From dd53f067ccb0e632e75306b9ad3e90af8a67114f Mon Sep 17 00:00:00 2001 From: choubung Date: Mon, 17 Nov 2025 23:56:16 +0900 Subject: [PATCH 1/3] =?UTF-8?q?fix:=20csrf=20=EC=98=A4=EB=A5=98=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../config/auth/SecurityConfig.java | 3 ++ .../openMission/web/GlobalModelAdvice.java | 20 +++++++++++++ src/main/resources/static/js/app/index.js | 30 +++++++++++++++++-- .../templates/layout/header.mustache | 10 +++---- 4 files changed, 56 insertions(+), 7 deletions(-) create mode 100644 src/main/java/com/precourse/openMission/web/GlobalModelAdvice.java diff --git a/src/main/java/com/precourse/openMission/config/auth/SecurityConfig.java b/src/main/java/com/precourse/openMission/config/auth/SecurityConfig.java index daee272..f2f3a30 100644 --- a/src/main/java/com/precourse/openMission/config/auth/SecurityConfig.java +++ b/src/main/java/com/precourse/openMission/config/auth/SecurityConfig.java @@ -21,6 +21,9 @@ public class SecurityConfig { @Bean protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http + .requiresChannel(channel -> channel + .anyRequest().requiresSecure() + ) .authorizeHttpRequests((authz) -> authz .requestMatchers("/").permitAll() diff --git a/src/main/java/com/precourse/openMission/web/GlobalModelAdvice.java b/src/main/java/com/precourse/openMission/web/GlobalModelAdvice.java new file mode 100644 index 0000000..e4f8486 --- /dev/null +++ b/src/main/java/com/precourse/openMission/web/GlobalModelAdvice.java @@ -0,0 +1,20 @@ +package com.precourse.openMission.web; + +import jakarta.servlet.http.HttpServletRequest; +import org.springframework.security.web.csrf.CsrfToken; +import org.springframework.web.bind.annotation.ControllerAdvice; +import org.springframework.web.bind.annotation.ModelAttribute; +import org.springframework.stereotype.Controller; + +/** + * 모든 컨트롤러(@Controller)의 Model에 + * 공통 속성(Attribute)을 추가하는 클래스 + */ +@ControllerAdvice(annotations = Controller.class) +public class GlobalModelAdvice { + @ModelAttribute("_csrf") + public CsrfToken csrfToken(HttpServletRequest request) { + // Spring Security가 이미 request에 저장해 둔 _csrf 토큰을 꺼내서 Model에 담아줌 + return (CsrfToken) request.getAttribute(CsrfToken.class.getName()); + } +} diff --git a/src/main/resources/static/js/app/index.js b/src/main/resources/static/js/app/index.js index bff5e10..5d23787 100644 --- a/src/main/resources/static/js/app/index.js +++ b/src/main/resources/static/js/app/index.js @@ -12,6 +12,11 @@ var main = { $('#btn-delete').on('click', function () { _this.delete(); }); + + $('#btn-logout').on('click', function (e) { + e.preventDefault(); // 태그의 링크 이동을 막음 + _this.logout(); + }); }, save : function () { // 1. [수정] DTO에 맞게 데이터 수집 @@ -71,7 +76,7 @@ var main = { dataType: 'json', contentType:'application/json; charset=utf-8', data: JSON.stringify(data), - beforeSend : function(xhr) { // 💡 (여기도) + beforeSend : function(xhr) { xhr.setRequestHeader(header, token); } }).done(function() { @@ -100,8 +105,29 @@ var main = { }).fail(function (error) { alert(error.responseJSON.message || JSON.stringify(error)); }); - } + }, + logout : function () { + // 9. 태그에서 CSRF 파라미터 이름과 토큰 값을 읽어옴 + var token = $("meta[name='_csrf']").attr("content"); + var paramName = $("meta[name='_csrf_parameter']").attr("content"); + + // 10. 동적으로
을 생성 + var $form = $('
'); + $form.attr('action', '/logout'); + $form.attr('method', 'POST'); + + // 11. 폼에 CSRF 토큰(hidden input)을 추가 + $form.append($('', { + type: 'hidden', + name: paramName, + value: token + })); + + // 12. 폼을 body에 추가하고 즉시 submit + $form.appendTo('body'); + $form.submit(); + } }; main.init(); \ No newline at end of file diff --git a/src/main/resources/templates/layout/header.mustache b/src/main/resources/templates/layout/header.mustache index df57c57..3f7827a 100644 --- a/src/main/resources/templates/layout/header.mustache +++ b/src/main/resources/templates/layout/header.mustache @@ -2,7 +2,10 @@ 메모 서비스 - + + + + @@ -20,10 +23,7 @@
