Override
-    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
-        try {
-            Authentication authentication = convert(request);
-            if (authentication == null) {
-                filterChain.doFilter(request, response);
-                return;
-            }
-
-            Authentication authResult = this.authenticationManager.authenticate(authentication);
-            SecurityContext context = SecurityContextHolder.createEmptyContext();
-            context.setAuthentication(authResult);
-            SecurityContextHolder.setContext(context);
-
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws ServletException, IOException {
+        Authentication authentication = convert(request);
+        if (authentication == null) {
             filterChain.doFilter(request, response);
-        } catch (Exception e) {
-            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            return;
         }
+
+        Authentication authResult = this.authenticationManager.authenticate(authentication);
+        SecurityContext context = SecurityContextHolder.createEmptyContext();
+        context.setAuthentication(authResult);
+        SecurityContextHolder.setContext(context);
+
+        filterChain.doFilter(request, response);
     }
 
     private Authentication convert(HttpServletRequest request) {

src/main/java/nextstep/security/authorization/AuthorizationFilter.java

@@ -0,0 +1,37 @@
+package nextstep.security.authorization;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authentication.AuthenticationException;
+import nextstep.security.authorization.manager.AuthorizationManager;
+import nextstep.security.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+
+public class AuthorizationFilter extends OncePerRequestFilter {
+    private final AuthorizationManager<HttpServletRequest> authorizationManager;
+
+    public AuthorizationFilter(AuthorizationManager<HttpServletRequest> authorizationManager) {
+        this.authorizationManager = authorizationManager;
+    }
+
+    @Override
+    protected void doFilterInternal(
+            HttpServletRequest request,
+            HttpServletResponse response,
+            FilterChain filterChain
+    ) throws ServletException, IOException {
+        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication == null || !authentication.isAuthenticated()) {
+            throw new AuthenticationException();
+        }
+        if (!authorizationManager.authorize(authentication, request).isGranted()) {
+            throw new ForbiddenException();
+        }
+        filterChain.doFilter(request, response);
+    }
+}

src/main/java/nextstep/security/authorization/SecuredMethodInterceptor.java

@@ -2,6 +2,7 @@
 
 import nextstep.security.authentication.Authentication;
 import nextstep.security.authentication.AuthenticationException;
+import nextstep.security.authorization.manager.SecuredAuthorizationManager;
 import nextstep.security.context.SecurityContextHolder;
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInterceptor;
@@ -11,32 +12,42 @@
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.aop.support.annotation.AnnotationMatchingPointcut;
 
-import java.lang.reflect.Method;
-
 public class SecuredMethodInterceptor implements MethodInterceptor, PointcutAdvisor, AopInfrastructureBean {
 
+    private final SecuredAuthorizationManager securedAuthorizationManager;
+
     private final Pointcut pointcut;
 
     public SecuredMethodInterceptor() {
         this.pointcut = new AnnotationMatchingPointcut(null, Secured.class);
+        this.securedAuthorizationManager = new SecuredAuthorizationManager();
     }
 
     @Override
     public Object invoke(MethodInvocation invocation) throws Throwable {
-        Method method = invocation.getMethod();
-        if (method.isAnnotationPresent(Secured.class)) {
-            Secured secured = method.getAnnotation(Secured.class);
-            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-            if (authentication == null) {
-                throw new AuthenticationException();
-            }
-            if (!authentication.getAuthorities().contains(secured.value())) {
-                throw new ForbiddenException();
-            }
+        if (!invocation.getMethod().isAnnotationPresent(Secured.class)) {
+            return invocation.proceed();
         }
+        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+
+        checkAuthenticated(authentication);
+        checkAuthorize(authentication, invocation);
+
         return invocation.proceed();
     }
 
+    private void checkAuthenticated(Authentication authentication) {
+        if (authentication == null || !authentication.isAuthenticated()) {
+            throw new AuthenticationException();
+        }
+    }
+
+    private void checkAuthorize(Authentication authentication, MethodInvocation invocation) {
+        if (!securedAuthorizationManager.authorize(authentication, invocation).isGranted()) {
+            throw new ForbiddenException();
+        }
+    }
+
     @Override
     public Pointcut getPointcut() {
         return pointcut;

src/main/java/nextstep/security/authorization/manager/AuthenticatedAuthorizationManager.java

