feat: spring security whitelist filtering (#20)

* dev: whitelist url consts

* dev: whitelist method and url pair class

* dev: security exception remove token cookie & whitelist check

* test: mocking servlet req/resp for authFilter

* dev: request null check before whitelist pass

* dev: remove request null check in filter

Author: ghkdqhrbals

bm-controller/src/main/java/org/benchmarker/security/JwtAuthFilter.java

@@ -2,17 +2,21 @@
 
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
+import org.benchmarker.security.util.MethodUrlPair;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
 
 import static org.benchmarker.security.constant.TokenConsts.ACCESS_TOKEN_COOKIE_NAME;
+import static org.benchmarker.security.constant.URLConsts.WHITE_LIST_URLS;
 
 @Slf4j
 public class JwtAuthFilter extends OncePerRequestFilter {
@@ -30,18 +34,34 @@ public JwtAuthFilter(BMUserDetailsService userDetailsService,
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
         FilterChain filterChain) throws ServletException, IOException {
-        String userId = jwtTokenProvider.validateTokenAndGetUserId(request,
-            ACCESS_TOKEN_COOKIE_NAME);
-        if (userId != null) {
-            log.info("userId : {}", userId);
-
-            UserDetails userDetails = userDetailsService.loadUserByUsername(userId);
-            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
-                userDetails, null, userDetails.getAuthorities());
-            SecurityContextHolder.getContext().setAuthentication(auth);
-
-            log.info("SecurityContextHolder.getContext().getAuthentication() : {}",
-                SecurityContextHolder.getContext().getAuthentication());
+
+        for (MethodUrlPair methodUrlPair : WHITE_LIST_URLS) {
+            if (methodUrlPair.getMethod().contains(request.getMethod()) &&
+                methodUrlPair.getUrl().equals(request.getRequestURI())) {
+                filterChain.doFilter(request, response);
+                return;
+            }
+        }
+
+        try {
+            String userId = jwtTokenProvider.validateTokenAndGetUserId(request,
+                ACCESS_TOKEN_COOKIE_NAME);
+            if (userId != null) {
+                UserDetails userDetails = userDetailsService.loadUserByUsername(userId);
+                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
+                    userDetails, null, userDetails.getAuthorities());
+                SecurityContextHolder.getContext().setAuthentication(auth);
+
+                log.info("SecurityContextHolder.getContext().getAuthentication() : {}",
+                    SecurityContextHolder.getContext().getAuthentication());
+            }
+        } catch (UsernameNotFoundException ex) {
+            Cookie cookie = new Cookie(ACCESS_TOKEN_COOKIE_NAME, null);
+            cookie.setPath("/");
+            cookie.setMaxAge(0);
+            response.addCookie(cookie);
+            response.sendRedirect("/");
+            return;
         }
 
         filterChain.doFilter(request, response);

bm-controller/src/main/java/org/benchmarker/security/constant/URLConsts.java

@@ -0,0 +1,14 @@
+package org.benchmarker.security.constant;
+
+import java.util.Arrays;
+import java.util.List;
+import org.benchmarker.security.util.MethodUrlPair;
+
+public interface URLConsts {
+
+    List<MethodUrlPair> WHITE_LIST_URLS = List.of(
+        new MethodUrlPair(Arrays.asList("POST","GET"), "/login"),
+        new MethodUrlPair(Arrays.asList("POST"), "/user")
+    );
+
+}

bm-controller/src/main/java/org/benchmarker/security/util/MethodUrlPair.java

@@ -0,0 +1,15 @@
+package org.benchmarker.security.util;
+
+import java.util.List;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.ToString;
+import org.springframework.http.HttpMethod;
+
+@AllArgsConstructor
+@Getter
+@ToString
+public class MethodUrlPair {
+    private final List<String> method;
+    private final String url;
+}

bm-controller/src/test/java/org/benchmarker/security/JwtAuthFilterTest.java

@@ -8,6 +8,8 @@
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 
@@ -40,8 +42,12 @@ public void testDoFilterInternal_ValidToken() throws Exception {
         when(userDetails.getAuthorities())
             .thenReturn((Collection) authenticationToken.getAuthorities());
 
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setRequestURI("/test");
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
         // when
-        jwtAuthFilter.doFilterInternal(null, null, (req, res) -> {
+        jwtAuthFilter.doFilterInternal(request, response, (req, res) -> {
         });
 
         // then
@@ -56,8 +62,12 @@ public void testDoFilterInternal_InvalidToken() throws Exception {
         // given
         when(jwtTokenProvider.validateTokenAndGetUserId(any(), any())).thenReturn(null);
 
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setRequestURI("/test");
+        MockHttpServletResponse response = new MockHttpServletResponse();
+
         // when
-        jwtAuthFilter.doFilterInternal(null, null, (req, res) -> {
+        jwtAuthFilter.doFilterInternal(request, response, (req, res) -> {
         });
 
         // then