Merge pull request #183 from Review-zip/fix/#178-swagger-fix-security

[Fix] CorsConfig 관련 코드 수정
Review-zip · Feb 7, 2024 · d3b3ad4 · d3b3ad4
2 parents b4e38ee + a3d6ca1
commit d3b3ad4
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/src/main/java/com/example/ReviewZIP/domain/token/RefreshTokenController.java b/src/main/java/com/example/ReviewZIP/domain/token/RefreshTokenController.java
@@ -18,7 +18,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-@Tag(name = "로컬 로그인/회원가입", description = "로컬 로그인, 회원가입 API")
+@Tag(name = "token-controller", description = "로컬 로그인, 회원가입 API")
 @RestController
 @RequestMapping("/auth")
 @RequiredArgsConstructor

diff --git a/src/main/java/com/example/ReviewZIP/global/security/CorsConfig.java b/src/main/java/com/example/ReviewZIP/global/security/CorsConfig.java
@@ -6,6 +6,8 @@
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
 
+import java.util.List;
+
 @Configuration
 public class CorsConfig {
     @Bean
@@ -15,7 +17,7 @@ public CorsFilter corsFilter() {
         config.setAllowCredentials(true);
         config.addAllowedOriginPattern("*");
         config.addAllowedHeader("*");
-        config.addAllowedMethod("*");
+        config.setAllowedMethods(List.of("POST", "GET", "PUT", "DELETE", "PATCH", "OPTIONS"));
         config.addAllowedOrigin("https://api.egusajo.shop");
 
         source.registerCorsConfiguration("/**", config);

diff --git a/src/main/java/com/example/ReviewZIP/global/security/WebSecurityConfig.java b/src/main/java/com/example/ReviewZIP/global/security/WebSecurityConfig.java
@@ -4,6 +4,7 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -12,39 +13,39 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.web.filter.CorsFilter;
 
 @Configuration
 @EnableWebSecurity
 @RequiredArgsConstructor
 public class WebSecurityConfig {
 
     private final JwtProvider jwtProvider;
-    private final CorsFilter corsFilter;
+    private final CorsConfig corsConfig;
     private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
     private final JwtAccessDeniedHandler jwtAccessDeniedHandler;
     private final JwtRequestFilter jwtRequestFilter;
 
     @Bean
     public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
         http
-                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
+                .addFilterBefore(corsConfig.corsFilter(), UsernamePasswordAuthenticationFilter.class)
                 .csrf(AbstractHttpConfigurer::disable)
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .authorizeHttpRequests(authorize -> authorize
                         .requestMatchers("/", "/**").permitAll()
                         .requestMatchers(new AntPathRequestMatcher("/auth/**")).permitAll()
                         .requestMatchers(new AntPathRequestMatcher("/S3/**")).permitAll()
                         .requestMatchers("/swagger-resources/**", "/swagger-ui/**", "/v3/api-docs/**", "/api-docs/**", "/").permitAll()
+                        .requestMatchers("https://api.egusajo.shop ").permitAll()
+                        .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                         .anyRequest().authenticated())
 
                 .exceptionHandling(exceptionHandling -> exceptionHandling
                         .authenticationEntryPoint(jwtAuthenticationEntryPoint)
                         .accessDeniedHandler(jwtAccessDeniedHandler))
 
-                // JwtFilter를 addFilterBefore로 등록했던 JwtSecurityConfig 클래스를 적용
-                .apply(new JwtSecurityConfig(jwtProvider));
-
+                // apply가 deprecated 되서 JwtRequestFilter에서 직접 설정한 필터를 추가
+                .addFilterBefore(new JwtRequestFilter(jwtProvider), UsernamePasswordAuthenticationFilter.class);
         return http.build();
 
     }