@@ -0,0 +1,19 @@
+package nextstep.security.authorization.manager;
+
+import nextstep.security.authentication.Authentication;
+
+import static nextstep.security.authorization.manager.AuthorizationDecision.GRANTED;
+import static nextstep.security.authorization.manager.AuthorizationDecision.NOT_GRANTED;
+
+public class AuthenticatedAuthorizationManager<T> implements AuthorizationManager<T> {
+    @Override
+    public AuthorizationResult authorize(Authentication authentication, T target) {
+        if(authentication != null &&
+                authentication.isAuthenticated()
+            ) {
+            return GRANTED;
+        }
+
+        return NOT_GRANTED;
+    }
+}

src/main/java/nextstep/security/authorization/manager/AuthorityAuthorizationManager.java

@@ -0,0 +1,29 @@
+package nextstep.security.authorization.manager;
+
+import nextstep.security.authentication.Authentication;
+
+import java.util.Set;
+
+public class AuthorityAuthorizationManager<T> implements AuthorizationManager<T> {
+    private final Set<String> authorities;
+
+    public AuthorityAuthorizationManager(String... authorities) {
+        this.authorities = Set.of(authorities);
+    }
+
+    @Override
+    public AuthorizationResult authorize(Authentication authentication, T target) {
+        return AuthorizationDecision.from(isGranted(authentication));
+    }
+
+    private boolean isGranted(Authentication authentication) {
+        return authentication != null
+                && authentication.isAuthenticated()
+                && anyMatch(authentication);
+    }
+
+    private boolean anyMatch(Authentication authentication) {
+        return authentication.getAuthorities().stream()
+                .anyMatch(authorities::contains);
+    }
+}

src/main/java/nextstep/security/authorization/manager/AuthorizationDecision.java

@@ -0,0 +1,20 @@
+package nextstep.security.authorization.manager;
+
+public enum AuthorizationDecision implements AuthorizationResult {
+    GRANTED(true),
+    NOT_GRANTED(false);
+
+    private final boolean granted;
+
+    AuthorizationDecision(final boolean granted) {
+        this.granted = granted;
+    }
+
+    public boolean isGranted() {
+        return this.granted;
+    }
+
+    public static AuthorizationResult from(boolean granted) {
+        return granted ? GRANTED : NOT_GRANTED;
+    }
+}

src/main/java/nextstep/security/authorization/manager/AuthorizationManager.java

@@ -0,0 +1,8 @@
+package nextstep.security.authorization.manager;
+
+import nextstep.security.authentication.Authentication;
+
+@FunctionalInterface
+public interface AuthorizationManager<T> {
+    AuthorizationResult authorize(Authentication authentication, T target);
+}

src/main/java/nextstep/security/authorization/manager/AuthorizationResult.java

@@ -0,0 +1,5 @@
+package nextstep.security.authorization.manager;
+
+public interface AuthorizationResult {
+    boolean isGranted();
+}

src/main/java/nextstep/security/authorization/manager/DenyAllAuthorizationManager.java

@@ -0,0 +1,12 @@
+package nextstep.security.authorization.manager;
+
+import nextstep.security.authentication.Authentication;
+
+import static nextstep.security.authorization.manager.AuthorizationDecision.NOT_GRANTED;
+
+public class DenyAllAuthorizationManager<T> implements AuthorizationManager<T> {
+    @Override
+    public AuthorizationResult authorize(Authentication authentication, T target) {
+        return NOT_GRANTED;
+    }
+}

src/main/java/nextstep/security/authorization/manager/PermitAllAuthorizationManager.java

@@ -0,0 +1,12 @@
+package nextstep.security.authorization.manager;
+
+import nextstep.security.authentication.Authentication;
+
+import static nextstep.security.authorization.manager.AuthorizationDecision.GRANTED;
+
+public class PermitAllAuthorizationManager<T> implements AuthorizationManager<T> {
+    @Override
+    public AuthorizationResult authorize(Authentication authentication, T target) {
+        return GRANTED;
+    }
+}