spring/security

#1. Getting started with security

tokkaiiii 2025. 4. 16. 10:58

1. Adding the dependency

  implementation 'org.springframework.boot:spring-boot-starter-security'

Adding this dependency alone is enough to start the auto-configured security features.

It provides a page.

The SecurityProperties class provides a single account:

username: user

password: a random string

The account created from SecurityProperties goes through the inMemoryUserDetailsManager method of the UserDetailsServiceAutoConfiguration class, which creates a User object and manages it.

  @Bean
  public InMemoryUserDetailsManager inMemoryUserDetailsManager(SecurityProperties properties, ObjectProvider<PasswordEncoder> passwordEncoder) {
    SecurityProperties.User user = properties.getUser();
    List<String> roles = user.getRoles();
    return new InMemoryUserDetailsManager(new UserDetails[]{User.withUsername(user.getName()).password(this.getOrDeducePassword(user, (PasswordEncoder)passwordEncoder.getIfAvailable())).roles(StringUtils.toStringArray(roles)).build()});
  }

The default configuration is applied automatically by the SpringBootWebSecurityConfiguration class.

  @ConditionalOnDefaultWebSecurity
  static class SecurityFilterChainConfiguration {
    SecurityFilterChainConfiguration() {
    }

    @Bean
    @Order(2147483642)
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
      http.authorizeHttpRequests((requests) -> ((AuthorizeHttpRequestsConfigurer.AuthorizedUrl)requests.anyRequest()).authenticated());
      http.formLogin(Customizer.withDefaults());
      http.httpBasic(Customizer.withDefaults());
      return (SecurityFilterChain)http.build();
    }
  }

However, it only runs when the conditions below are met.

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package org.springframework.boot.autoconfigure.security;

import org.springframework.boot.autoconfigure.condition.AllNestedConditions;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.ConfigurationCondition.ConfigurationPhase;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

class DefaultWebSecurityCondition extends AllNestedConditions {
  DefaultWebSecurityCondition() {
    super(ConfigurationPhase.REGISTER_BEAN);
  }

  @ConditionalOnClass({SecurityFilterChain.class, HttpSecurity.class})
  static class Classes {
    Classes() {
    }
  }

  @ConditionalOnMissingBean({SecurityFilterChain.class})
  static class Beans {
    Beans() {
    }
  }
}

SecurityFilterChain and HttpSecurity must be on the classpath, and a SecurityFilterChain bean must not have been created.
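An added example (not from the original post or from Spring Boot's source) of a configuration that makes both defaults described above back off: the default filter chain and the generated `user` account. The package, class and bean names, the `/health` path, the `admin` user and the `app.security.admin-password` property are assumptions chosen for illustration.

```java
package com.example.demo; // hypothetical package name

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

  // Any SecurityFilterChain bean fails the @ConditionalOnMissingBean check in
  // DefaultWebSecurityCondition, so defaultSecurityFilterChain is not registered.
  @Bean
  SecurityFilterChain appSecurityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(requests -> requests
        .requestMatchers("/health").permitAll() // hypothetical public endpoint
        .anyRequest().authenticated());
    http.formLogin(Customizer.withDefaults());
    return http.build();
  }

  @Bean
  PasswordEncoder passwordEncoder() {
    return PasswordEncoderFactories.createDelegatingPasswordEncoder();
  }

  // A user-defined UserDetailsService replaces the auto-configured in-memory
  // "user" account. With no default value, startup fails if the property is unset.
  @Bean
  UserDetailsService userDetailsService(PasswordEncoder encoder,
      @Value("${app.security.admin-password}") String rawPassword) {
    return new InMemoryUserDetailsManager(User.withUsername("admin")
        .password(encoder.encode(rawPassword))
        .roles("ADMIN")
        .build());
  }
}
```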