From e223075db4d0b79675c4f4c4055c4e882601ae5b Mon Sep 17 00:00:00 2001 From: Dev Uni Date: Tue, 12 Sep 2023 15:43:34 +0900 Subject: [PATCH 1/5] =?UTF-8?q?v1.0.6=20=EB=B0=B0=ED=8F=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From f40b52ac8e146fb99d0a60fbd183e2be4aae231d Mon Sep 17 00:00:00 2001 From: Dev Uni Date: Tue, 12 Sep 2023 16:54:02 +0900 Subject: [PATCH 2/5] =?UTF-8?q?[JT-65]=20hotfix:=20Bearer=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../java/com/devtoon/jtoon/security/config/WebConfig.java | 3 +-- .../com/devtoon/jtoon/security/util/SecurityConstant.java | 3 ++- .../java/com/devtoon/jtoon/security/util/TokenCookie.java | 5 +++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/module-application/src/main/java/com/devtoon/jtoon/security/config/WebConfig.java b/module-application/src/main/java/com/devtoon/jtoon/security/config/WebConfig.java index 3e8bbf97..c4d1ffd0 100644 --- a/module-application/src/main/java/com/devtoon/jtoon/security/config/WebConfig.java +++ b/module-application/src/main/java/com/devtoon/jtoon/security/config/WebConfig.java @@ -5,7 +5,6 @@ import org.springframework.web.servlet.config.annotation.InterceptorRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; -import com.devtoon.jtoon.global.util.RegExp; import com.devtoon.jtoon.security.interceptor.MemberInterceptor; @Configuration @@ -22,7 +21,7 @@ public void addInterceptors(InterceptorRegistry registry) { @Override public void addCorsMappings(final CorsRegistry registry) { registry.addMapping("/**") - .allowedOriginPatterns(RegExp.ALLOW_ORIGIN_PATTERN) + .allowedOriginPatterns("*") .allowedMethods(ALLOWED_METHOD_NAMES.split(",")) .allowedHeaders("*") .allowCredentials(true) 
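Review bot: `.allowedOriginPatterns("*")` combined with the unchanged `.allowCredentials(true)` two lines below makes Spring echo whatever `Origin` the request carries back in `Access-Control-Allow-Origin` while also sending `Access-Control-Allow-Credentials: true`, so any site can issue cookie-bearing cross-origin calls to `/**` — and the tokens this service issues are cookies (`TokenCookie`), so that is the credential being exposed. The previous pattern constant was the allow-list; the first hunk drops its import rather than fixing it. Keep an explicit list instead of the wildcard, e.g. restore `.allowedOriginPatterns(RegExp.ALLOW_ORIGIN_PATTERN)` or inject it with `@Value("${cors.allowed-origin-patterns}") String[] allowedOriginPatterns` and pass that array; if the wildcard was a workaround for a front-end host the old pattern did not match, widen the pattern to that host, not to `*`. `addCorsMappings` continues outside the hunk.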
diff --git a/module-application/src/main/java/com/devtoon/jtoon/security/util/SecurityConstant.java b/module-application/src/main/java/com/devtoon/jtoon/security/util/SecurityConstant.java index b649f169..989cdb17 100644 --- a/module-application/src/main/java/com/devtoon/jtoon/security/util/SecurityConstant.java +++ b/module-application/src/main/java/com/devtoon/jtoon/security/util/SecurityConstant.java @@ -8,7 +8,8 @@ public final class SecurityConstant { public static final String ACCESS_TOKEN_HEADER = "Access_Token"; public static final String REFRESH_TOKEN_HEADER = "Refresh_Token"; - public static final String BEARER_VALUE = "Bearer+"; + public static final String BEARER_VALUE = "Bearer"; + public static final String BLANK = " "; public static final String SPLIT_DATA = "\\+"; public static final int MINUTE = 1000 * 60; } diff --git a/module-application/src/main/java/com/devtoon/jtoon/security/util/TokenCookie.java b/module-application/src/main/java/com/devtoon/jtoon/security/util/TokenCookie.java index 3de9302f..fa81a4d4 100644 --- a/module-application/src/main/java/com/devtoon/jtoon/security/util/TokenCookie.java +++ b/module-application/src/main/java/com/devtoon/jtoon/security/util/TokenCookie.java @@ -2,10 +2,11 @@ import static com.devtoon.jtoon.security.util.SecurityConstant.*; -import jakarta.servlet.http.Cookie; import java.net.URLEncoder; import java.nio.charset.Charset; import java.nio.charset.StandardCharsets; + +import jakarta.servlet.http.Cookie; import lombok.AccessLevel; import lombok.NoArgsConstructor; @@ -15,7 +16,7 @@ public class TokenCookie { private static final Charset charSet = StandardCharsets.UTF_8; public static Cookie of(String name, String value) { - Cookie cookie = new Cookie(name, URLEncoder.encode(BEARER_VALUE + value, charSet)); + Cookie cookie = new Cookie(name, URLEncoder.encode(BEARER_VALUE + BLANK + value, charSet)); cookie.setSecure(true); cookie.setHttpOnly(true); return cookie; 
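Review bot: `TokenCookie.of` still emits the token cookie with only `Secure` and `HttpOnly`, so a cookie that is the bearer credential for every request has no `SameSite` attribute and no explicit `Path`, and with the wildcard CORS elsewhere in this series browsers will attach it to cross-site requests. Add `cookie.setPath("/");` and, if the project runs on Jakarta Servlet 6 (the `jakarta.servlet` import suggests a recent container — confirm the version), `cookie.setAttribute("SameSite", "Strict");`; on an older container the attribute has to be written through a `Set-Cookie` header (Spring's `ResponseCookie` can build it). Separately, the value written is `URLEncoder.encode("Bearer" + " " + value)`, which turns the separating space into `+`, and `SecurityConstant.SPLIT_DATA` (`"\\+"`) only works because of that encoding and because a compact JWS is base64url and never contains `+` — worth a comment on the `Cookie cookie = ...` line such as `// URLEncoder encodes the separating space as '+', which is what SPLIT_DATA splits on`. Nothing in the hunk sets a max-age, so this is a session cookie; presumably intended, but it should be stated on the method.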
From ccd79f8d6a6c26996b962db5232c77f0ac0cd4d1 Mon Sep 17 00:00:00 2001 From: ymkim97 Date: Tue, 12 Sep 2023 17:18:59 +0900 Subject: [PATCH 3/5] =?UTF-8?q?[JT-65]=20hotfix:=20webIgnore=20=EC=82=AD?= =?UTF-8?q?=EC=A0=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../devtoon/jtoon/security/config/SecurityConfig.java | 9 --------- 1 file changed, 9 deletions(-) diff --git a/module-application/src/main/java/com/devtoon/jtoon/security/config/SecurityConfig.java b/module-application/src/main/java/com/devtoon/jtoon/security/config/SecurityConfig.java index 0a650da6..48738495 100644 --- a/module-application/src/main/java/com/devtoon/jtoon/security/config/SecurityConfig.java +++ b/module-application/src/main/java/com/devtoon/jtoon/security/config/SecurityConfig.java @@ -4,7 +4,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; @@ -18,7 +17,6 @@ import com.devtoon.jtoon.security.filter.JwtAuthenticationFilter; import com.devtoon.jtoon.security.handler.OAuth2FailureHandler; import com.devtoon.jtoon.security.handler.OAuth2SuccessHandler; - import lombok.RequiredArgsConstructor; @Configuration 
@@ -37,13 +35,6 @@ public PasswordEncoder encoder() { return new BCryptPasswordEncoder(); } - @Bean - public WebSecurityCustomizer webSecurityCustomizer() { - return web -> web.ignoring() - .requestMatchers("/members/sign-up") - .requestMatchers("/login"); - } - @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http From 31c9afce6d4c047f979369599e6c097e7741d643 Mon Sep 17 00:00:00 2001 From: ymkim97 Date: Tue, 12 Sep 2023 17:36:23 +0900 Subject: [PATCH 4/5] =?UTF-8?q?[JT-65]=20hotfix:=20Array=20null=20?= =?UTF-8?q?=EC=98=88=EC=99=B8=20=EC=B2=98=EB=A6=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../security/application/JwtService.java | 3 +- .../filter/JwtAuthenticationFilter.java | 35 ++++++++++--------- .../jtoon/security/util/TokenCookie.java | 4 +-- 3 files changed, 22 insertions(+), 20 deletions(-) diff --git a/module-application/src/main/java/com/devtoon/jtoon/security/application/JwtService.java b/module-application/src/main/java/com/devtoon/jtoon/security/application/JwtService.java index 6c905065..38180dc8 100644 --- a/module-application/src/main/java/com/devtoon/jtoon/security/application/JwtService.java +++ b/module-application/src/main/java/com/devtoon/jtoon/security/application/JwtService.java @@ -46,9 +46,7 @@ public class JwtService { private long REFRESH_EXPIRE; private Key secretKey; - private final CustomUserDetailsService userDetailsService; - private final RefreshTokenRepository refreshTokenRepository; @PostConstruct @@ -91,6 +89,7 @@ public boolean isTokenValid(String token) { .setSigningKey(secretKey) .build() .parseClaimsJws(token); + return true; } catch (ExpiredJwtException e) { log.error("Expired access Token", e); 
diff --git a/module-application/src/main/java/com/devtoon/jtoon/security/filter/JwtAuthenticationFilter.java b/module-application/src/main/java/com/devtoon/jtoon/security/filter/JwtAuthenticationFilter.java index 0e04ee8b..d71ff4e7 100644 --- a/module-application/src/main/java/com/devtoon/jtoon/security/filter/JwtAuthenticationFilter.java +++ b/module-application/src/main/java/com/devtoon/jtoon/security/filter/JwtAuthenticationFilter.java @@ -2,10 +2,8 @@ import static com.devtoon.jtoon.security.util.SecurityConstant.*; -import java.io.IOException; -import java.util.Arrays; - import org.jetbrains.annotations.NotNull; +import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.web.filter.OncePerRequestFilter; @@ -15,12 +13,14 @@ import com.devtoon.jtoon.security.application.JwtService; import com.devtoon.jtoon.security.domain.jwt.CustomUserDetails; import com.devtoon.jtoon.security.util.TokenCookie; - +import io.jsonwebtoken.MalformedJwtException; import jakarta.servlet.FilterChain; import jakarta.servlet.ServletException; import jakarta.servlet.http.Cookie; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.Arrays; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; 
@@ -37,26 +37,30 @@ protected void doFilterInternal( @NotNull HttpServletResponse response, @NotNull FilterChain filterChain ) throws ServletException, IOException { - String accessToken = Arrays.stream(request.getCookies()) - .filter(coo -> coo.getName().equals(ACCESS_TOKEN_HEADER)) - .map(Cookie::getValue) - .findFirst() - .orElse(null); + try { + String accessToken = Arrays.stream(request.getCookies()) + .filter(coo -> coo.getName().equals(ACCESS_TOKEN_HEADER)) + .map(Cookie::getValue) + .findFirst() + .orElse(null); - if (accessToken != null && accessToken.startsWith(BEARER_VALUE)) { - try { + if (accessToken != null && accessToken.startsWith(BEARER_VALUE)) { accessToken = accessToken.split(SPLIT_DATA)[1]; + if (!jwtService.isTokenValid(accessToken)) { String refreshToken = validateAndGetRefreshToken(request); accessToken = regenerateTokens(refreshToken, response); } + authenticate(accessToken); - } catch (RuntimeException e) { - log.error("Token validation failed", e); - handlerExceptionResolver.resolveException(request, response, null, e); - return; } + } catch (NullPointerException | MalformedJwtException | BadCredentialsException e) { + log.error("Token validation failed", e); + handlerExceptionResolver.resolveException(request, response, null, e); + + return; } + filterChain.doFilter(request, response); } @@ -66,7 +70,6 @@ private String validateAndGetRefreshToken(HttpServletRequest request) { .map(Cookie::getValue) .findFirst() .orElse(null); - refreshToken = refreshToken.split(SPLIT_DATA)[1]; jwtService.isTokenValid(refreshToken); jwtService.verifyRefreshTokenDb(refreshToken); diff --git a/module-application/src/main/java/com/devtoon/jtoon/security/util/TokenCookie.java b/module-application/src/main/java/com/devtoon/jtoon/security/util/TokenCookie.java index fa81a4d4..e3a1b05b 100644 --- a/module-application/src/main/java/com/devtoon/jtoon/security/util/TokenCookie.java 
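Review bot: In `validateAndGetRefreshToken` the result of `jwtService.isTokenValid(refreshToken)` is discarded, so any failure that `isTokenValid` reports by returning `false` rather than throwing still reaches `verifyRefreshTokenDb` and, through `regenerateTokens`, mints a fresh access token. The visible part of `isTokenValid` catches `ExpiredJwtException` and only logs it, and the `return true` added in this series shows it reports validity as a boolean, so an expired refresh token appears to pass here unless `verifyRefreshTokenDb` re-checks expiry, which is not visible. Make the check effective: `if (!jwtService.isTokenValid(refreshToken)) { throw new BadCredentialsException("Invalid refresh token"); }` — the filter's catch already routes that type to the exception resolver. In the same hunk `refreshToken.split(SPLIT_DATA)[1]` runs on a possibly-null value and, like `accessToken.split(SPLIT_DATA)[1]` in `doFilterInternal`, throws `ArrayIndexOutOfBoundsException` for a cookie value without `+`, which the catch narrowed from `RuntimeException` to `NullPointerException | MalformedJwtException | BadCredentialsException` no longer handles; use `String[] parts = refreshToken.split(SPLIT_DATA, 2); if (parts.length != 2) throw new BadCredentialsException("Malformed token cookie");` and the same for the access token. Both `doFilterInternal` and `validateAndGetRefreshToken` continue outside the hunk.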
+++ b/module-application/src/main/java/com/devtoon/jtoon/security/util/TokenCookie.java @@ -2,11 +2,10 @@ import static com.devtoon.jtoon.security.util.SecurityConstant.*; +import jakarta.servlet.http.Cookie; import java.net.URLEncoder; import java.nio.charset.Charset; import java.nio.charset.StandardCharsets; - -import jakarta.servlet.http.Cookie; import lombok.AccessLevel; import lombok.NoArgsConstructor; @@ -19,6 +18,7 @@ public static Cookie of(String name, String value) { Cookie cookie = new Cookie(name, URLEncoder.encode(BEARER_VALUE + BLANK + value, charSet)); cookie.setSecure(true); cookie.setHttpOnly(true); + return cookie; } } From f671fa4ec35710bcb870803273066e88387d8997 Mon Sep 17 00:00:00 2001 From: ymkim97 Date: Tue, 12 Sep 2023 17:49:46 +0900 Subject: [PATCH 5/5] =?UTF-8?q?[JT-65]=20hotfix:=20NullPointerException=20?= =?UTF-8?q?=EC=B2=98=EB=A6=AC=20=EC=9C=84=EC=B9=98=20=EB=B3=80=EA=B2=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../jtoon/security/filter/JwtAuthenticationFilter.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/module-application/src/main/java/com/devtoon/jtoon/security/filter/JwtAuthenticationFilter.java b/module-application/src/main/java/com/devtoon/jtoon/security/filter/JwtAuthenticationFilter.java index d71ff4e7..f98bc6b7 100644 --- a/module-application/src/main/java/com/devtoon/jtoon/security/filter/JwtAuthenticationFilter.java +++ b/module-application/src/main/java/com/devtoon/jtoon/security/filter/JwtAuthenticationFilter.java 
@@ -54,11 +54,13 @@ protected void doFilterInternal( authenticate(accessToken); } - } catch (NullPointerException | MalformedJwtException | BadCredentialsException e) { + } catch (MalformedJwtException | BadCredentialsException e) { log.error("Token validation failed", e); handlerExceptionResolver.resolveException(request, response, null, e); return; + } catch (NullPointerException e) { + log.error("Cookie is null", e); } filterChain.doFilter(request, response);
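Review bot: The new `catch (NullPointerException e)` treats every NPE raised inside the `try` as "no cookie" and lets the request continue down the chain unauthenticated, but an NPE can also come from `validateAndGetRefreshToken` when the access token is invalid and the refresh cookie is missing (`refreshToken.split(...)` on null) — that is a credential failure and should be rejected like the other branch, not logged and passed through. Catching NPE to detect `request.getCookies()` returning null is also exception-driven control flow, and `log.error("Cookie is null", e)` with a stack trace fires on every cookieless request (first visits, health checks). Guard at the source instead, at the `request.getCookies()` call above this hunk: `Cookie[] cookies = request.getCookies(); if (cookies == null) { filterChain.doFilter(request, response); return; }`, then drop this catch and have `validateAndGetRefreshToken` throw `BadCredentialsException` when the refresh cookie is absent. `doFilterInternal` starts before this hunk.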