(step3) httpSecurity - AuthorizeHttpRequestsConfigurer를 이용한 인가 관리 리팩토링

Author: haero77

src/main/java/nextstep/app/SecurityConfig.java

@@ -5,15 +5,12 @@
 import nextstep.oauth2.registration.ClientRegistration;
 import nextstep.oauth2.registration.ClientRegistrationRepository;
 import nextstep.oauth2.userinfo.OAuth2UserService;
-import nextstep.security.access.AnyRequestMatcher;
-import nextstep.security.access.MvcRequestMatcher;
-import nextstep.security.access.RequestMatcherEntry;
 import nextstep.security.access.hierarchicalroles.RoleHierarchy;
 import nextstep.security.access.hierarchicalroles.RoleHierarchyImpl;
 import nextstep.security.authentication.AuthenticationManager;
 import nextstep.security.authentication.DaoAuthenticationProvider;
 import nextstep.security.authentication.ProviderManager;
-import nextstep.security.authorization.*;
+import nextstep.security.authorization.SecuredMethodInterceptor;
 import nextstep.security.config.Customizer;
 import nextstep.security.config.DelegatingFilterProxy;
 import nextstep.security.config.FilterChainProxy;
@@ -25,9 +22,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
-import org.springframework.http.HttpMethod;
 
-import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -63,13 +58,6 @@ public SecuredMethodInterceptor securedMethodInterceptor() {
         return new SecuredMethodInterceptor();
     }
 
-    @Bean
-    public RoleHierarchy roleHierarchy() {
-        return RoleHierarchyImpl.with()
-                .role("ADMIN").implies("USER")
-                .build();
-    }
-
     @Bean
     public AuthenticationManager authenticationManager() {
         return new ProviderManager(List.of(
@@ -80,35 +68,23 @@ public AuthenticationManager authenticationManager() {
     @Bean
     public SecurityFilterChain securityFilterChain2(HttpSecurity http) {
         return http
+                .authorizeHttpRequests(authorize -> authorize
+                        .requestMatchers("/members").hasRole("ADMIN")
+                        .requestMatchers("/members/me").authenticated()
+                        .anyRequest().permitAll()
+                )
                 .csrf(c -> c.ignoringRequestMatchers("/login"))
                 .formLogin(Customizer.withDefaults())
                 .httpBasic(Customizer.withDefaults())
                 .oauth2Login(Customizer.withDefaults())
                 .build();
     }
 
-//    @Bean
-//    public SecurityFilterChain securityFilterChain() {
-//        return new DefaultSecurityFilterChain(
-//                List.of(
-//                        new SecurityContextHolderFilter(),
-//                        new CsrfFilter(Set.of(new MvcRequestMatcher(HttpMethod.POST, "/login"))),
-//                        new UsernamePasswordAuthenticationFilter(authenticationManager()),
-//                        new BasicAuthenticationFilter(authenticationManager()),
-//                        new OAuth2AuthorizationRequestRedirectFilter(clientRegistrationRepository()),
-//                        new OAuth2LoginAuthenticationFilter(clientRegistrationRepository(), new OAuth2AuthorizedClientRepository(), authenticationManager()),
-//                        new AuthorizationFilter(requestAuthorizationManager())
-//                )
-//        );
-//    }
-
     @Bean
-    public RequestMatcherDelegatingAuthorizationManager requestAuthorizationManager() {
-        List<RequestMatcherEntry<AuthorizationManager>> mappings = new ArrayList<>();
-        mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/members"), new AuthorityAuthorizationManager(roleHierarchy(), "ADMIN")));
-        mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/members/me"), new AuthorityAuthorizationManager(roleHierarchy(), "USER")));
-        mappings.add(new RequestMatcherEntry<>(AnyRequestMatcher.INSTANCE, new PermitAllAuthorizationManager<Void>()));
-        return new RequestMatcherDelegatingAuthorizationManager(mappings);
+    public RoleHierarchy roleHierarchy() {
+        return RoleHierarchyImpl.with()
+                .role("ADMIN").implies("USER")
+                .build();
     }
 
     @Bean

src/main/java/nextstep/security/authorization/AuthenticatedAuthorizationManager.java

