Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Amazon Cognito使って認証したい?それならSpring Security使いましょう!

Ryosuke Uchitate
October 31, 2018
Programming
0
1.5k

Amazon Cognito使って認証したい?それならSpring Security使いましょう!

Spring Fest 2018 #sf_23 #jsug

Ryosuke Uchitate

October 31, 2018
Tweet

More Decks by Ryosuke Uchitate

See All by Ryosuke Uchitate
決済サービスのSpring Bootのバージョンを2系に上げた話
b1a9id
0
140
Form認証で学ぶSpring Security入門
b1a9id
0
260
パラレルキャリアがもたらす相乗効果
b1a9id
1
1.2k
ユニットテストのアサーション 流れるようなインターフェースのAssertJを添えて 入門者仕立て
b1a9id
1
110
Spring超入門-Springと出会ってから1年半-
b1a9id
1
72
Spring starterによるSpring Boot Starter
b1a9id
1
71

Other Decks in Programming

See All in Programming
Jakarta EE meets AI
ivargrimstad
0
600
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
200
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
900
初めてDefinitelyTypedにPRを出した話
syumai
0
420
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
リアーキテクチャxDDD 1年間の取り組みと進化
hsawaji
1
220
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
Remix on Hono on Cloudflare Workers
yusukebe
1
300
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
EMになってからチームの成果を最大化するために取り組んだこと/ Maximize team performance as EM
nashiusagi
0
100

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
A designer walks into a library…
pauljervisheath
204
24k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Building an army of robots
kneath
302
43k
What's new in Ruby 2.0
geeforr
343
31k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Agile that works and the tools we love
rasmusluckow
327
21k
Thoughts on Productivity
jonyablonski
67
4.3k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Embracing the Ebb and Flow
colly
84
4.5k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430

Transcript

  1. 4QSJOH'FTUTG@KTVH ίΠχʔגࣜձࣾɹ಺ཱྑհʢ!CBJEʣ "NB[PO$PHOJUP࢖ͬͯೝূ͍ͨ͠ʁ ͦΕͳΒ4QSJOH4FDVSJUZ࢖͍·͠ΐ͏ʂ

  2. ࣗݾ঺հ w ໊લ w ಺ཱྑհʢ͏ͪͨͯΓΐ͏͚͢ʣ w झຯ w ༸෰ w

    ύϯ԰८Γ w ॴଐ w ίΠχʔגࣜձࣾ w ++6( w 'BTIJPO$IBSJUZ1SPKFDU w 5XJUUFS w !CBJEQT

  3. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  4. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  5. શମਤ

  6. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  7. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  8. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  9. ొ৔͢ΔओͳϞδϡʔϧ܈ $PSF ೝূͱೝՄػೳ 8FC 8FCΞϓϦͷ ηΩϡϦςΟରࡦ $POpH 9.-ωʔϜεϖʔεɺ +BWB$POpHΛαϙʔτ

  10. ϑϨʔϜϫʔΫͷΞʔΩςΫνϟ

  11. ϑϨʔϜϫʔΫͷΞʔΩςΫνϟ

  12. ओͳ4FDVSJUZ'JMUFS w -PHPVU'JMUFS w ϩάΞ΢τॲཧΛߦ͏ɻ w "OPOZNPVT"VUIFOUJDBUJPO'JMUFS w ಗ໊Ϣʔβೝূͱͯ͠ೝূ͢Δɻ w

    #BTJD"VUIFOUJDBUJPO'JMUFS w #BTJDೝূΛߦ͏ࡍʹ࢖͏ɻ

  13. 4FDVSJUZ'JMUFSͷॱং final class FilterComparator implements Comparator<Filter>, Serializable { private static

    final int INITIAL_ORDER = 100; private static final int ORDER_STEP = 100; private final Map<String, Integer> filterToOrder = new HashMap<>(); FilterComparator() { Step order = new FilterComparator.Step(INITIAL_ORDER, ORDER_STEP); put(ChannelProcessingFilter.class, order.next()); put(ConcurrentSessionFilter.class, order.next()); put(WebAsyncManagerIntegrationFilter.class, order.next()); put(SecurityContextPersistenceFilter.class, order.next()); put(HeaderWriterFilter.class, order.next()); put(CorsFilter.class, order.next()); put(CsrfFilter.class, order.next()); put(LogoutFilter.class, order.next()); // …… 'JMUFS$PNQBSBUPSKBWB

