[refactor/#350] WebSecurityConfigurerAdapter → SecurityFilterChain 마이그레이션 및 보안 설정 강화

Author: agree0002

module-auth/src/main/java/com/inhabas/api/auth/config/AuthBeansConfig.java

@@ -4,6 +4,7 @@
 
 import lombok.RequiredArgsConstructor;
 
+import org.springframework.boot.ApplicationRunner;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -35,6 +36,11 @@ public class AuthBeansConfig {
   private final AuthProperties authProperties;
   private final RefreshTokenRepository refreshTokenRepository;
 
+  @Bean
+  public ApplicationRunner jwtSecretKeyStrengthChecker(JwtTokenUtil jwtTokenUtil) {
+    return args -> jwtTokenUtil.validateSecretKeyStrength();
+  }
+
   @Bean
   public HttpCookieOAuth2AuthorizationRequestRepository
       httpCookieOAuth2AuthorizationRequestRepository() {

module-auth/src/main/java/com/inhabas/api/auth/config/AuthSecurityConfig.java

@@ -2,13 +2,17 @@
 
 import lombok.RequiredArgsConstructor;
 
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.web.cors.CorsUtils;
 
 import com.inhabas.api.auth.domain.oauth2.CustomOAuth2UserService;
@@ -18,9 +22,10 @@
 
 @Order(0) // 인증 관련 security filter chain 은 우선순위가 가장 높아야 함.
 @EnableWebSecurity
+@Configuration
 @RequiredArgsConstructor
 @Profile({"dev1", "dev2", "local", "prod1", "prod2"}) // 테스트에는 포함시키지 않음.
-public class AuthSecurityConfig extends WebSecurityConfigurerAdapter {
+public class AuthSecurityConfig {
 
   private final CustomOAuth2UserService customOAuth2UserService;
   private final OAuth2AuthorizedClientService authorizedClientService;
@@ -29,62 +34,40 @@ public class AuthSecurityConfig extends WebSecurityConfigurerAdapter {
   private final HttpCookieOAuth2AuthorizationRequestRepository
       httpCookieOAuth2AuthorizationRequestRepository;
 
-  /**
-   * 소셜 로그인 api <br>
-   * <br>
-   * 진행과정은 아래와 같다.<br>
-   *
-   * <ol>
-   *   <li>사용자가 소셜로그인 시작. (프론트에서 redirect_url 보내줘야함.)
-   *   <li>OAuth2 인증 진행 -> 기존 회원인지 검사
-   *       <ol style="list-style-type:lower-alpha">
-   *         <li>성공 -> OAuth2AuthenticationSuccessHandler
-   *             <ol>
-   *               <li>프론트에서 보내준 redirect_url 검증 (-> 실패하면 failure handler 에서 처리)
-   *               <li>jwt 토큰 발급 및 로그인 처리
-   *               <li>리다이렉트
-   *             </ol>
-   *         <li>실패 -> OAuth2AuthenticationFailureHandler
-   *       </ol>
-   * </ol>
-   *
-   * 회원가입이나, jwt 토큰 발급을 위한 url 로 함부로 접근할 수 없게 하기 위해 jwt 토근이 발급되기 이전까지는 OAuth2 인증 결과를 세션을 통해서 유지함.
-   * 따라서 critical 한 url 에 대해서 OAuth2 인증이 완료된 세션에 한해서만 허용.
-   */
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+  @Bean
+  @Order(0)
+  public SecurityFilterChain authSecurityFilterChain(HttpSecurity http) throws Exception {
 
-    http.requestMatchers()
-        .antMatchers("/login/**")
-        .and()
+    http
+        // /login/** 경로에만 이 보안 체인 적용
+        .requestMatcher(new AntPathRequestMatcher("/login/**"))
         // 세션 생성 금지
-        .sessionManagement()
-        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-        .and()
-        .cors()
-        .and()
-        .authorizeRequests()
-        .requestMatchers(CorsUtils::isPreFlightRequest)
-        .permitAll()
-        .anyRequest()
-        .permitAll()
-        .and()
-        .csrf()
-        .disable()
-
+        .sessionManagement(
+            session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+        .cors(cors -> {})
+        .csrf(AbstractHttpConfigurer::disable)
+        .authorizeHttpRequests(
+            authorize ->
+                authorize
+                    .requestMatchers(request -> CorsUtils.isPreFlightRequest(request))
+                    .permitAll()
+                    .anyRequest()
+                    .permitAll())
         // Oauth 로그인 설정
-        .oauth2Login()
-        .authorizedClientService(authorizedClientService)
-        .authorizationEndpoint()
-        .baseUri("/login/oauth2/authorization")
-        .authorizationRequestRepository(httpCookieOAuth2AuthorizationRequestRepository)
-        .and()
+        .oauth2Login(
+            oauth2 ->
+                oauth2
+                    .authorizedClientService(authorizedClientService)
+                    .authorizationEndpoint(
+                        authorization ->
+                            authorization
+                                .baseUri("/login/oauth2/authorization")
+                                .authorizationRequestRepository(
+                                    httpCookieOAuth2AuthorizationRequestRepository))
+                    .userInfoEndpoint(userInfo -> userInfo.userService(customOAuth2UserService))
+                    .failureHandler(oauth2AuthenticationFailureHandler)
+                    .successHandler(oauth2AuthenticationSuccessHandler));
 
