search

kosmo138 / resumate

자기소개서를 세상에서 가장 쉽게 쓰는 방법
https://www.resumate.store
0 stars 0 forks source link

Spring Security 403 오류 #46

Closed suyons closed 3 months ago

suyons commented 3 months ago

Related Commit

https://github.com/kosmo138/resumate/commit/ddd43305b6a9af05664981eadf47721396b51592

Related Issue

https://github.com/kosmo138/resumate/issues/30

문제 상황

  1. POST /api/member 요청에 대해서는 200 OK가 반환되고 있어 문제 없음
  2. GET /api/resume, POST /api/resume 요청에 대해서는 403 Forbidden이 반환되고 있음

문제 해결

1차 시도: Spring Security 비활성화

  1. 보안 설정을 최소화하여 인증 정보가 없는 모든 요청을 허가하도록 변경. 이후 요청 시 403 Forbidden 대신 404 Not Found 표시

SecurityConfig.java

SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .httpBasic((basic) -> basic.disable())
                .csrf((csrf) -> csrf.ignoringRequestMatchers("/api/**"))
                .sessionManagement((session) -> session.disable())
                .formLogin((form) -> form.disable())
                .authorizeHttpRequests((auth) -> auth
                        .anyRequest().permitAll());
        return http.build();
}
  1. application.yml에 다음과 같은 속성을 추가하여 디버그 로깅을 활성화 참고 문서: Enable Logging for Spring Security - Baeldung
logging:
  level:
    org:
      springframework:
        security: DEBUG
  1. Docker 콘솔에서 GET /api/resume 요청 시 다음과 같은 로그를 확인
nginx   | 172.18.0.1 - - [27/Mar/2024:01:34:42 +0000] "GET /api/resume HTTP/1.1" 403 0 "-" "Thunder Client (https://www.thunderclient.com)" "-"
server  | 2024-03-27T01:34:42.068Z DEBUG 42 --- [server] [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
server  | 2024-03-27T01:34:42.068Z DEBUG 42 --- [server] [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
server  | 2024-03-27T01:34:42.069Z DEBUG 42 --- [server] [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
server  | 2024-03-27T01:34:42.069Z DEBUG 42 --- [server] [nio-8080-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://host.docker.internal:8080/error?continue to session
server  | 2024-03-27T01:34:42.069Z DEBUG 42 --- [server] [nio-8080-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
  1. GET /api/resume 요청 시 발생하는 예외 Stack Trace
org.springframework.web.servlet.resource.NoResourceFoundException: No static resource api/resume.
at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.handleRequest(ResourceHttpRequestHandler.java:585)
at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:52)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1089)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:979)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:903)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:564)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365)
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:230)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:1583)
  1. 다음과 같이 Bean: resumeController, Endpoint Mapping: GET /api/resume 설정이 정상 반영됨을 확인했다. 그럼에도 불구하고 404 Not Found가 표시되는 상황은 원인을 알 수가 없다.

VSCode Spring - Endpoint Mappings

2차 시도: 0에서부터 시작하기

  1. GET /api/resume/test 요청을 처리하는 간단한 메서드를 추가

ResumeController.java

@RestController
@RequiredArgsConstructor
@RequestMapping("/api/resume")
public class ResumeController {
    private final ResumeService resumeService;

    @GetMapping(value = "/test", produces = "application/json")
    public String getResumeTest() {
        return resumeService.testJson();
    }

ResumeService.java

// 테스트용 JSON 반환
public String testJson() {
    return jsonBuilder
            .put("status", "success")
            .put("message", "테스트용 JSON")
            .build();
}

응답 Test json response 1

  1. 요청 헤더의 인증 정보 처리

ResumeController.java

@GetMapping(value = "/test", produces = "application/json")
public String getResumeTest(@RequestHeader("authorization") String bearer) {
    return resumeService.testJson(bearer);
}

ResumeService.java

public String testJson(String bearer) {
    return jsonBuilder
            .put("status", "success")
            .put("email", jwtConfig.getEmailFromToken(bearer.substring(7)))
            .build();
}

응답

Test json response 2

  1. 기존에 선언한 메서드와 똑같이 변경

ResumeController.java

@GetMapping(value = "/", produces = "application/json")
    public ResponseEntity<String> getResume(@RequestHeader("authorization") String bearer) {
        return resumeService.selectResumeHead(bearer);
    }

ResumeService.java

public String testJson(String bearer) 삭제

응답

Test json response 3

  1. GET 요청은 200 OK를 정상적으로 반환하나, POST 요청은 여전히 403 Forbidden을 반환한다.

post forbidden

3차 시도: POST 요청에 대한 코드도 0부터 시작하기

  1. 입력받은 JSON 그대로 출력하기

ResumeController.java

@PostMapping(value = "/")
public ResponseEntity<String> postResume(@RequestBody String entity) {
    return ResponseEntity.ok(entity);
}
  1. 토큰에서 이메일 추출하기