  14. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  15. ೝূ "VUIFOUJDBUJPO w ର৅͕୭ʢԿʣͰ͋Δ͔Λ֬ೝ͢Δ͜ͱɻ w ຊਓೝূʹ༻͍ΒΕΔ৘ใ͸ݻ༗৘ใͰͳ͚ Ε͹ͳΒͳ͍ɻ

  16. ೝূͷཁૉ આ໌ ݻ༗৘ใ ੜମ৘ใ ੜ෺ݻ༗ͷ৘ใɾಛੑ ࢦ໲ɺ੩຺ɺ إɺ੠໲ ஌ࣝ৘ใ ຊਓ͔͠ ஌Βͳ͍৘ใ

    ʢϫϯλΠϜʣύεϫʔυɺ ൿີͷ࣭໰ ॴ࣋৘ใ ຊਓ͔࣋ͬͯ͠ͳ͍ ৘ใ΍෺ *$Χʔυɺ ϋʔυ΢ΣΞτʔΫϯ

  17. ೝূॲཧͷ࢓૊Έ

  18. ೝূॲཧͷ࢓૊Έ

  19. ೝূॲཧͷ࢓૊Έ

  20. ʹΜ͠ΐ͏͠ΐΓͷ͘͠Έ

  21. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  22. ೝՄ "VUIPSJ[BUJPO w ͋Δಛఆͷ৚݅ʹରͯ͠ɺΞΫηεݖݶΛ༩͑ Δ͜ͱɻ

  23. ೝՄॲཧͷ࢓૊Έ

  24. ೝՄॲཧͷ࢓૊Έ

  25. ೝՄॲཧͷ࢓૊Έ

  26. "DDFTT%FDJTJPO7PUFSKBWB w ΞΫηεݖͷ෇༩͢Δ͔Λ౤ථ͢Δɻ w 8FC&YQSFTTJPO7PUFSKBWB͕σϑΥϧτద༻ɻ public interface AccessDecisionVoter<S> { int

    ACCESS_GRANTED = 1; int ACCESS_ABSTAIN = 0; int ACCESS_DENIED = -1; (3"/5&%ɿࢍ੒ "#45"*/ɿغ٫ʢ࣍ͷ7PUFS΁ʣ %&/*&%ɿڋ൱

  27. "DDFTT%FDJTJPO.BOBHFSKBWB w ౤ථ݁Ռ͔Β࠷ऴతͳΞΫηεݖΛ൑அɻ w "DDFTT%FDJTJPO7PUFSΛݺΜͰΞΫηεݖΛ౤ ථͯ͠΋Β͏ɻ ࣮૷Ϋϥε "GpSNBUJWF#BTFEKBWB $POTFOTVT#BTFEKBWB 6OBOJNPVT#BTFEKBWB

  28. "GpSNBUJWF#BTFEKBWB w ෳ਺͋Δ7PUFSͷ͏ͪ̍ͭͰ΋ࢍ੒͢Ε͹ΞΫ ηεڐՄ͢Δɻ

  29. $POTFOTVT#BTFEKBWB w 7PUFSͷࢍ੒ථͱ൓ରථͷଟ͍ํʹै͏ɻ

  30. 6OBOJNPVT#BTFEKBWB w 7PUFSͷ͏ͪͭͰ΋൓ର͢Ε͹ΞΫηεΛڋ ൱͢Δɻ

  31. ʹΜ͔͠ΐΓͷ͘͠Έ ౤ථ݁Ռͷѻ͍ํΛܾΊΔ ౤ථ͢Δ

  32. ͲΜͳͱ͖ʹ7PUFS࣮૷͢Δʁ

  33. ͜Μͳͱ͖ʹ7PUFS࣮૷ͯ͠Έͯ͸ʁ w ࣌͸ಛఆͷ3PMFͷϢʔβ͸ΞΫηεෆՄ w ࡀҎ্͸ΞΫηεෆՄ

  34. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  35. $PHOJUPೝূ࡞Δલͷ͏ͪͨͯͷϨϕϧ w "VUIFOUJDBUJPŐ̋ͱ͔̋̋'JMUFSଟ͘ͳ͍ʁ w Ϋϥε໊΍ͨΒ௕͍ w 4QSJOH4FDVSJUZͬͯෳࡶͳΠϝʔδ w ೝূɾೝՄͬͯͲ͏͍͏ྲྀΕͰߦΘΕΕΔʁ εϓϦϯάηΩϡϦςΟίϫΠ