@@ -3,9 +3,13 @@
 import nextstep.security.authentication.Authentication;
 
 public class AuthenticatedAuthorizationManager<T> implements AuthorizationManager<T> {
+
     @Override
     public AuthorizationDecision check(Authentication authentication, T object) {
-        boolean granted = authentication.isAuthenticated();
-        return new AuthorizationDecision(granted);
+        return new AuthorizationDecision(isGranted(authentication));
+    }
+
+    private boolean isGranted(Authentication authentication) {
+        return authentication != null && authentication.isAuthenticated();
     }
 }

src/main/java/nextstep/security/authorization/AuthorizationFilter.java

@@ -29,15 +29,27 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
         try {
             Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
             AuthorizationDecision decision = this.authorizationManager.check(authentication, request);
-            if (decision != null && !decision.isGranted()) {
-                throw new AccessDeniedException("Access Denied");
+
+            if (authorizationSucceed(decision)) {
+                chain.doFilter(servletRequest, servletResponse);
+                return;
+            }
+
+            // 인가에 실패했는데 인증에 실패해서 인가에 실패한 경우
+            if (authentication == null || !authentication.isAuthenticated()) {
+                throw new AuthenticationException();
             }
 
-            chain.doFilter(request, response);
+            // 인가에 실패한 경우
+            throw new AccessDeniedException();
         } catch (AccessDeniedException e) {
             response.sendError(HttpServletResponse.SC_FORBIDDEN);
         } catch (AuthenticationException e) {
             response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
         }
     }
+
+    private boolean authorizationSucceed(AuthorizationDecision decision) {
+        return decision != null && decision.isGranted();
+    }
 }

src/main/java/nextstep/security/authorization/RequestMatcherDelegatingAuthorizationManager.java

@@ -20,7 +20,6 @@ public AuthorizationDecision check(Authentication authentication, HttpServletReq
             RequestMatcher matcher = mapping.getRequestMatcher();
             if (matcher.matches(request)) {
                 AuthorizationManager manager = mapping.getEntry();
-
                 return manager.check(authentication, request);
             }
         }

src/main/java/nextstep/security/config/annotation/web/builders/HttpSecurity.java

@@ -1,12 +1,17 @@
 package nextstep.security.config.annotation.web.builders;
 
 import jakarta.servlet.Filter;
+import nextstep.security.access.hierarchicalroles.RoleHierarchy;
 import nextstep.security.authentication.AuthenticationManager;
+import nextstep.security.authorization.AuthorizationFilter;
 import nextstep.security.config.Customizer;
 import nextstep.security.config.DefaultSecurityFilterChain;
 import nextstep.security.config.SecurityFilterChain;
 import nextstep.security.config.annotation.web.SecurityConfigurer;
 import nextstep.security.config.annotation.web.configurers.*;
+import nextstep.security.context.SecurityContextHolderFilter;
+import org.springframework.context.ApplicationContext;
+import org.springframework.util.Assert;
 
 import java.util.*;
 
@@ -25,14 +30,14 @@ public <C> C getSharedObject(Class<C> sharedType) {
         return (C) this.sharedObjects.get(sharedType);
     }
 
-    private  <C> void setSharedObject(Class<C> sharedType, C object) {
+    public <C> void setSharedObject(Class<C> sharedType, C object) {
         this.sharedObjects.put(sharedType, object);
     }
 
     public SecurityFilterChain build() {
         init();
         configure();
-        return new DefaultSecurityFilterChain(filters);
+        return new DefaultSecurityFilterChain(orderFilters());
     }
 
     private void init() {
@@ -67,7 +72,10 @@ public HttpSecurity oauth2Login(Customizer<OAuth2LoginConfigurer> oauth2LoginCus
         return this;
     }
 
-    public HttpSecurity authorizeHttpRequests() {
+    public HttpSecurity authorizeHttpRequests(Customizer<AuthorizeHttpRequestsConfigurer> requestsCustomizer) {
+        RoleHierarchy roleHierarchy = getSharedObject(ApplicationContext.class).getBean(RoleHierarchy.class);
+        Assert.notNull(roleHierarchy, "roleHierarchy must not be null");
+        requestsCustomizer.customize(getOrApply(new AuthorizeHttpRequestsConfigurer(roleHierarchy)));
         return this;
     }
 
