default setting

// Paths served without authentication: the token-issuing endpoint plus the Swagger/OpenAPI
// documentation of the booking service. Spread into requestMatchers(*permitUrl) below, so it
// must remain an Array<String>.
// NOTE(review): the `\\/` sequence leaves a literal backslash in front of `/**` in the
// compiled pattern; confirm these entries still match the intended paths (the plain
// form would be `/booking-service/swagger-ui/**`).
private val permitUrl: Array<String> = arrayOf(
    "/api/v1/auth/token",
    "/booking-service/swagger-ui\\/**",
    "/booking-service/v2/api-docs\\/**",
    "/booking-service/v3/api-docs\\/**",
    "/booking-service/swagger-resources\\/**",
    "/booking-service/webjars\\/**",
)

/**
 * Security filter chain for the stateless, JWT-protected API.
 *
 * Bearer tokens are validated by [customJwtDecoder] backed by [kmsClient]. No HTTP session is
 * ever created, so CSRF protection and HTTP Basic are switched off. Authorization rules apply in
 * declaration order: the [permitUrl] paths are open, the refresh endpoint accepts either the
 * `SCOPE_API` or the `SCOPE_ISSUE` authority, every other path matched by the wildcard rule
 * needs `SCOPE_API`, and whatever is left merely has to be authenticated.
 *
 * @param http the builder handed over by Spring Security
 * @return the built [SecurityFilterChain]
 */
@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    // Alternative kept from the original notes: to read the token from a header other than
    // `Authorization`, create a DefaultBearerTokenResolver, call setBearerTokenHeaderName(...)
    // on it and register it with oauth2ResourceServer.bearerTokenResolver(...) before jwt {}.
    val resourceServer: (OAuth2ResourceServerConfigurer<HttpSecurity>) -> Unit = { configurer ->
        configurer.jwt { jwtConfigurer ->
            jwtConfigurer.decoder(customJwtDecoder(kmsClient()))
        }
    }

    http.headers { headers ->
        // NOTE(review): disabling X-Frame-Options drops clickjacking protection on every
        // response of this chain; confirm it is needed globally rather than for one path.
        headers.frameOptions { frameOptions -> frameOptions.disable() }
    }
    // Stateless bearer-token API: no session cookie, hence no CSRF surface and no Basic auth.
    http.csrf { csrf -> csrf.disable() }
    http.httpBasic { basic -> basic.disable() }
    http.oauth2ResourceServer(resourceServer)
    http.sessionManagement { session ->
        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    }
    http.authorizeHttpRequests { requests ->
        requests.requestMatchers(*permitUrl).permitAll()
        requests.requestMatchers("/api/v1/auth/refresh")
            .hasAnyAuthority("SCOPE_API", "SCOPE_ISSUE")
        // NOTE(review): `\\/**` compiles to a pattern starting with a literal backslash;
        // if `/**` was intended, every remaining request should require SCOPE_API instead of
        // falling through to the weaker authenticated() rule below — confirm.
        requests.requestMatchers("\\/**").hasAuthority("SCOPE_API")
        requests.anyRequest().authenticated()
    }
    // The original notes also show an optional exceptionHandling { } block wiring
    // BearerTokenAuthenticationEntryPoint and BearerTokenAccessDeniedHandler; it is not applied here.
    return http.build()
}

CORS

/**
 * Security filter chain variant with CORS enabled.
 *
 * Same stateless JWT setup as before (decoder from [customJwtDecoder] over [kmsClient], no
 * session, no CSRF, no HTTP Basic) plus `cors { }`, which makes Spring Security apply the
 * CORS policy it finds in the application context. Rules apply in declaration order over the
 * path groups `loginApiUrl`, `permitAllUrl`, `openApiUrl` and `tokenApiUrl` (declared outside
 * this block).
 *
 * @param http the builder handed over by Spring Security
 * @return the built [SecurityFilterChain]
 */
@Bean
fun filterChain(http: HttpSecurity): SecurityFilterChain {
    val resourceServer: (OAuth2ResourceServerConfigurer<HttpSecurity>) -> Unit = { configurer ->
        configurer.jwt { jwtConfigurer ->
            jwtConfigurer.decoder(customJwtDecoder(kmsClient()))
        }
    }

    http.headers { headers ->
        // NOTE(review): X-Frame-Options is disabled for all responses; confirm this is intended.
        headers.frameOptions { frameOptions -> frameOptions.disable() }
    }
    http.cors { }
    http.csrf { csrf -> csrf.disable() }
    http.httpBasic { basic -> basic.disable() }
    http.oauth2ResourceServer(resourceServer)
    http.sessionManagement { session ->
        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    }
    http.authorizeHttpRequests { requests ->
        // anonymous() admits only callers without an authentication; a request that carries a
        // valid bearer token to a login path is rejected — presumably intended, verify.
        requests.requestMatchers(*loginApiUrl).anonymous()
        requests.requestMatchers(*permitAllUrl).permitAll()
        requests.requestMatchers(*openApiUrl).permitAll()
        // "refresh" has no SCOPE_ prefix; this relies on a converter that strips the default prefix.
        requests.requestMatchers(*tokenApiUrl).hasAnyAuthority("refresh")
        requests.anyRequest().authenticated()
    }
    return http.build()
}

/**
 * Global CORS policy registered for the whole URL space.
 *
 * NOTE(review): `*` for both origins and headers lets any web origin call the API from a
 * browser, including the permitAll endpoints; prefer listing the known front-end origins.
 * allowCredentials is left unset, so no cookies are shared and Spring accepts the wildcard —
 * turning allowCredentials on later would make Spring reject the `*` origin.
 * NOTE(review): the registration path `/**/` carries a trailing slash; confirm the path
 * matcher in use treats it as "every path" (the plain form would be `/**`).
 *
 * @return the source consulted by Spring Security's CORS filter
 */
@Bean
fun corsConfigurationSource(): CorsConfigurationSource {
    val policy = CorsConfiguration().apply {
        allowedOrigins = mutableListOf("*")
        allowedMethods = mutableListOf("GET", "POST")
        allowedHeaders = mutableListOf("*")
    }
    return UrlBasedCorsConfigurationSource().apply {
        registerCorsConfiguration("/**/", policy)
    }
}

Prefix 제거

/**
 * Maps JWT scopes to granted authorities without the default `SCOPE_` prefix, so a token
 * scope `refresh` becomes the authority `refresh`.
 *
 * NOTE(review): once the resource server uses this converter, rules written against
 * `SCOPE_...` names (as in the first filter chain on this page) no longer match; keep the
 * authority names in the rules and this prefix in step.
 *
 * @return the converter the JWT resource server should use
 */
@Bean
fun jwtAuthenticationConverter(): JwtAuthenticationConverter {
    val authoritiesConverter = JwtGrantedAuthoritiesConverter().apply {
        setAuthorityPrefix("")
    }
    return JwtAuthenticationConverter().apply {
        setJwtGrantedAuthoritiesConverter(authoritiesConverter)
    }
}