-        // 사용자 정보를 가져오는 엔드포인트에 대한 설정
-        .userInfoEndpoint()
-        .userService(customOAuth2UserService)
-        .and()
-        .failureHandler(oauth2AuthenticationFailureHandler)
-        .successHandler(oauth2AuthenticationSuccessHandler);
+    return http.build();
   }
 }

module-auth/src/main/java/com/inhabas/api/auth/domain/oauth2/cookie/CookieUtils.java

@@ -1,5 +1,6 @@
 package com.inhabas.api.auth.domain.oauth2.cookie;
 
+import java.time.Duration;
 import java.util.Base64;
 import java.util.Objects;
 import java.util.Optional;
@@ -8,19 +9,36 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.http.ResponseCookie;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.util.SerializationUtils;
 
 import io.micrometer.core.instrument.util.StringUtils;
 
 public interface CookieUtils {
 
+  enum SameSite {
+    LAX("Lax"),
+    STRICT("Strict"),
+    NONE("None");
+    private final String value;
+
+    SameSite(String v) {
+      this.value = v;
+    }
+
+    @Override
+    public String toString() {
+      return value;
+    }
+  }
+
   /** request 에 담겨 있는 쿠키를 꺼낸다. */
   static Optional<Cookie> resolveCookie(HttpServletRequest request, String cookieName) {
 
     Cookie[] cookies = request.getCookies();
 
-    if (cookies != null && cookies.length > 0) {
+    if (cookies != null) {
       for (Cookie cookie : cookies) {
         if (cookie.getName().equals(cookieName)) {
           return Optional.of(cookie);
@@ -31,38 +49,80 @@ static Optional<Cookie> resolveCookie(HttpServletRequest request, String cookieN
     return Optional.empty();
   }
 
-  /** 쿠키를 지우는 작업은 없고, maxAge 를 0으로 설정해서 브라우저가 파기하도록 한다. */
+  /** 기본 삭제: SameSite=Lax, Secure=request.isSecure(), path="/" 로 설정하여 Max-Age=0 으로 파기. */
   static void deleteCookie(
       HttpServletRequest request, HttpServletResponse response, String cookieName) {
 
-    Cookie[] cookies = request.getCookies();
-    if (cookies != null && cookies.length > 0) {
-      for (Cookie cookie : cookies) {
-        if (cookie.getName().equals(cookieName)) {
-          cookie.setValue("");
-          cookie.setPath("/");
-          cookie.setMaxAge(0);
-          response.addCookie(cookie);
-          break;
-        }
-      }
+    // 동일 이름 쿠키를 빈 값과 Max-Age=0 으로 덮어써서 삭제
+    deleteCookie(request, response, cookieName, SameSite.LAX, null);
+  }
+
+  /**
+   * 생성 시와 동일한 속성으로 삭제할 수 있도록 SameSite/Secure 를 제어하는 오버로드. secure=null 이면 request.isSecure() 사용.
+   * SameSite=None 이면 Secure=true 강제.
+   */
+  static void deleteCookie(
+      HttpServletRequest request,
+      HttpServletResponse response,
+      String cookieName,
+      SameSite sameSite,
+      Boolean secure) {
+
+    boolean secureFlag = secure != null ? secure : request.isSecure();
+    if (sameSite == SameSite.NONE && !secureFlag) {
+      // 브라우저 정책: SameSite=None 은 Secure 필요. 강제 상승.
+      secureFlag = true;
     }
+
+    ResponseCookie rc =
+        ResponseCookie.from(cookieName, "")
+            .path("/")
+            .httpOnly(true)
+            .secure(secureFlag)
+            .maxAge(Duration.ZERO)
+            .sameSite(sameSite.toString())
+            .build();
+    response.addHeader("Set-Cookie", rc.toString());
+  }
+
+  /** 기본값: SameSite=Lax, Secure=request.isSecure() */
+  static void setCookie(
+      HttpServletRequest request,
+      HttpServletResponse response,
+      String cookieName,
+      String cookieContents,
+      int maxAge) {
+    setCookie(request, response, cookieName, cookieContents, maxAge, SameSite.LAX, null);
   }
 
   /**
-   * @param response 응답에 쿠키를 적어서 보내줌
-   * @param cookieName key
-   * @param cookieContents value
-   * @param maxAge 초 단위
+   * SameSite/Secure 를 제어할 수 있는 오버로드. secure=null 이면 request.isSecure() 사용. SameSite=None 이면
+   * Secure=true 강제.
    */
   static void setCookie(
-      HttpServletResponse response, String cookieName, String cookieContents, int maxAge) {
+      HttpServletRequest request,
+      HttpServletResponse response,
+      String cookieName,
+      String cookieContents,
+      int maxAge,
+      SameSite sameSite,
+      Boolean secure) {
+
+    boolean secureFlag = secure != null ? secure : request.isSecure();
+    if (sameSite == SameSite.NONE && !secureFlag) {
+      // 브라우저 정책: SameSite=None 은 Secure 필요. 강제 상승.
+      secureFlag = true;
+    }
 
