Contents
Using role hierarchies in Spring Security - @RoleHierarchy
Spring Security - DelegatingFilterProxy
Spring Security - Remember-Me authentication API - RememberMeConfigurer
Spring Security - RememberMeAuthenticationFilter
Spring Security - SessionManagementFilter & ConcurrentSessionFilter
Spring Security - authorization API ExpressionUrlAuthorizationConfigurer
Spring Security - WebSecurityConfigurerAdapter for security configuration
Spring Security - AuthenticationProvider
Spring Security - AuthenticationManager
Spring Security - UsernamePasswordAuthenticationFilter & AbstractAuthenticationProcessingFilter
Spring Security - SecurityContextHolder and SecurityContext
Spring Security - the Authentication object
References
https://docs.spring.io/spring-security/reference/servlet/authentication/rememberme.html
RememberMeAuthenticationFilter
When a request arrives from the client, the filter checks whether the request's cookies carry a Remember-Me token.
If one is present, it authenticates with that token and stores the resulting Authentication object in the SecurityContext.
RememberMeAuthenticationFilter.java
```java
private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // Check whether the SecurityContext already holds an Authentication object.
    if (SecurityContextHolder.getContext().getAuthentication() != null) {
        this.logger.debug(LogMessage.of(() -> "SecurityContextHolder not populated with remember-me token, as it already contained: '"
                + SecurityContextHolder.getContext().getAuthentication() + "'"));
        chain.doFilter(request, response);
        return;
    }
    // Run Remember-Me authentication and receive an Authentication object back.
    Authentication rememberMeAuth = this.rememberMeServices.autoLogin(request, response);
    if (rememberMeAuth != null) {
        // Attempt authentication via AuthenticationManager
        try {
            // Validate the token by comparing the hash of the key held in the RememberMeAuthenticationToken,
            // then receive the object back unchanged.
            rememberMeAuth = this.authenticationManager.authenticate(rememberMeAuth);
            // Store the authenticated Authentication object in the SecurityContextHolder.
            SecurityContextHolder.getContext().setAuthentication(rememberMeAuth);
            // Run the post-processing for a successful authentication.
            onSuccessfulAuthentication(request, response, rememberMeAuth);
            this.logger.debug(LogMessage.of(() -> "SecurityContextHolder populated with remember-me token: '"
                    + SecurityContextHolder.getContext().getAuthentication() + "'"));
            if (this.eventPublisher != null) {
                this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
                        SecurityContextHolder.getContext().getAuthentication(), this.getClass()));
            }
            if (this.successHandler != null) {
                this.successHandler.onAuthenticationSuccess(request, response, rememberMeAuth);
                return;
            }
        }
        catch (AuthenticationException ex) {
            this.logger.debug(LogMessage.format("SecurityContextHolder not populated with remember-me token, as AuthenticationManager "
                    + "rejected Authentication returned by RememberMeServices: '%s'; "
                    + "invalidating remember-me token", rememberMeAuth), ex);
            this.rememberMeServices.loginFail(request, response);
            onUnsuccessfulAuthentication(request, response, ex);
        }
    }
    chain.doFilter(request, response);
}
```
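The flow above can be exercised end to end without a running server. The following is an added example written for this post, not Spring Security's own code: it wires a RememberMeAuthenticationFilter to TokenBasedRememberMeServices and a RememberMeAuthenticationProvider that share one key, lets RememberMeServices issue the cookie after a form login, and then replays that cookie (and a tampered one) through the filter. It assumes Spring Security 6 with the Jakarta servlet API and spring-test on the classpath (for the Mock* classes); the user "alice", the password and the key are constructed values for the demo.

```java
import jakarta.servlet.http.Cookie;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.RememberMeAuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

public class RememberMeFilterWalkthrough {

    // Constructed for this example. The same key must be given to RememberMeServices (which signs
    // the cookie) and to RememberMeAuthenticationProvider (which compares the key hash in the token).
    private static final String KEY = "example-remember-me-key-CHANGE-ME";

    public static void main(String[] args) throws Exception {
        // Constructed demo user; {noop} means the password is stored unencoded.
        UserDetails alice = User.withUsername("alice").password("{noop}secret").roles("USER").build();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(alice);

        TokenBasedRememberMeServices services = new TokenBasedRememberMeServices(KEY, users);
        services.setAlwaysRemember(true);       // demo only: skip the "remember-me" form parameter
        services.setTokenValiditySeconds(60);   // keep the bearer token short-lived

        RememberMeAuthenticationFilter filter = new RememberMeAuthenticationFilter(
                new ProviderManager(new RememberMeAuthenticationProvider(KEY)), services);

        // 1) A successful form login asks RememberMeServices to issue the cookie.
        MockHttpServletRequest loginRequest = new MockHttpServletRequest("POST", "/login");
        MockHttpServletResponse loginResponse = new MockHttpServletResponse();
        Authentication formLogin =
                UsernamePasswordAuthenticationToken.authenticated(alice, null, alice.getAuthorities());
        services.loginSuccess(loginRequest, loginResponse, formLogin);
        Cookie rememberMe = loginResponse.getCookie("remember-me");

        // 2) A later request carries only that cookie; the filter authenticates from it.
        System.out.println("valid cookie    -> " + runFilter(filter, rememberMe));

        // 3) A cookie that fails validation: autoLogin() returns null, the filter leaves the
        //    SecurityContext empty, and RememberMeServices answers with a cancel cookie (Max-Age=0).
        Cookie broken = new Cookie("remember-me", "tampered");
        System.out.println("tampered cookie -> " + runFilter(filter, broken));
    }

    // Runs one request through the filter and reports what ended up in the SecurityContext.
    static String runFilter(RememberMeAuthenticationFilter filter, Cookie cookie) throws Exception {
        SecurityContextHolder.clearContext();   // fresh request: no Authentication yet
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/account");
        request.setCookies(cookie);
        MockHttpServletResponse response = new MockHttpServletResponse();

        filter.doFilter(request, response, new MockFilterChain());

        Authentication result = SecurityContextHolder.getContext().getAuthentication();
        Cookie cancel = response.getCookie("remember-me");
        String outcome = (result instanceof RememberMeAuthenticationToken)
                ? "authenticated as " + result.getName() + " via " + result.getClass().getSimpleName()
                : "not authenticated";
        if (cancel != null && cancel.getMaxAge() == 0) {
            outcome += " (cookie cancelled)";
        }
        SecurityContextHolder.clearContext();
        return outcome;
    }
}
```

The first run prints an authentication of "alice" carried by a RememberMeAuthenticationToken, which is the object the filter stores in the SecurityContextHolder in the source above; the second shows the defensive path, where nothing is stored and the response clears the cookie. Note that the provider only checks the key hash, so the actual signature and expiry validation happens inside RememberMeServices.autoLogin(), before the filter ever calls the AuthenticationManager.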
AbstractRememberMeServices