CLAP-109 Feat: security config 재설정 및 adapter config와 통합

<footer>
- 관련: #59

Author: joowojr

src/main/java/clap/server/config/security/SecurityAdapterConfig.java

@@ -1,15 +1,17 @@
 package clap.server.config.security;
 
+import clap.server.adapter.inbound.security.LoginAttemptFilter;
+import clap.server.adapter.inbound.security.filter.JwtAuthenticationFilter;
+import clap.server.adapter.inbound.security.filter.JwtExceptionFilter;
 import lombok.RequiredArgsConstructor;
 import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Profile;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
-import org.springframework.security.config.Customizer;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -19,44 +21,48 @@
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.cors.CorsConfigurationSource;
 
 import static clap.server.config.security.WebSecurityUrl.*;
 
+
 @Configuration
 @EnableWebSecurity
 @ConditionalOnDefaultWebSecurity
 @RequiredArgsConstructor
 public class SecurityConfig {
-    private final SecurityAdapterConfig securityAdapterConfig;
+    private final JwtAuthenticationFilter jwtAuthenticationFilter;
+    private final JwtExceptionFilter jwtExceptionFilter;
+    private final LoginAttemptFilter loginAttemptFilter;
+
+    private final DaoAuthenticationProvider daoAuthenticationProvider;
     private final CorsConfigurationSource corsConfigurationSource;
     private final AccessDeniedHandler accessDeniedHandler;
     private final AuthenticationEntryPoint authenticationEntryPoint;
 
     @Bean
-    @Profile({"local", "dev"})
     @Order(SecurityProperties.BASIC_AUTH_ORDER)
-    public SecurityFilterChain filterChainForDev(HttpSecurity http) throws Exception {
+    public SecurityFilterChain defaultFilterChain(HttpSecurity http) throws Exception {
         return defaultSecurity(http)
+                .exceptionHandling(
+                        exception -> exception
+                                .accessDeniedHandler(accessDeniedHandler)
+                                .authenticationEntryPoint(authenticationEntryPoint)
+                )
                 .cors(cors -> cors.configurationSource(corsConfigurationSource))
+                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
+                .addFilterBefore(jwtExceptionFilter, JwtAuthenticationFilter.class)
+                .addFilterBefore(loginAttemptFilter, JwtExceptionFilter.class)
                 .authorizeHttpRequests(
                         auth ->
                                 defaultAuthorizeHttpRequest(auth)
                                         .requestMatchers(SWAGGER_ENDPOINTS).permitAll()
+                                        .requestMatchers(LOGIN_ENDPOINT).permitAll()
                                         .anyRequest().authenticated()
                 ).build();
     }
 
-    @Bean
-    @Profile({"prod"})
-    @Order(SecurityProperties.BASIC_AUTH_ORDER)
-    public SecurityFilterChain filterChainForProd(HttpSecurity http) throws Exception {
-        return defaultSecurity(http)
-                .cors(cors -> cors.configurationSource(corsConfigurationSource))
-                .authorizeHttpRequests(auth -> defaultAuthorizeHttpRequest(auth).anyRequest().authenticated()
-                ).build();
-    }
-
     private HttpSecurity defaultSecurity(HttpSecurity http) throws Exception {
         return http
                 .httpBasic(AbstractHttpConfigurer::disable)
@@ -66,12 +72,8 @@ private HttpSecurity defaultSecurity(HttpSecurity http) throws Exception {
                 )
                 .formLogin(AbstractHttpConfigurer::disable)
                 .logout(AbstractHttpConfigurer::disable)
-                .with(securityAdapterConfig, Customizer.withDefaults())
-                .exceptionHandling(
-                        exception -> exception
-                                .accessDeniedHandler(accessDeniedHandler)
-                                .authenticationEntryPoint(authenticationEntryPoint)
-                );
+                .authenticationProvider(daoAuthenticationProvider)
+                ;
     }
 
     private AbstractRequestMatcherRegistry<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizedUrl> defaultAuthorizeHttpRequest(
@@ -83,8 +85,7 @@ private AbstractRequestMatcherRegistry<AuthorizeHttpRequestsConfigurer<HttpSecur
                 .requestMatchers(HttpMethod.GET, READ_ONLY_PUBLIC_ENDPOINTS).permitAll()
                 .requestMatchers(HEALTH_CHECK_ENDPOINT).permitAll()
                 .requestMatchers(REISSUANCE_ENDPOINTS).permitAll()
-                .requestMatchers(AUTHENTICATED_ENDPOINTS).authenticated()
-                .requestMatchers(ANONYMOUS_ENDPOINTS).permitAll();
+                .requestMatchers(SWAGGER_ENDPOINTS).permitAll();
     }
 
 }

src/main/java/clap/server/config/security/SecurityConfig.java

@@ -1,8 +1,10 @@
 package clap.server.config.security;
 
-import clap.server.application.port.outbound.auth.JwtProvider;
+import clap.server.adapter.inbound.security.LoginAttemptFilter;
 import clap.server.adapter.inbound.security.filter.JwtAuthenticationFilter;
 import clap.server.adapter.inbound.security.filter.JwtExceptionFilter;
+import clap.server.application.port.outbound.auth.JwtProvider;
+import clap.server.application.service.auth.LoginAttemptService;
 import lombok.AccessLevel;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
@@ -14,6 +16,7 @@
 @RequiredArgsConstructor(access = AccessLevel.PROTECTED)
 public class SecurityFilterConfig {
 	private final UserDetailsService securityUserDetails;
+	private final LoginAttemptService loginAttemptService;
 	private final JwtProvider accessTokenProvider;
 	private final JwtProvider temporaryTokenProvider;
 	private final AccessDeniedHandler accessDeniedHandler;
@@ -27,4 +30,9 @@ public JwtExceptionFilter jwtExceptionFilter() {
 	public JwtAuthenticationFilter jwtAuthenticationFilter() {
 		return new JwtAuthenticationFilter(securityUserDetails, accessTokenProvider, temporaryTokenProvider, accessDeniedHandler);
 	}
+
+	@Bean
+	public LoginAttemptFilter loginAttemptFilter() {
+		return new LoginAttemptFilter(loginAttemptService);
+	}
 }

src/main/java/clap/server/config/security/SecurityFilterConfig.java

@@ -7,8 +7,7 @@ private WebSecurityUrl() {
 
     protected static final String [] HEALTH_CHECK_ENDPOINT = {"/health"};
     protected static final String[] READ_ONLY_PUBLIC_ENDPOINTS = {"/favicon.ico"};
-    protected static final String[] AUTHENTICATED_ENDPOINTS = {};
-    protected static final String[] ANONYMOUS_ENDPOINTS = {"/api/auths/login"};
+    protected static final String LOGIN_ENDPOINT = "/api/auths/login";
     protected static final String[] SWAGGER_ENDPOINTS = {
             "/swagger/api-docs/**", "/swagger/v3/api-docs/**",
             "/swagger-ui/**", "/swagger"