Pyohwan / english-study


Spring Boot Features : 9 #29

Open Pyohwan opened 4 years ago

Pyohwan commented 4 years ago

https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-security

# 9. Security

## 9.1. MVC Security

## 9.2. WebFlux Security

```java
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    return http
        .authorizeExchange()
            .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .pathMatchers("/foo", "/bar")
                .authenticated().and()
            .formLogin().and()
        .build();
}
```

## 9.3. OAuth2

### 9.3.1. Client

```properties
spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri=https://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code
```

```properties
spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=https://my-auth-server/oauth/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=https://my-auth-server/oauth/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=https://my-auth-server/userinfo
spring.security.oauth2.client.provider.my-oauth-provider.user-info-authentication-method=header
spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=https://my-auth-server/token_keys
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name
```

* For OpenID, the configuration becomes much simpler

```properties
spring.security.oauth2.client.provider.oidc-provider.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/
```

* By default the OAuth2 matching path is `/login/oauth2/code/*`, but it can be changed

OAuth2 client registration for common providers

```properties
spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=password
```


### 9.3.2. Resource Server
* Auto-configured if `spring-security-oauth2-resource-server` is on the classpath
* JWT configuration is needed: either a JWK Set URI or an OIDC Issuer URI must be set

```properties
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://example.com/oauth2/default/v1/keys
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/
```


### 9.3.3. Authorization Server
* Spring Security does not currently support an OAuth 2.0 Authorization Server
  * For now, use the Spring Security OAuth project
  * But Spring Security will support it later.

## 9.4. SAML 2.0
* `spring-security-saml2-service-provider` must be on the classpath
* Written as IDP (Identity Provider) / SP (Service Provider) pairs

```properties
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party1.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party1.identityprovider.verification.credentials[0].certificate-location=path-to-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party1.identityprovider.entity-id=remote-idp-entity-id1
spring.security.saml2.relyingparty.registration.my-relying-party1.identityprovider.sso-url=https://remoteidp1.sso.url
```

```properties
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].private-key-location=path-to-private-key
spring.security.saml2.relyingparty.registration.my-relying-party2.signing.credentials[0].certificate-location=path-to-certificate
spring.security.saml2.relyingparty.registration.my-relying-party2.identityprovider.verification.credentials[0].certificate-location=path-to-other-verification-cert
spring.security.saml2.relyingparty.registration.my-relying-party2.identityprovider.entity-id=remote-idp-entity-id2
spring.security.saml2.relyingparty.registration.my-relying-party2.identityprovider.sso-url=https://remoteidp2.sso.url
```



## 9.5. Actuator Security
* For security reasons, `/health` and `/info` are disabled by default
  * Enable them with `management.endpoints.web.exposure.include`
### 9.5.1. Cross Site Request Forgery Protection
* CSRF protection is enabled by default.
  * POST, PUT and DELETE requests to actuator endpoints can get a 403.
> It is recommended to disable CSRF protection only when using non-browser clients.

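As an added example (not code from the Spring Boot reference or from this issue), the WebFlux configuration below combines the points in this comment: static resources and the health endpoint are public, every other actuator endpoint requires a token carrying an `actuator` scope (a constructed scope name), all remaining requests need a JWT validated against the `spring.security.oauth2.resourceserver.jwt.*` settings from 9.3.2, and CSRF protection is left at its default. It assumes Spring Boot 2.2+ with Spring Security 5.2+ and both `spring-boot-starter-actuator` and `spring-security-oauth2-resource-server` on the classpath; `ApiSecurityConfig` and `apiSecurityFilterChain` are hypothetical names.

```java
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.autoconfigure.security.reactive.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Hypothetical configuration class (added example, not from the Spring Boot reference).
@Configuration
@EnableWebFluxSecurity
public class ApiSecurityConfig {

    @Bean
    public SecurityWebFilterChain apiSecurityFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange()
                // Static resources at the usual locations are public.
                .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                // /actuator/health stays readable for load balancers and liveness probes.
                .matchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Every other actuator endpoint needs a token whose "scope" claim contains
                // "actuator" (constructed scope name). Spring Security's default JWT converter
                // maps scope claims to authorities with the SCOPE_ prefix.
                .matchers(EndpointRequest.toAnyEndpoint()).hasAuthority("SCOPE_actuator")
                // Everything else just needs a valid bearer token.
                .anyExchange().authenticated()
                .and()
            // Accept JWT bearer tokens; the JWK set / issuer come from
            // spring.security.oauth2.resourceserver.jwt.* (section 9.3.2).
            .oauth2ResourceServer(OAuth2ResourceServerSpec::jwt)
            // CSRF protection is deliberately left at its default (enabled); the note above
            // only recommends turning it off for pure non-browser clients.
            .build();
    }
}
```

Because actuator endpoints are matched with `EndpointRequest` rather than a hard-coded `/actuator/**` path, the rule keeps working if `management.endpoints.web.base-path` is changed, and any endpoint newly exposed through `management.endpoints.web.exposure.include` is covered by the scope check automatically.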
Pyohwan commented 4 years ago

# 10. Working with SQL Databases

## 10.1. Configure a DataSource

Pyohwan commented 4 years ago

# 11. Working with NoSQL Technologies

## 11.1. Redis

### 11.1.1. Connecting to Redis

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.stereotype.Component;

@Component
public class MyBean {

    // Auto-configured by Spring Boot when spring-boot-starter-data-redis is present
    private StringRedisTemplate template;

    @Autowired
    public MyBean(StringRedisTemplate template) {
        this.template = template;
    }

    // ...

}
```

## 11.2. MongoDB

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.mongodb.MongoDbFactory;
import org.springframework.stereotype.Component;

import com.mongodb.client.MongoDatabase;

@Component
public class MyBean {

    // Auto-configured factory for the MongoDB client connection
    private final MongoDbFactory mongo;

    @Autowired
    public MyBean(MongoDbFactory mongo) {
        this.mongo = mongo;
    }

    // ...

    public void example() {
        // getDb() returns a MongoDatabase in Spring Data MongoDB 2.x
        MongoDatabase db = mongo.getDb();
        // ...
    }

}
```

* The URL can be changed

```properties
spring.data.mongodb.uri=mongodb://user:secret@mongo1.example.com:12345,mongo2.example.com:23456/test
```


### 11.2.2. MongoTemplate
* Provides a `MongoTemplate`, similar to `JdbcTemplate`.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.stereotype.Component;

@Component
public class MyBean {

    private final MongoTemplate mongoTemplate;

    @Autowired
    public MyBean(MongoTemplate mongoTemplate) {
        this.mongoTemplate = mongoTemplate;
    }

    // ...

}
```

### 11.2.3. Spring Data MongoDB Repositories

```java
import org.springframework.data.domain.*;
import org.springframework.data.repository.*;

public interface CityRepository extends Repository<City, Long> {

    Page<City> findAll(Pageable pageable);

    City findByNameAndStateAllIgnoringCase(String name, String state);

}
```


### 11.2.4. Embedded Mongo
* Embedded Mongo is also supported
* Requires adding the `de.flapdoodle.embed:de.flapdoodle.embed.mongo` dependency
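As an added example, not code from the Spring Boot reference or this issue, the service below shows the kind of lookup the MongoTemplate and repository sections describe, written against the auto-configured `MongoTemplate` with the typed `Criteria`/`Query` API so that user-supplied strings are bound as plain values and never spliced into a JSON query string. The `City` document, the `cities` collection name, `CityLookupService` and its method names are assumptions; it requires `spring-boot-starter-data-mongodb`.

```java
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.data.annotation.Id;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.core.query.Query;
import org.springframework.stereotype.Service;

// Hypothetical document type mapped to a constructed "cities" collection.
@Document(collection = "cities")
class City {
    @Id
    private String id;
    private String name;
    private String state;

    public String getId() { return id; }
    public String getName() { return name; }
    public String getState() { return state; }
}

// Hypothetical service; MongoTemplate is injected by Spring Boot's auto-configuration.
@Service
public class CityLookupService {

    private final MongoTemplate mongoTemplate;

    public CityLookupService(MongoTemplate mongoTemplate) {
        this.mongoTemplate = mongoTemplate;
    }

    // Hand-written equivalent of the repository's findByNameAndStateAllIgnoringCase.
    // Criteria serialises the values as BSON, so input such as {"$ne": null} arrives at
    // the server as a literal string and is never interpreted as a query operator.
    public City findByNameAndStateIgnoringCase(String name, String state) {
        Query query = new Query(Criteria.where("name").regex(exactIgnoringCase(name))
                .and("state").regex(exactIgnoringCase(state)));
        return mongoTemplate.findOne(query, City.class);
    }

    // Paged list of cities in one state, the template-level counterpart of
    // Page<City> findAll(Pageable) on the repository.
    public List<City> findByState(String state, int page, int size) {
        Query query = new Query(Criteria.where("state").is(state))
                .with(PageRequest.of(page, size));
        return mongoTemplate.find(query, City.class);
    }

    // Anchored, quoted pattern: regex metacharacters in user input are matched literally
    // instead of widening the match or producing an expensive pattern.
    private static Pattern exactIgnoringCase(String value) {
        return Pattern.compile("^" + Pattern.quote(value) + "$", Pattern.CASE_INSENSITIVE);
    }
}
```

The case-insensitive lookup goes through `Pattern.quote` on purpose: a `$regex` built by concatenating raw input would let a caller supply `.*` or a catastrophic backtracking pattern, whereas the quoted, anchored form only ever matches the exact string the caller sent.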