From 72728841db613e4fcb5f7fe0ea5b45dc431de994 Mon Sep 17 00:00:00 2001
From: jhbkjh
Date: Thu, 30 Oct 2025 15:45:22 +0900
Subject: [PATCH] =?UTF-8?q?security=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../infrastructure/config/SecurityConfig.java | 58 +++++++------------
 1 file changed, 21 insertions(+), 37 deletions(-)
diff --git a/participation-service/src/main/java/com/kt/event/participation/infrastructure/config/SecurityConfig.java b/participation-service/src/main/java/com/kt/event/participation/infrastructure/config/SecurityConfig.java
index f11e549..f217f42 100644
--- a/participation-service/src/main/java/com/kt/event/participation/infrastructure/config/SecurityConfig.java
+++ b/participation-service/src/main/java/com/kt/event/participation/infrastructure/config/SecurityConfig.java
@@ -1,17 +1,13 @@
 package com.kt.event.participation.infrastructure.config; -import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.web.SecurityFilterChain; -import org.springframework.web.cors.CorsConfiguration; -import org.springframework.web.cors.CorsConfigurationSource; -import org.springframework.web.cors.UrlBasedCorsConfigurationSource; - -import java.util.Arrays; /** * Security Configuration for Participation Service 
@@ -24,43 +20,31 @@ import java.util.Arrays; @EnableWebSecurity public class SecurityConfig { - @Value("${cors.allowed-origins:*}") - private String allowedOrigins; - @Bean - public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http - .csrf(csrf -> csrf.disable()) - .cors(cors -> cors.configurationSource(corsConfigurationSource())) - .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) - .authorizeHttpRequests(auth -> auth - // Actuator endpoints - .requestMatchers("/actuator/**").permitAll() - .anyRequest().permitAll() - ); + // CSRF 비활성화 (REST API는 CSRF 불필요) + .csrf(AbstractHttpConfigurer::disable) + + // 세션 사용 안 함 (JWT 기반 인증) + .sessionManagement(session -> + session.sessionCreationPolicy(SessionCreationPolicy.STATELESS) + ) + + // 모든 요청 허용 (테스트용) + .authorizeHttpRequests(auth -> auth + .anyRequest().permitAll() + ); return http.build(); } + /** + * Chrome DevTools 요청 등 정적 리소스 요청을 Spring Security에서 제외 + */ @Bean - public CorsConfigurationSource corsConfigurationSource() { - CorsConfiguration configuration = new CorsConfiguration(); - - String[] origins = allowedOrigins.split(","); - configuration.setAllowedOriginPatterns(Arrays.asList(origins)); - - configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS")); - - configuration.setAllowedHeaders(Arrays.asList( - "Authorization", "Content-Type", "X-Requested-With", "Accept", - "Origin", "Access-Control-Request-Method", "Access-Control-Request-Headers" - )); - - configuration.setAllowCredentials(true); - configuration.setMaxAge(3600L); - - UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); - source.registerCorsConfiguration("/**", configuration); - return source; + public WebSecurityCustomizer webSecurityCustomizer() { + return (web) -> web.ignoring() + .requestMatchers("/.well-known/**"); } }
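Review bot: The new `webSecurityCustomizer` bean routes `/.well-known/**` through `web.ignoring()`, which takes those requests out of the security filter chain altogether — no security headers are applied and any authorization rule added later will never see them — and Spring Security logs a warning recommending `permitAll` over `ignoring()` for exactly this reason. Since the chain already ends in `.anyRequest().permitAll()` the bean changes nothing today, so it can be replaced by a rule inside the chain, `.requestMatchers("/.well-known/**").permitAll()` placed before `.anyRequest()`, and the customizer dropped. The `// 모든 요청 허용 (테스트용)` comment marks the permit-all rule as test-only while the comment above `.sessionManagement` says authentication is JWT-based, yet no JWT filter or resource-server configuration is registered in this hunk; if it lives elsewhere the comment should point to it, otherwise a `// TODO: replace permitAll() with authenticated() before release` (or a profile guard) is the minimum so this does not ship as an unauthenticated service. The chain also no longer registers a CORS source, so cross-origin browser clients now depend on CORS being handled elsewhere, presumably at a gateway — worth one sentence in the class comment. The class's `@Configuration` annotation and Javadoc sit before the hunk.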