SecurityFilter와 ServletFilter

이름은 똑같이 Filter이지만 Servlet에서 관리되는 Filter와 구조가 다르다.

여기서는 ServletFilter와 SecurityFilter로 구분하겠다.

https://docs.spring.io/spring-security/site/docs/3.0.x/reference/security-filter-chain.html

<filter>
  <filter-name>myFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>myFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-name>myFilter</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

</filter>

<filter-mapping>

<filter-name>myFilter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

DelegateFilterProxy만 ServletFilter이다.

다른 SecurityFilter는 이 하위에서 동작한다.

ex) API와 웹화면이 별도의 체인 사용

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
  <sec:filter-chain-map path-type="ant">
     <sec:filter-chain pattern="/webServices/**" filters="
           securityContextPersistenceFilterWithASCFalse,
           basicAuthenticationFilter,
           exceptionTranslationFilter,
           filterSecurityInterceptor" />
     <sec:filter-chain pattern="/**" filters="
           securityContextPersistenceFilterWithASCTrue,
           formLoginFilter,
           exceptionTranslationFilter,
           filterSecurityInterceptor" />
  </sec:filter-chain-map>
</bean>

<sec:filter-chain-map path-type="ant">

<sec:filter-chain pattern="/webServices/**" filters="

securityContextPersistenceFilterWithASCFalse,

basicAuthenticationFilter,

exceptionTranslationFilter,

filterSecurityInterceptor" />

<sec:filter-chain pattern="/**" filters="

securityContextPersistenceFilterWithASCTrue,

formLoginFilter,

exceptionTranslationFilter,

filterSecurityInterceptor" />

</sec:filter-chain-map>

</bean>

SecurityFilter중 하나인 LogoutFilter의 선언부

public class LogoutFilter extends GenericFilterBean {
}

public abstract class GenericFilterBean implements Filter, BeanNameAware, EnvironmentAware,
		EnvironmentCapable, ServletContextAware, InitializingBean, DisposableBean {
}

public class LogoutFilter extends GenericFilterBean {

}

public abstract class GenericFilterBean implements Filter, BeanNameAware, EnvironmentAware,

EnvironmentCapable, ServletContextAware, InitializingBean, DisposableBean {

}

SecurityFilter도 javax.servlet.Filter를 상속받지만 아예 다른 형태로 만드는게 혼란이 없지 않았을까 하는 생각이 든다.

Cors필터나 기타 인증필터를 추가해서 Security인증을 하고싶다면 ServetFilter가 아닌 SecurityFilterChain에 추가를 해야한다.

Security의 핵심인 FilterChain

https://stackoverflow.com/questions/41480102/how-spring-security-filter-chain-works

SpringSecurity JavaConfig 기본설정부분의 일부

@Configuration
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
	override fun configure(http: HttpSecurity?) {
		http!!.csrf().disable()
				.cors().and()
				.authorizeRequests()
				.anyRequest().authenticated()
				.and()
	}
}

@Configuration

@EnableWebSecurity

class SecurityConfig : WebSecurityConfigurerAdapter() {

override fun configure(http: HttpSecurity?) {

http!!.csrf().disable()

.cors().and()

.authorizeRequests()

.anyRequest().authenticated()

.and()

}

기본적으로 셋팅되는 필터들

서로간에 강한 의존성을 가지며 순서가 중요하다.

FilterChainProxy

1 WebAsyncManagerIntegrationFilter
2 SecurityContextPersistenceFilter
3 HeaderWriterFilter
4 CorsFilter --optional
5 LogoutFilter
6 UsernamePasswordAuthenticationFilter
7 RequestCacheAwareFilter
8 SecurityContextHolderAwareRequestFilter
9 AnonymousAuthenticationFilter
0 SessionManagementFilter
1 ExceptionTranslationFilter
2 FilterSecurityInterceptor

FilterChainProxy

1 WebAsyncManagerIntegrationFilter

2 SecurityContextPersistenceFilter

3 HeaderWriterFilter

4 CorsFilter --optional

5 LogoutFilter

6 UsernamePasswordAuthenticationFilter

7 RequestCacheAwareFilter

8 SecurityContextHolderAwareRequestFilter

9 AnonymousAuthenticationFilter

0 SessionManagementFilter

1 ExceptionTranslationFilter

2 FilterSecurityInterceptor

FilterChain을 구동시키는 Filter만

JWT나 CORS 필터 적용이 필요하다면 Security에 올리는게 좋다.

RoleVoter