Merge pull request #31 from ktds-dg0501/feature/partici2

security 수정

participation-service/src/main/java/com/kt/event/participation/infrastructure/config/SecurityConfig.java

@@ -1,17 +1,13 @@
 package com.kt.event.participation.infrastructure.config;
 
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-
-import java.util.Arrays;
 
 /**
  * Security Configuration for Participation Service
@@ -24,43 +20,31 @@ import java.util.Arrays;
 @EnableWebSecurity
 public class SecurityConfig {
 
-    @Value("${cors.allowed-origins:*}")
-    private String allowedOrigins;
-
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http
-            .csrf(csrf -> csrf.disable())
+                // CSRF 비활성화 (REST API는 CSRF 불필요)
-            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+                .csrf(AbstractHttpConfigurer::disable)
-            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+
-            .authorizeHttpRequests(auth -> auth
+                // 세션 사용 안 함 (JWT 기반 인증)
-                // Actuator endpoints
+                .sessionManagement(session ->
-                .requestMatchers("/actuator/**").permitAll()
+                        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-                .anyRequest().permitAll()
+                )
-            );
+
+                // 모든 요청 허용 (테스트용)
+                .authorizeHttpRequests(auth -> auth
+                        .anyRequest().permitAll()
+                );
 
         return http.build();
     }
 
+    /**
+     * Chrome DevTools 요청 등 정적 리소스 요청을 Spring Security에서 제외
+     */
     @Bean
-    public CorsConfigurationSource corsConfigurationSource() {
+    public WebSecurityCustomizer webSecurityCustomizer() {
-        CorsConfiguration configuration = new CorsConfiguration();
+        return (web) -> web.ignoring()
-
+                .requestMatchers("/.well-known/**");
-        String[] origins = allowedOrigins.split(",");
-        configuration.setAllowedOriginPatterns(Arrays.asList(origins));
-
-        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
-
-        configuration.setAllowedHeaders(Arrays.asList(
-            "Authorization", "Content-Type", "X-Requested-With", "Accept",
-            "Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"
-        ));
-
-        configuration.setAllowCredentials(true);
-        configuration.setMaxAge(3600L);
-
-        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/**", configuration);
-        return source;
     }
 }