I noticed in my logs that Spring invokes two separate filter chains while authorizing my request. So my question is: why does Spring call an additional filter chain in addition to the original one? Because of this behaviour my application authenticates the user twice while processing the request. In particular, my AuthenticationFilter is being called once more unnecessarily.
You can see the log here:
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/account/@me'; against '/api/account/**'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 4 of 10 in additional filter chain; firing Filter: 'TokenAuthenticationFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] d.t.o.a.a.TokenAuthenticationFilter : Request is to process authentication
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.authentication.ProviderManager : Authentication attempt using dev.teamnight.oauth2.authserver.authentication.ApplicationAuthenticationProvider
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.authentication.ProviderManager : Authentication attempt using dev.teamnight.oauth2.authserver.authentication.BearerAuthenticationProvider
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] d.t.o.a.a.TokenAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: dev.teamnight.oauth2.authserver.authentication.TokenAuthenticationToken@aeed7374: Principal: dev.teamnight.oauth2.authserver.authentication.OAuth2Principal@46a2793d; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'dev.teamnight.oauth2.authserver.authentication.TokenAuthenticationToken@aeed7374: Principal: dev.teamnight.oauth2.authserver.authentication.OAuth2Principal@46a2793d; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@5f8a02cf
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher : Request '/api/account/@me' matched by universal pattern '/**'
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/account/@me; Attributes: [hasAnyAuthority('READ_ALL','BEARER_ACCESS')]
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: dev.teamnight.oauth2.authserver.authentication.TokenAuthenticationToken@aeed7374: Principal: dev.teamnight.oauth2.authserver.authentication.OAuth2Principal@46a2793d; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.a.h.RoleHierarchyImpl : getReachableGrantedAuthorities() - From the roles [SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS] one can reach [SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS] in zero or more steps.
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@2830c7a3, returned: 1
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
<< Additional Filter Chain Ends >> 27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : /api/account/@me reached end of additional filter chain; proceeding with original chain
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] d.t.o.a.a.TokenAuthenticationFilter : Request is to process authentication
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.authentication.ProviderManager : Authentication attempt using dev.teamnight.oauth2.authserver.authentication.ApplicationAuthenticationProvider
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.authentication.ProviderManager : Authentication attempt using dev.teamnight.oauth2.authserver.authentication.BearerAuthenticationProvider
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] d.t.o.a.a.TokenAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: dev.teamnight.oauth2.authserver.authentication.TokenAuthenticationToken@c97cfb62: Principal: dev.teamnight.oauth2.authserver.authentication.OAuth2Principal@571022e9; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.a.i.a.MethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public dev.teamnight.oauth2.authserver.entities.json.AccountDTO dev.teamnight.oauth2.authserver.controllers.ApiController.getBearedAccount(javax.servlet.http.HttpServletRequest); target is of class [dev.teamnight.oauth2.authserver.controllers.ApiController]; Attributes: [[authorize: 'hasAuthority('BEARER_ACCESS')', filter: 'null', filterTarget: 'null']]
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.a.i.a.MethodSecurityInterceptor : Previously Authenticated: dev.teamnight.oauth2.authserver.authentication.TokenAuthenticationToken@c97cfb62: Principal: dev.teamnight.oauth2.authserver.authentication.OAuth2Principal@571022e9; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.a.h.RoleHierarchyImpl : getReachableGrantedAuthorities() - From the roles [SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS] one can reach [SCOPE_account.email, BEARER_ACCOUNT_1, SCOPE_account.basic, BEARER_ACCESS] in zero or more steps.
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@35948508, returned: 1
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.a.i.a.MethodSecurityInterceptor : Authorization successful
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.a.i.a.MethodSecurityInterceptor : RunAsManager did not change Authentication object
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@37c5e3bd
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
27-01-2021 DEBUG 10784 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
This is my WebSecurity configuration:
@Bean
@Qualifier("accountApiAuthenticationFilter")
public TokenAuthenticationFilter accountApiAuthenticationFilter(TokenAuthenticationFailureHandler failureHandler,
                                                                TokenAuthenticationSuccessHandler successHandler) throws Exception {
    TokenAuthenticationFilter filter = new TokenAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManagerBean());
    filter.setAuthenticationFailureHandler(failureHandler);
    filter.setAuthenticationSuccessHandler(successHandler);
    filter.setAllowedTokenTypes(TokenType.APPLICATION, TokenType.BEARER);
    return filter;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/api/account/**")
        .addFilterBefore(accountApiAuthenticationFilter(null, null), UsernamePasswordAuthenticationFilter.class)
        .authorizeRequests()
            .antMatchers("**").hasAnyAuthority("READ_ALL", "BEARER_ACCESS")
            .anyRequest().authenticated()
        .and()
        .authenticationProvider(this.appProvider)
        .authenticationProvider(this.bearerProvider)
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .exceptionHandling()
            .authenticationEntryPoint(new TokenAuthenticationEntryPoint())
        .and()
        .cors().disable()
        .formLogin().disable()
        .csrf().disable()
        .logout().disable();
}
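In a Spring Boot application every `Filter` exposed as a `@Bean` is also registered with the servlet container (mapped to `/*`), independently of `HttpSecurity`. A filter that is both a `@Bean` and added with `addFilterBefore` therefore runs once in the container's own chain, for every URL rather than only `/api/account/**`, and once more inside the security chain, which is the double authentication the log above shows. The following is an added example, not code from the question, that keeps the filter bean injectable but disables its container registration with `FilterRegistrationBean`; the filter class and qualifier names are taken from the question's configuration, the configuration class name is made up here.

```java
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TokenFilterRegistrationConfig {

    // TokenAuthenticationFilter and the "accountApiAuthenticationFilter" qualifier come from
    // the question's WebSecurity configuration; the class name here is a made-up example.
    //
    // Spring Boot registers any Filter bean with the servlet container under "/*". That
    // container-level instance runs before FilterChainProxy for every request, outside the
    // /api/account/** matcher, and authenticates the token a second time. Wrapping the bean
    // in a disabled FilterRegistrationBean suppresses the container registration while the
    // bean stays available for addFilterBefore(...) in the security chain.
    @Bean
    public FilterRegistrationBean<TokenAuthenticationFilter> accountApiAuthenticationFilterRegistration(
            @Qualifier("accountApiAuthenticationFilter") TokenAuthenticationFilter filter) {
        FilterRegistrationBean<TokenAuthenticationFilter> registration =
                new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }
}
```

The alternative is to build the filter inside `configure(HttpSecurity)` without declaring it as a `@Bean` at all, so the container never sees it; after either change the debug log should show `TokenAuthenticationFilter` firing only once, inside the security chain, and only for `/api/account/**`.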