ResumeController.java

@PostMapping(value = "/", consumes = "application/json", produces = "application/json")
public ResponseEntity<String> postResume(@RequestHeader("authorization") String bearer,
        @RequestBody String entity) {
    System.out.println("[Debug] entity: " + entity);
    return resumeService.testJson(bearer);
}

ResumeService.java

public ResponseEntity<String> testJson(String bearer) {
    String responseJson = jsonBuilder
            .put("status", "success")
            .put("email", jwtConfig.getEmailFromToken(bearer.substring(7)))
            .build();
    return ResponseEntity.ok().body(responseJson);
}

응답

Post 200

Docker 터미널

server  | 2024-03-27T03:22:33.013Z  INFO 42 --- [server] [nio-8080-exec-1] o.a.c.c.C.[Tomcat-2].[localhost].[/]     : Initializing Spring DispatcherServlet 'dispatcherServlet'
server  | 2024-03-27T03:22:33.014Z  INFO 42 --- [server] [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
server  | 2024-03-27T03:22:33.014Z  INFO 42 --- [server] [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 0 ms
server  | 2024-03-27T03:22:33.015Z DEBUG 42 --- [server] [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /api/resume/
server  | 2024-03-27T03:22:33.015Z DEBUG 42 --- [server] [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Secured POST /api/resume/
server  | [Debug] entity: {
server  |   "title": "test title",
server  |   "content": {
server  |     "section1": "hello 1",
server  |     "section2": "hello 2"
server  |   }
server  | }
server  | 2024-03-27T03:22:33.033Z DEBUG 42 --- [server] [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
nginx   | 172.18.0.1 - - [27/Mar/2024:03:22:33 +0000] "POST /api/resume/ HTTP/1.1" 200 44 "-" "Thunder Client (https://www.thunderclient.com)" "-"

4차 시도: 원인 발견

Request payload

{
  "title": "제목",
  "careerData": [
    { "date": "2019-08 ~ 2020-10", "content": "경력1" },
    { "date": "2019-08 ~ 2020-10", "content": "경력2" }
  ],
  "careerText": "경력 세부내용",
  "education": [
    { "date": "2019-08 ~ 2020-10", "content": "학력1" },
    { "date": "2019-08 ~ 2020-10", "content": "학력2" }
  ],
  "skill": "스킬 세부내용",
  "award": [
    { "date": "2019-08 ~ 2020-10", "content": "수상1" },
    { "date": "2019-08 ~ 2020-10", "content": "수상2" }
  ],
  "language": "외국어 세부내용"
}

DTO Resume

public class Resume {
    private int id;
    private String email;
    private String title;
    private String content;
    private Date modified;
}

TABLE member

Field Type Null Key Default Extra
id int NO PRI NULL auto_increment
email varchar(30) NO MUL NULL
title varchar(100) NO NULL
content json YES NULL
modified timestamp YES CURRENT_TIMESTAMP DEFAULT_GENERATED

Type problem (1) Javascript object to Java String: ERROR

{ "title": "제목", "career": { ... } } -> Resume

(2) Java String to MySQL JSON: ERROR

Resume -> JSON

문제 수정을 위해 Type을 String으로 통일

Resume.java

public class Resume {
    private int id;
    private String email;
    private String title;
    private String content;
    private Date modified;
}

ResumeController.java

@PostMapping(value = "/", consumes = "application/json", produces = "application/json")
public ResponseEntity<String> postResume(@RequestHeader("authorization") String bearer,
        @RequestBody String resume) {
    return resumeService.insertResume(bearer, resume);
}

ResumeService.java

// 컨트롤러: 이력서 추가
public ResponseEntity<String> insertResume(String bearer, String resume) {
    String token = bearer.substring(7);
    String email = jwtConfig.getEmailFromToken(token);

    if (!isLoggedin(bearer)) {
        String responseJson = jsonBuilder
                .put("status", "fail")
                .put("message", "권한이 없습니다.")
                .build();
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(responseJson);
    } else {
        Resume newResume = new Resume();
        newResume.setEmail(email);
        newResume.setTitle(getTitleFromJson(resume));
        newResume.setContent(resume);
        resumeMapper.insertResume(newResume);
        String responseJson = jsonBuilder
                .put("status", "success")
                .put("message", "이력서가 추가되었습니다.")
                .build();
        return ResponseEntity.ok().body(responseJson);
    }
}

ResumeMapper.java

@Mapper
public interface ResumeMapper {
    // ...
    void insertResume(Resume resume);
    // ...
}

resume-mapper.xml

<insert id="insertResume" parameterType="resumate.server.dto.Resume">
  INSERT INTO resume (email, title, content) VALUES (#{email}, #{title}, #{content})
</insert>

결과

Solved

suyons commented 3 months ago

Close #46

Related Commit https://github.com/kosmo138/resumate/commit/afa6f841f24e0bd9f5dab2e80617ca4e77bb4018