security 수정

2025-10-30 15:45:22 +09:00 · 2025-10-30 15:45:22 +09:00 · 72728841db
commit 72728841db
parent a3381cc540
1 changed files with 21 additions and 37 deletions
--- a/participation-service/src/main/java/com/kt/event/participation/infrastructure/config/SecurityConfig.java
+++ b/participation-service/src/main/java/com/kt/event/participation/infrastructure/config/SecurityConfig.java
@ -1,17 +1,13 @@
 package com.kt.event.participation.infrastructure.config;

-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
-
-import java.util.Arrays;

 /**
 * Security Configuration for Participation Service
@ -24,43 +20,31 @@ import java.util.Arrays;
@EnableWebSecurity
 public class SecurityConfig {

-    @Value("${cors.allowed-origins:*}")
-    private String allowedOrigins;
-
    @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
-            .csrf(csrf -> csrf.disable())
-            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
-            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                // CSRF 비활성화 (REST API는 CSRF 불필요)
+                .csrf(AbstractHttpConfigurer::disable)
+
+                // 세션 사용 안 함 (JWT 기반 인증)
+                .sessionManagement(session ->
+                        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                )
+
+                // 모든 요청 허용 (테스트용)
                .authorizeHttpRequests(auth -> auth
-                // Actuator endpoints
-                .requestMatchers("/actuator/**").permitAll()
                        .anyRequest().permitAll()
                );

        return http.build();
    }

+    /**
+     * Chrome DevTools 요청 등 정적 리소스 요청을 Spring Security에서 제외
+     */
    @Bean
-    public CorsConfigurationSource corsConfigurationSource() {
-        CorsConfiguration configuration = new CorsConfiguration();
-
-        String[] origins = allowedOrigins.split(",");
-        configuration.setAllowedOriginPatterns(Arrays.asList(origins));
-
-        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
-
-        configuration.setAllowedHeaders(Arrays.asList(
-            "Authorization", "Content-Type", "X-Requested-With", "Accept",
-            "Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers"
-        ));
-
-        configuration.setAllowCredentials(true);
-        configuration.setMaxAge(3600L);
-
-        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/**", configuration);
-        return source;
+    public WebSecurityCustomizer webSecurityCustomizer() {
+        return (web) -> web.ignoring()
+                .requestMatchers("/.well-known/**");
    }
 }