In the old approach you extended WebSecurityConfigurerAdapter and overrode its configure() methods; that adapter is gone in Spring Security 6, so from 6 on you create the objects yourself and register them as @Bean.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
// Deprecated in Spring Security 6 in favour of @EnableMethodSecurity (prePost is on by default there),
// but still works; this is what makes @PreAuthorize on controller methods take effect.
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean // the single SecurityFilterChain for the whole application
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Disabling CSRF is only acceptable for a stateless API; if a session cookie
            // is issued, a browser can be made to replay it against these endpoints.
            .csrf(AbstractHttpConfigurer::disable)
            // Disabling CORS here means Spring Security adds no CorsFilter at all.
            .cors(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests((auth) -> auth
                .requestMatchers(HttpMethod.GET, "/api/**").permitAll() // anonymous reads
                .anyRequest().authenticated()                           // everything else needs a login
            )
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean // in-memory users; both passwords are stored as BCrypt hashes, never in plain text
    public UserDetailsService users() {
        UserDetails user = User
            .withUsername("user")
            .password("pass")
            .passwordEncoder(str -> passwordEncoder().encode(str)) // hashes "pass" when build() runs
            .roles("USER")
            .build();
        UserDetails admin = User.withUsername("admin")
            .password(passwordEncoder().encode("pass"))              // same effect, hashed explicitly
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
To control POST requests to the REST API by role, @EnableGlobalMethodSecurity(prePostEnabled = true) is needed on the config class,
and the authorization annotation also has to be applied in the controller (on the POST, PUT and DELETE handlers; GET is already permitted by the filter chain).
// Method-level rule: evaluated after the filter chain has authenticated the request,
// so an authenticated user without ROLE_ADMIN gets 403 here.
@PreAuthorize("hasRole('ADMIN')")
@PostMapping
public ResponseEntity<PostDto> createPost(@Valid @RequestBody PostDto postDto) {
    return new ResponseEntity<>(postService.createPost(postDto), HttpStatus.CREATED);
}
With the above, POST requests require the ADMIN role.
==> The same rule can also be applied in the filter chain instead: a requestMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN") entry inside authorizeHttpRequests, which is enforced before any controller code runs.
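As an added example (not code from the original post), here is the ADMIN-only rule for non-GET /api/** requests expressed in the filter chain, the Spring Security 6 @EnableMethodSecurity annotation in place of the deprecated one, and a MockMvc test that checks the outcome of each case. It replaces SecConfig rather than sitting beside it (two PasswordEncoder beans would conflict), and it assumes Spring Boot 3 with spring-boot-starter-security and spring-security-test on the classpath plus a controller mapped at /api/posts whose POST handler returns 201 like the createPost() method above; the package, class names and request body are hypothetical.

```java
// ---- src/main/java/com/example/security/ApiSecurityConfig.java (hypothetical path) ----
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // Spring Security 6 form of @EnableGlobalMethodSecurity(prePostEnabled = true)
public class ApiSecurityConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // CSRF can only be dropped safely when there is no session cookie to replay,
            // so the chain is made stateless: every request must carry its own Basic credentials.
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/**").permitAll()
                // The rule the post puts in @PreAuthorize, enforced before any controller runs.
                .requestMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.PUT, "/api/**").hasRole("ADMIN")
                .requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) { // injected instead of calling passwordEncoder()
        return new InMemoryUserDetailsManager(
            User.withUsername("user").password(encoder.encode("pass")).roles("USER").build(),
            User.withUsername("admin").password(encoder.encode("pass")).roles("USER", "ADMIN").build());
    }
}

// ---- src/test/java/com/example/security/ApiSecurityConfigTest.java (hypothetical path) ----
package com.example.security;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class ApiSecurityConfigTest {
    @Autowired MockMvc mvc;
    static final String BODY = "{\"title\":\"t\",\"content\":\"c\"}"; // constructed sample body

    @Test void anonymousGetPasses() throws Exception {
        mvc.perform(get("/api/posts")).andExpect(status().isOk());
    }
    @Test void anonymousPostGetsBasicChallenge() throws Exception {
        mvc.perform(post("/api/posts").contentType(MediaType.APPLICATION_JSON).content(BODY))
           .andExpect(status().isUnauthorized());   // 401 from the Basic entry point
    }
    @Test void userPostIsForbidden() throws Exception {
        mvc.perform(post("/api/posts").with(httpBasic("user", "pass"))
                .contentType(MediaType.APPLICATION_JSON).content(BODY))
           .andExpect(status().isForbidden());      // authenticated, but no ROLE_ADMIN
    }
    @Test void adminPostIsCreated() throws Exception {
        mvc.perform(post("/api/posts").with(httpBasic("admin", "pass"))
                .contentType(MediaType.APPLICATION_JSON).content(BODY))
           .andExpect(status().isCreated());        // reaches the assumed controller, 201
    }
}
```

Keeping the URL-level rule in the filter chain and @PreAuthorize on the handler is not redundant: the chain stops unauthorized writes before request-body binding and validation run, while the method annotation still protects the service call if the controller is ever reached through another path. The same checks can be made by hand with curl -i -X POST -u user:pass and -u admin:pass against /api/posts, expecting 403 and 201 respectively.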