AI Service Security 설정 단순화 및 워크플로우 문서 추가

- SecurityConfig CORS 설정 제거 및 단순화 - 모든 요청 허용으로 변경 (내부 API 특성 반영) - DevTools 요청 정적 리소스 제외 처리 - AI Service 워크플로우 문서 추가 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-13 04:19:14 +00:00 · 2025-10-30 16:44:23 +09:00
parent c53cbdf4f8
commit c6b33885e0
2 changed files with 403 additions and 22 deletions
@@ -4,6 +4,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
@@ -27,21 +28,19 @@ import java.util.List;
@EnableWebSecurity
 public class SecurityConfig {

-    /**
-     * Security Filter Chain 설정
-     * - 모든 요청 허용 (내부 API)
-     * - CSRF 비활성화
-     * - Stateless 세션
-     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
+                // CSRF 비활성화 (REST API는 CSRF 불필요)
                .csrf(AbstractHttpConfigurer::disable)
-                .cors(cors -> cors.configurationSource(corsConfigurationSource()))
-                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+
+                // 세션 사용 안 함 (JWT 기반 인증)
+                .sessionManagement(session ->
+                        session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                )
+
+                // 모든 요청 허용 (테스트용)
                .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/health", "/actuator/**", "/v3/api-docs/**", "/swagger-ui/**").permitAll()
-                        .requestMatchers("/internal/**").permitAll()  // Internal API
                        .anyRequest().permitAll()
                );

@@ -49,19 +48,11 @@ public class SecurityConfig {
    }

    /**
-     * CORS 설정
+     * Chrome DevTools 요청 등 정적 리소스 요청을 Spring Security에서 제외
     */
    @Bean
-    public CorsConfigurationSource corsConfigurationSource() {
-        CorsConfiguration configuration = new CorsConfiguration();
-        configuration.setAllowedOrigins(Arrays.asList("http://localhost:3000", "http://localhost:8080"));
-        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"));
-        configuration.setAllowedHeaders(List.of("*"));
-        configuration.setAllowCredentials(true);
-        configuration.setMaxAge(3600L);
-
-        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/**", configuration);
-        return source;
+    public WebSecurityCustomizer webSecurityCustomizer() {
+        return (web) -> web.ignoring()
+                .requestMatchers("/.well-known/**");
    }
 }