3. Give members a role and restrict access per controller
@Bean
@Order(SecurityProperties.BASIC_AUTH_ORDER)
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.cors();
    http.csrf().disable() // acceptable only because the session is STATELESS and auth is a bearer JWT, not a cookie
        .exceptionHandling()
        .authenticationEntryPoint(authenticationEntryPointException) // no / invalid token
        .accessDeniedHandler(accessDeniedHandlerException)           // valid token, but role is missing
        .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers("/api/member/**").permitAll()
        .antMatchers("/api/post/**").permitAll()
        .antMatchers("/api/comment/**").permitAll()
        // hasRole / hasAnyRole prepend "ROLE_" themselves: pass "ADMIN", not "ROLE_ADMIN"
        // ("ROLE_ADMIN" would be checked as "ROLE_ROLE_ADMIN" and match nobody)
        .antMatchers("/api/auth/**").hasAnyRole("ADMIN", "MEMBER")
        .antMatchers("/api/admin/**").hasRole("ADMIN")
        .antMatchers("/v2/api-docs",
                     "/swagger-resources",
                     "/swagger-resources/**",
                     "/configuration/ui",
                     "/configuration/security",
                     "/swagger-ui.html",
                     "/webjars/**",
                     "/v3/api-docs/**",
                     "/swagger-ui/**").permitAll()
        .anyRequest().authenticated()
        .and()
        .addFilter(corsConfig.corsFilter())
        .apply(new JwtSecurityConfiguration(SECRET_KEY, tokenProvider, userDetailsService));
    return http.build();
}
Register the URLs that need a role with the hasRole / hasAnyRole matchers Spring Security provides. Both matchers add the ROLE_ prefix on their own, so the argument is the bare role name: passing "ROLE_ADMIN" makes the rule look for ROLE_ROLE_ADMIN, which no user ever has, so the path is locked for everyone instead of restricted to admins. (The earlier "ROlE_ADMIN", with a lowercase l, was a second reason the admin rule could never match.)
    .antMatchers("/api/auth/**").hasAnyRole("ADMIN", "MEMBER")
    .antMatchers("/api/admin/**").hasRole("ADMIN")
Convert the member's role into the type Spring Security expects (GrantedAuthority) in the UserDetails implementation. The enum constants keep the ROLE_ prefix, because that prefixed string is exactly what hasRole("ADMIN") compares against on the authenticated principal.
public enum Authority {
    ROLE_ADMIN,
    ROLE_MEMBER,
    ROLE_GUEST
}

// In the UserDetails implementation that wraps Member
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
    Authority memberRole = member.getRole();
    // name() yields "ROLE_ADMIN" / "ROLE_MEMBER" / "ROLE_GUEST", matching the prefix hasRole expects
    SimpleGrantedAuthority authority = new SimpleGrantedAuthority(memberRole.name());
    Collection<GrantedAuthority> authorities = new ArrayList<>();
    authorities.add(authority);
    return authorities;
}
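The quickest way to confirm that the matchers above and the getAuthorities() mapping agree is a MockMvc test that drives each rule with a principal carrying the role it expects. The test below is an added example, not code from the original post: the endpoint paths /api/auth/me, /api/admin/members and /api/post/1 are hypothetical and assume controllers exist for them, spring-security-test must be on the test classpath, and the 401/403 expectations assume the two custom handlers wired into filterChain() return those status codes.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Added example (not part of the original post). Exercises the antMatcher rules
// from filterChain() with mock principals. Paths are hypothetical; requires
// spring-security-test. A regression in the role prefix, e.g. hasRole("ROLE_ADMIN")
// or the "ROlE_ADMIN" typo, makes the first two tests fail because nobody would
// satisfy such a rule.
@SpringBootTest
@AutoConfigureMockMvc
class RoleAccessTest {

    @Autowired
    private MockMvc mockMvc;

    // @WithMockUser(roles = "ADMIN") stores the authority "ROLE_ADMIN", the same
    // string Authority.ROLE_ADMIN.name() produces in getAuthorities().
    @Test
    @WithMockUser(roles = "ADMIN")
    void adminReachesAdminApi() throws Exception {
        mockMvc.perform(get("/api/admin/members"))
               .andExpect(status().isOk());
    }

    @Test
    @WithMockUser(roles = "MEMBER")
    void memberReachesAuthApi() throws Exception {
        mockMvc.perform(get("/api/auth/me"))
               .andExpect(status().isOk());
    }

    // Authenticated but without the required role: accessDeniedHandlerException runs (assumed 403).
    @Test
    @WithMockUser(roles = "MEMBER")
    void memberIsForbiddenOnAdminApi() throws Exception {
        mockMvc.perform(get("/api/admin/members"))
               .andExpect(status().isForbidden());
    }

    // GUEST is not in hasAnyRole("ADMIN", "MEMBER"), so it is denied as well.
    @Test
    @WithMockUser(roles = "GUEST")
    void guestIsForbiddenOnAuthApi() throws Exception {
        mockMvc.perform(get("/api/auth/me"))
               .andExpect(status().isForbidden());
    }

    // No principal at all: authenticationEntryPointException runs (assumed 401).
    @Test
    void anonymousIsUnauthorizedOnAuthApi() throws Exception {
        mockMvc.perform(get("/api/auth/me"))
               .andExpect(status().isUnauthorized());
    }

    // permitAll paths stay reachable without any token.
    @Test
    void anonymousCanReadPosts() throws Exception {
        mockMvc.perform(get("/api/post/1"))
               .andExpect(status().isOk());
    }
}
```

@WithMockUser(roles = "MEMBER") places the authority ROLE_MEMBER in the SecurityContext, which is exactly the string getAuthorities() emits for Authority.ROLE_MEMBER, so the test performs the same comparison hasRole does in production. Token parsing is bypassed by the mock principal and needs its own test against the JWT filter.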