  36. جຊͷ'03.ೝূ͔Β ݟͯΈΔ͔ʂ

  37. ϩάΠϯϑΥʔϜ

  38. ϑΥʔϜೝূͷྲྀΕ

  39. ࣮૷͢ΔΫϥε w 8FC4FDVSJUZ$POpHKBWB w 4QSJOH4FDVSJUZ༻ͷઃఆ w 6TFS%FUBJMT4FSWJDF*NQMKBWB w 6TFS%FUBJMT4FSWJDFΠϯλʔϑΣʔεͷ࣮૷ɻࢿ֨৘ใͱϢʔβͷঢ়ଶΛ σʔλετΞ͔Βऔಘ

  40. 8FC4FDVSJUZ$POpHKBWB @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private

    final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } }

  41. 8FC4FDVSJUZ$POpHKBWB @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private

    final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } } ୭Ͱ΋ΞΫηεՄ KT  DTT  XFCKBST 45"''ϩʔϧͷΈΞΫηεՄ VTFST ೝূϢʔβͷΈΞΫηεՄ  '03.ೝূͷઃఆ ϩά ΠϯϖʔδɿMPHJO ࢿ֨৘ใ1045ઌɿMPHJO ೝূ੒ޭޙͷϦμΠϨΫτઌɿTVDDFTF ೝূࣦഊޙͷϦμΠϨΫτઌɿMPHJO FSSPSUSVF

  42. 'PSN-PHJO$POpHVSFSKBWB public FormLoginConfigurer() { super(new UsernamePasswordAuthenticationFilter(),null); usernameParameter("username"); passwordParameter("password"); } '03.ϩάΠϯͷઃఆΛߦ͏ɻ

  43. ϩάΠϯϘλϯΛ ԡͨ͠ޙͷྲྀΕ

  44. "VUIFOUJDBUJPO'JMUFSKBWBͰೝূ

  45. 6TFSOBNF1BTTXPSE"VUIFOUJDBUJPO'JMUFSBUUFNQU"VUIFOUJDBUJPO public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException

    { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }

  46. 6TFSOBNF1BTTXPSE"VUIFOUJDBUJPO'JMUFSBUUFNQU"VUIFOUJDBUJPO public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException

    { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }

  47. 1SPWJEFS.BOBHFSKBWBʹҕৡ

  48. 1SPWJEFS.BOBHFSBVUIFOUJDBUF public Authentication authenticate(Authentication authentication) throws AuthenticationException { // ……

    for (AuthenticationProvider provider : getProviders()) { if (!provider.supports(toTest)) { continue; } // …… try { result = provider.authenticate(authentication); if (result != null) { copyDetails(authentication, result); break; } } // ……

  49. ೝূॲཧΛߦ͏

  50. %BP"VUIFOUJDBUJPO1SPWJEFSSFUSJFWF6TFS protected final UserDetails retrieveUser( String username, UsernamePasswordAuthenticationToken authentication) throws

    AuthenticationException { // …… try { UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username); if (loadedUser == null) { // …… } return loadedUser; } // …… } Ϣʔβ৘ใΛऔಘ

  51. 6TFS%FUBJMT4FSWJDF*NQMKBWB @Service @RequiredArgsConstructor public class UserDetailsServiceImpl implements UserDetailsService { private

    final UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username) .orElseThrow( () -> new UsernameNotFoundException("username not found")); return new org.springframework.security.core.userdetails.User( user.getUsername(), user.getPassword(), createAuthorityList("ROLE_" + user.getRole().name())); } } ࢿ֨৘ใͱϢʔβͷঢ়ଶΛσʔλετΞ͔Βऔಘ͢Δ

  52. %BP"VUIFOUJDBUJPO1SPWJEFSBEEJUJPOBM"VUIFOUJDBUJPO$IFDLT protected void additionalAuthenticationChecks( UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException

    { // …… String presentedPassword = authentication.getCredentials().toString(); if (!passwordEncoder.matches( presentedPassword, userDetails.getPassword())) { // …… throw new BadCredentialsException(messages.getMessage( "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } } ύεϫʔυͷൺֱ

  53. ೝূ੒ޭͱࣦഊ

  54. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  55. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  56. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  57. ܦҢ

  58. ܦҢ

  59. ܦҢ $PHOJUPΛ࢖ͬͯΈΔ͔ʂ

  60. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  61. "NB[PO$PHOJUPͱ͸ʁ w 8FC΍ϞόΠϧΞϓϦͷೝূɾೝՄɺϢʔβ ؅ཧΛαϙʔτ w ௚઀͔αʔυύʔςΟΛ௨ͯ͡αΠϯΠϯ w ओͳίϯϙʔωϯτ͸Ϣʔβϓʔϧͱ*%ϓʔϧ w 40$