  • {{#googleName}} Logged in as: {{googleName}} -
    - - -
    +     Logout {{/googleName}} {{^googleName}} Login From 6adbed39d6b3c75db9b5ef59be5febb6b5f60931 Mon Sep 17 00:00:00 2001 From: choubung Date: Tue, 18 Nov 2025 00:22:06 +0900 Subject: [PATCH 2/3] =?UTF-8?q?test(integration):=20.secure(true)=EB=A5=BC?= =?UTF-8?q?=20=EC=B6=94=EA=B0=80=ED=95=98=EC=97=AC=20HTTPS=20=EB=A6=AC?= =?UTF-8?q?=EB=94=94=EB=A0=89=EC=85=98=20=EC=98=A4=EB=A5=98=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../integration/IndexControllerTest.java | 3 ++- .../integration/MemoIntegrationTest.java | 18 ++++++++++++++---- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/src/test/java/com/precourse/openMission/integration/IndexControllerTest.java b/src/test/java/com/precourse/openMission/integration/IndexControllerTest.java index b2543be..41b8f1e 100644 --- a/src/test/java/com/precourse/openMission/integration/IndexControllerTest.java +++ b/src/test/java/com/precourse/openMission/integration/IndexControllerTest.java @@ -37,7 +37,8 @@ public void setup() { @Test public void 메인페이지_로딩() throws Exception { // when & then - mvc.perform(get("/")) + mvc.perform(get("/") + .secure(true)) .andExpect(status().isOk()) .andExpect(content().string(containsString("메모 서비스"))); } diff --git a/src/test/java/com/precourse/openMission/integration/MemoIntegrationTest.java b/src/test/java/com/precourse/openMission/integration/MemoIntegrationTest.java index 58305b2..bf6ec28 100644 --- a/src/test/java/com/precourse/openMission/integration/MemoIntegrationTest.java +++ b/src/test/java/com/precourse/openMission/integration/MemoIntegrationTest.java @@ -114,6 +114,7 @@ public void tearDown() throws Exception { ResultActions resultActions = mockMvc.perform(post("/home/memos") .with(csrf()) .sessionAttr("user", sessionUser) + .secure(true) .contentType(MediaType.APPLICATION_JSON) .content(json)) .andExpect(status().isOk()); @@ -146,6 +147,7 @@ public void tearDown() throws Exception { // when, then mockMvc.perform(post("/home/memos") .with(csrf()) + .secure(true) .contentType(MediaType.APPLICATION_JSON) .content(json)) .andExpect(status().isUnauthorized()); @@ -171,6 +173,7 @@ public void tearDown() throws Exception { mockMvc.perform(put("/home/memos/{targetId}", targetId) .with(csrf()) .sessionAttr("user", sessionUser) + .secure(true) .contentType(MediaType.APPLICATION_JSON) .content(json)) .andExpect(status().isOk()); @@ -204,6 +207,7 @@ public void tearDown() throws Exception { mockMvc.perform(put("/home/memos/{invalidId}", invalidId) .with(csrf()) .sessionAttr("user", sessionUser) + .secure(true) .contentType(MediaType.APPLICATION_JSON) .content(json)) .andExpect(status().isNotFound()); @@ -218,6 +222,7 @@ public void tearDown() throws Exception { // when ResultActions resultActions = mockMvc.perform(get("/home/memos") + .secure(true) .contentType(MediaType.APPLICATION_JSON)); // then @@ -237,6 +242,7 @@ public void tearDown() throws Exception { // when ResultActions resultActions = mockMvc.perform(get("/home/memos/{targetId}", targetId) + .secure(true) .sessionAttr("user", sessionUser)); // then @@ -254,7 +260,8 @@ public void tearDown() throws Exception { Long invalidId = publicMemo.getId(); // when, then - mockMvc.perform(get("/home/memos/{invalidId}", invalidId)) + mockMvc.perform(get("/home/memos/{invalidId}", invalidId) + .secure(true)) .andExpect(status().isNotFound()); } @@ -269,7 +276,8 @@ public void tearDown() throws Exception { // when mockMvc.perform(delete("/home/memos/{targetId}", targetId) .with(csrf()) - .sessionAttr("user", sessionUser)) + .sessionAttr("user", sessionUser) + .secure(true)) .andExpect(status().isNoContent()); // then @@ -296,7 +304,8 @@ public void tearDown() throws Exception { // when, then mockMvc.perform(delete("/home/memos/{memoId}", memoId) .with(csrf()) - .sessionAttr("user", sessionUser)) + .sessionAttr("user", sessionUser) + .secure(true)) .andExpect(status().isBadRequest()); } @@ -313,7 +322,8 @@ public void tearDown() throws Exception { // when, then mockMvc.perform(delete("/home/memos/{invalidId}", invalidId) .with(csrf()) - .sessionAttr("user", sessionUser)) + .sessionAttr("user", sessionUser) + .secure(true)) .andExpect(status().isNotFound()); } } From 0a32c05965ca935e68baf8792abf4c07a820c508 Mon Sep 17 00:00:00 2001 From: choubung Date: Tue, 18 Nov 2025 00:37:26 +0900 Subject: [PATCH 3/3] =?UTF-8?q?refactor(SecurityConfig):=20=EB=B0=B0?= =?UTF-8?q?=ED=8F=AC=EC=99=80=20=EA=B0=9C=EB=B0=9C=20=ED=99=98=EA=B2=BD=20?= =?UTF-8?q?bean=20=EB=B6=84=EB=A6=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/cd.yml | 2 ++ Dockerfile | 2 +- .../config/auth/SecurityConfig.java | 28 +++++++++++++++---- 3 files changed, 25 insertions(+), 7 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 915c248..02e52d6 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -70,6 +70,8 @@ jobs: # Cloud Run 컨테이너에 환경 변수 주입 env_vars: | + SPRING_PROFILES_ACTIVE=prod + DB_URL=jdbc:mysql://google/mydb?socketFactory=com.google.cloud.sql.mysql.SocketFactory&cloudSqlInstance=${{ secrets.GCP_SQL_CONNECTION_NAME }}&useSSL=false&serverTimezone=UTC&characterEncoding=UTF-8 DB_USERNAME=${{ secrets.DB_USERNAME }} DB_PASSWORD=${{ secrets.DB_PASSWORD }} diff --git a/Dockerfile b/Dockerfile index f52d639..c7b6584 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,6 @@ ARG JAR_FILE=build/libs/*.jar COPY ${JAR_FILE} app.jar -EXPOSE 8080 +EXPOSE 9090 ENTRYPOINT ["java", "-jar", "/app.jar"] diff --git a/src/main/java/com/precourse/openMission/config/auth/SecurityConfig.java b/src/main/java/com/precourse/openMission/config/auth/SecurityConfig.java index f2f3a30..d66c069 100644 --- a/src/main/java/com/precourse/openMission/config/auth/SecurityConfig.java +++ b/src/main/java/com/precourse/openMission/config/auth/SecurityConfig.java @@ -4,6 +4,7 @@ import lombok.RequiredArgsConstructor; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Profile; import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; @@ -18,12 +19,29 @@ public class SecurityConfig { private final CustomOAuth2UserService customOAuth2UserService; + // (운영/배포) 환경 전용 SecurityFilterChain @Bean - protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + @Profile("prod") + public SecurityFilterChain prodFilterChain(HttpSecurity http) throws Exception { + http.requiresChannel(channel -> channel + .anyRequest().requiresSecure() + ); + + commonSecurityConfig(http); + + return http.build(); + } + + @Bean + @Profile("!prod") + public SecurityFilterChain devFilterChain(HttpSecurity http) throws Exception { + commonSecurityConfig(http); + + return http.build(); + } + + private void commonSecurityConfig(HttpSecurity http) throws Exception { http - .requiresChannel(channel -> channel - .anyRequest().requiresSecure() - ) .authorizeHttpRequests((authz) -> authz .requestMatchers("/").permitAll() @@ -48,8 +66,6 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception { .userService(customOAuth2UserService) ) ); - - return http.build(); } @Bean