OAuth2를 적용하는 중에 인텔리제이에서 deprecated 됐다는 경고가 떠서 급하게 코드를 수정해보았습니다
동작은 동일하고 문법에만 차이가 있을 뿐 크게 변화된 건 없어서 쉽게 변경할 수 있었습니다!
코드 변경 전
/**
 * Builds the {@link SecurityFilterChain} with the chained (non-lambda) configurer style,
 * i.e. the form the IDE reported as deprecated.
 *
 * <p>The chain disables CSRF, HTTP Basic and form login, keeps sessions stateless, runs a
 * token filter before {@code UsernamePasswordAuthenticationFilter}, requires authentication
 * for {@code /api/**} (except {@code /api/token}), and enables OAuth2 login.
 *
 * @param http the builder the rules are applied to
 * @return the chain produced by {@code http.build()}
 * @throws Exception declared by the configurer methods and by {@code http.build()}
 */
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// CSRF protection is switched off together with Basic, form login and logout.
// NOTE(review): disabling CSRF is only safe while no state-changing request is authenticated
// by a cookie the browser attaches on its own; tokenAuthenticationFilter() is not shown here,
// so confirm where it reads the token from.
http.csrf().disable()
.httpBasic().disable()
.formLogin().disable()
.logout().disable();
// No HTTP session is created or used to hold the security context.
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// The token filter runs ahead of the username/password filter.
http.addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
// Rule order matters: the "/api/token" exception has to precede the broader "/api/**" rule.
// Everything outside "/api/**" is public, so an endpoint added elsewhere is unauthenticated
// unless a rule is added for it.
http.authorizeHttpRequests()
.requestMatchers("/api/token").permitAll()
.requestMatchers("/api/**").authenticated()
.anyRequest().permitAll();
// OAuth2 login: custom login page, a custom authorization-request repository (cookie-based,
// judging by its name; verify), a success handler and a custom user service.
http.oauth2Login()
.loginPage("/login")
.authorizationEndpoint()
.authorizationRequestRepository(oAuth2AuthorizationRequestBseOnCookieRepository())
.and()
.successHandler(oAuth2SuccessHandler())
.userInfoEndpoint()
.userService(oAuth2UserCustomService);
// NOTE(review): logout was disabled at the top of this method and is configured again here;
// presumably this call registers the logout configurer again, so logout ends up enabled.
// Confirm which of the two is intended.
http.logout()
.logoutSuccessUrl("/login");
// Unauthenticated requests to "/api/**" get a 401 status from HttpStatusEntryPoint.
http.exceptionHandling()
.defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
new AntPathRequestMatcher("/api/**"));
return http.build();
}
코드 변경 후
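/**
 * Builds the {@link SecurityFilterChain} with the lambda-style configurer DSL.
 *
 * <p>The chain disables CSRF, HTTP Basic and form login, keeps sessions stateless, runs a
 * token filter before {@code UsernamePasswordAuthenticationFilter}, requires authentication
 * for {@code /api/**} (except {@code /api/token}), and enables OAuth2 login with the login
 * page at {@code /login}.
 *
 * @param http the builder the rules are applied to
 * @return the chain produced by {@code http.build()}
 * @throws Exception declared by the configurer methods and by {@code http.build()}
 */
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // CSRF protection is switched off together with Basic, form login and logout.
    // NOTE(review): disabling CSRF is only safe while no state-changing request is
    // authenticated by a cookie the browser attaches on its own; tokenAuthenticationFilter()
    // is not shown here, so confirm where it reads the token from.
    http.csrf(AbstractHttpConfigurer::disable)
            .httpBasic(HttpBasicConfigurer::disable)
            .formLogin(FormLoginConfigurer::disable)
            .logout(LogoutConfigurer::disable);

    // No HTTP session holds the security context; the token filter runs ahead of the
    // username/password filter.
    http.sessionManagement(configure -> configure.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(tokenAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

    // Rule order matters: the "/api/token" exception has to precede the broader "/api/**" rule.
    // Everything outside "/api/**" is public, so an endpoint added elsewhere is unauthenticated
    // unless a rule is added for it.
    http.authorizeHttpRequests(authorize ->
            authorize.requestMatchers("/api/token").permitAll()
                    .requestMatchers("/api/**").authenticated()
                    .anyRequest().permitAll());

    // The login page is "/login", the same path the pre-migration configuration used and the
    // one logout redirects to; "/page" would have changed behaviour during a syntax-only
    // migration.
    http.oauth2Login(oauth2Login ->
            oauth2Login.loginPage("/login")
                    .authorizationEndpoint(authorizationEndpoint ->
                            authorizationEndpoint.authorizationRequestRepository(
                                    oAuth2AuthorizationRequestBseOnCookieRepository()))
                    .successHandler(oAuth2SuccessHandler())
                    .userInfoEndpoint(userInfoEndpoint ->
                            userInfoEndpoint.userService(oAuth2UserCustomService)));

    // NOTE(review): logout was disabled at the top of this method and is configured again
    // here; presumably this call registers the logout configurer again, so logout ends up
    // enabled. Confirm which of the two is intended.
    http.logout(logout -> logout
            .logoutSuccessUrl("/login"));

    // Unauthenticated requests to "/api/**" get a 401 status from HttpStatusEntryPoint.
    http.exceptionHandling(exceptionHandling ->
            exceptionHandling.defaultAuthenticationEntryPointFor(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                    new AntPathRequestMatcher("/api/**")));

    return http.build();
}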
참고
OAuth Migrations :: Spring Security