@@ -91,4 +99,28 @@ private <C extends SecurityConfigurer> C getOrApply(C configurer) {
         this.configurers.put(clazz, configurer);
         return configurer;
     }
+
+    private List<Filter> orderFilters() {
+        List<Filter> orderedFilters = new ArrayList<>(this.filters);
+
+        // SecurityContext는 인증 전부터 관리되므로, SecurityContextHolder 필터를 인증 필터보다 앞에 위치.
+        orderedFilters.stream()
+                .filter(filter -> filter instanceof SecurityContextHolderFilter)
+                .findFirst()
+                .ifPresent(filter -> {
+                    orderedFilters.remove(filter);
+                    orderedFilters.add(0, filter);
+                });
+
+        // 인증 후에 인가를 실행해야하므로, 인가 필터를 가장 마지막에 위치
+        orderedFilters.stream()
+                .filter(filter -> filter instanceof AuthorizationFilter)
+                .findFirst()
+                .ifPresent(filter -> {
+                    orderedFilters.remove(filter);
+                    orderedFilters.add(filter);
+                });
+
+        return orderedFilters;
+    }
 }

src/main/java/nextstep/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -0,0 +1,76 @@
+package nextstep.security.config.annotation.web.configurers;
+
+import nextstep.security.access.AnyRequestMatcher;
+import nextstep.security.access.MvcRequestMatcher;
+import nextstep.security.access.RequestMatcher;
+import nextstep.security.access.RequestMatcherEntry;
+import nextstep.security.access.hierarchicalroles.RoleHierarchy;
+import nextstep.security.authorization.*;
+import nextstep.security.config.annotation.web.SecurityConfigurer;
+import nextstep.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.util.Assert;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class AuthorizeHttpRequestsConfigurer implements SecurityConfigurer {
+
+    List<RequestMatcherEntry<AuthorizationManager>> mappings = new ArrayList<>();
+    private List<? extends RequestMatcher> currentMatchers;
+    private final RoleHierarchy roleHierarchy;
+
+    public AuthorizeHttpRequestsConfigurer(RoleHierarchy roleHierarchy) {
+        Assert.notNull(roleHierarchy, "roleHierarchy cannot be null");
+        this.roleHierarchy = roleHierarchy;
+    }
+
+    @Override
+    public void init(HttpSecurity http) {
+        // AuthorizeHttpRequestsConfigurer.hasRole() 보다 HttpSecurity.build()가 먼저 수행되므로,
+        // init()에서 roleHierarchy 초기화를 진행 시 .hasRole() 시점에 roleHierarchy가 null이 되는 문제 발생 -> 생성자에서 roleHierarchy 주입.
+    }
+
+    @Override
+    public void configure(HttpSecurity http) {
+        RequestMatcherDelegatingAuthorizationManager manager = new RequestMatcherDelegatingAuthorizationManager(mappings);
+        AuthorizationFilter filter = new AuthorizationFilter(manager);
+        http.addFilter(filter);
+    }
+
+    public AuthorizeHttpRequestsConfigurer requestMatchers(String... patterns) {
+        this.currentMatchers = Arrays.stream(patterns)
+                .map(pattern -> new MvcRequestMatcher(null, pattern))
+                .toList();
+
+        return this;
+    }
+
+    public AuthorizeHttpRequestsConfigurer anyRequest() {
+        this.currentMatchers = List.of(AnyRequestMatcher.INSTANCE);
+        return this;
+    }
+
+    public AuthorizeHttpRequestsConfigurer hasRole(String role) {
+        addMappings(new AuthorityAuthorizationManager<>(this.roleHierarchy, role));
+        return this;
+    }
+
+    public AuthorizeHttpRequestsConfigurer permitAll() {
+        addMappings(new PermitAllAuthorizationManager<>());
+        return this;
+    }
+
+    public AuthorizeHttpRequestsConfigurer authenticated() {
+        addMappings(new AuthenticatedAuthorizationManager<>());
+        return this;
+    }
+
+    private <T> void addMappings(AuthorizationManager<T> authorizationManager) {
+        for (RequestMatcher matcher : this.currentMatchers) {
+            this.mappings.add(
+                    new RequestMatcherEntry<>(matcher, authorizationManager)
+            );
+        }
+    }
+}