-    Cookie cookie = new Cookie(cookieName, cookieContents);
-    cookie.setPath("/");
-    cookie.setHttpOnly(true);
-    cookie.setMaxAge(maxAge);
-    response.addCookie(cookie);
+    ResponseCookie rc =
+        ResponseCookie.from(cookieName, cookieContents)
+            .path("/")
+            .httpOnly(true)
+            .secure(secureFlag)
+            .maxAge(Duration.ofSeconds(Math.max(0, maxAge)))
+            .sameSite(sameSite.toString())
+            .build();
+    response.addHeader("Set-Cookie", rc.toString());
   }
 
   /**
@@ -82,9 +142,14 @@ static String serialize(OAuth2AuthorizationRequest request) {
   static <T> T deserialize(Cookie cookie, Class<T> clz) {
 
     if (isDeleted(cookie)) return null;
-    else
-      return clz.cast(
-          SerializationUtils.deserialize(Base64.getUrlDecoder().decode(cookie.getValue())));
+    else {
+      try {
+        return clz.cast(
+            SerializationUtils.deserialize(Base64.getUrlDecoder().decode(cookie.getValue())));
+      } catch (RuntimeException ex) { // Base64 decoding error or deserialization error
+        return null;
+      }
+    }
   }
 
   private static boolean isDeleted(Cookie cookie) {

module-auth/src/main/java/com/inhabas/api/auth/domain/oauth2/cookie/HttpCookieOAuth2AuthorizationRequestRepository.java

@@ -35,19 +35,34 @@ public void saveAuthorizationRequest(
       HttpServletRequest request,
       HttpServletResponse response) {
     if (authorizationRequest == null) {
-      CookieUtils.deleteCookie(request, response, OAUTH2_AUTHORIZATION_REQUEST_COOKIE_NAME);
-      CookieUtils.deleteCookie(request, response, REDIRECT_URL_PARAM_COOKIE_NAME);
+      CookieUtils.deleteCookie(
+          request,
+          response,
+          OAUTH2_AUTHORIZATION_REQUEST_COOKIE_NAME,
+          CookieUtils.SameSite.LAX,
+          null);
+      CookieUtils.deleteCookie(
+          request, response, REDIRECT_URL_PARAM_COOKIE_NAME, CookieUtils.SameSite.LAX, null);
       return;
     }
     CookieUtils.setCookie(
+        request,
         response,
         OAUTH2_AUTHORIZATION_REQUEST_COOKIE_NAME,
         CookieUtils.serialize(authorizationRequest),
-        cookieExpireSeconds);
+        cookieExpireSeconds,
+        CookieUtils.SameSite.LAX,
+        null);
     String redirectUrlAfterLogin = request.getParameter(REDIRECT_URL_PARAM_COOKIE_NAME);
     if (StringUtils.isNotBlank(redirectUrlAfterLogin)) {
       CookieUtils.setCookie(
-          response, REDIRECT_URL_PARAM_COOKIE_NAME, redirectUrlAfterLogin, cookieExpireSeconds);
+          request,
+          response,
+          REDIRECT_URL_PARAM_COOKIE_NAME,
+          redirectUrlAfterLogin,
+          cookieExpireSeconds,
+          CookieUtils.SameSite.LAX,
+          null);
     }
   }
 
@@ -68,14 +83,25 @@ public OAuth2AuthorizationRequest removeAuthorizationRequest(
 
     // 쿠키 삭제하기 전에 쿠키 문자열을 객체로 변환
     OAuth2AuthorizationRequest authorizationRequest = this.loadAuthorizationRequest(request);
-    CookieUtils.deleteCookie(request, response, OAUTH2_AUTHORIZATION_REQUEST_COOKIE_NAME);
+    CookieUtils.deleteCookie(
+        request,
+        response,
+        OAUTH2_AUTHORIZATION_REQUEST_COOKIE_NAME,
+        CookieUtils.SameSite.LAX,
+        null);
 
     return authorizationRequest;
   }
 
   /** redirect_url이 담긴 쿠키는 인증이 완전히 완료된 후에 제거되어야함. */
   public void clearCookies(HttpServletRequest request, HttpServletResponse response) {
-    CookieUtils.deleteCookie(request, response, OAUTH2_AUTHORIZATION_REQUEST_COOKIE_NAME);
-    CookieUtils.deleteCookie(request, response, REDIRECT_URL_PARAM_COOKIE_NAME);
+    CookieUtils.deleteCookie(
+        request,
+        response,
+        OAUTH2_AUTHORIZATION_REQUEST_COOKIE_NAME,
+        CookieUtils.SameSite.LAX,
+        null);
+    CookieUtils.deleteCookie(
+        request, response, REDIRECT_URL_PARAM_COOKIE_NAME, CookieUtils.SameSite.LAX, null);
   }
 }