    1$*%44 *40ͳͲʹ४ڌ ࠓճ͸Ϣʔβϓʔϧͷ࿩ͷΈ

  62. Ϣʔβϓʔϧ w "NB[PO$PHOJUPͷϢʔβσΟϨΫτϦ w 8FC·ͨ͸ϞόΠϧΞϓϦʹϩά ΠϯͰ͖Δ w αΠϯΞοϓ͓ΑͼαΠϯΠϯ w ೝূ੒ޭޙʹϢʔβϓʔϧτʔΫϯ͕ฦΔ

    ϢʔβϓʔϧτʔΫϯ *%τʔΫϯ ΞΫηετʔΫϯ ߋ৽τʔΫϯ

  63. ΞΫηετʔΫϯ w ೝূ͞ΕͨϢʔβʹؔ͢ΔΫϨʔϜؚ͕·Ε ͍ͯΔɻ w +40/8FCτʔΫϯ +85 Ͱ͋Δɻ w ༗ޮظݶ͸࣌ؒ

  64. $PHJOJUP"1*Ͱͷೝূ࣌ͷొ৔ਓ෺ w ೝূλΠϓʢBVUI5ZQFʣ w ηογϣϯʢTFTTJPOʣ w ΞΫηετʔΫϯʢBDDFTT5PLFOʣ w ϦϑϨογϡτʔΫϯʢSFGSTI5PLFOʣ w

    *%τʔΫϯʢJE5PLFOʣ ࠓճ͸࢖Θͳ͍ ࠓճ͸࢖Θͳ͍

  65. αΠϯΞοϓ͔ΒαΠϯΠϯ

  66. αΠϯΞοϓ͔ΒαΠϯΠϯ

  67. αΠϯΞοϓ͔ΒαΠϯΠϯ

  68. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  69. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  70. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  71. *%ɺύεϫʔυೝূ *%ͱύεϫʔυ͕ਖ਼͚͠Ε͹τʔΫϯΛฦ͢ɻ

  72. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  73. ΞΫηετʔΫϯೝূ

  74. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  75. $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSKBWB public class CustomPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object

    getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }

  76. $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSKBWB public class CustomPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object

    getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }

  77. "CTUSBDU1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSEP"VUIFOUJDBUF private void doAuthenticate( HttpServletRequest request, HttpServletResponse response) throws IOException,

    ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); authRequest.setDetails( authenticationDetailsSource.buildDetails(request)); authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } } $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSͰ ΦʔόʔϥΠυ

  78. "CTUSBDU1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSEP"VUIFOUJDBUF private void doAuthenticate( HttpServletRequest request, HttpServletResponse response) throws IOException,

    ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); // …… authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } }

  79. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  80. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  81. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… ΞΫηετʔΫϯͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }

  82. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… ΞΫηετʔΫϯͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); } ΞΫηετʔΫϯͷݕূ +85ͷߏ଄Λ֬ೝ͢Δɻ +85ॺ໊Λݕূ͢Δɻ ΫϨʔϜΛݕূ͢Δɻ

  83. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… JWTͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }

  84. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  85. $VTUPN"VUIFOUJDBUJPO6TFS%FUBJMT4FSWJDFKBWB @Service public class CustomAuthenticationUserDetailsService implements AuthenticationUserDetailsService { private final

    CustomUserDetailsService userDetailsService; // …… @Override public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException { String username = token.getPrincipal().toString(); String accessToken = token.getCredentials().toString(); return Optional.ofNullable( userDetailsService.loadUserByUsername(username)) .map(u -> new CustomUserDetails( ((CustomUserDetails) u).getUser(), accessToken)) .orElseThrow(() -> new UsernameNotFoundException("user not found")); } }

  86. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  87. ঺հ͢Δςετ w '03.ೝূͷςετ w 30-&Ͱύεͷ੍ݶ͕Ͱ͖ͯΔ͔ͷςετ

  88. ґଘؔ܎Λ௥Ճ <dependencies> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency> </dependencies> testCompile “org.springframework.security:spring-

    security-test:5.1.1.RELEASE”

  89. 4FDVSJUZ'JMUFSΛ௥Ճ @BeforeEach void beforeEach() { mockMvc = MockMvcBuilders .webAppContextSetup(context) .apply(springSecurity())

    .build(); } 4FDVSJUZ.PDL.WD$POpHVSFSTTQSJOH4FDVSJUZ

  90. '03.ೝূͷςετ @Test void loginSuccess() throws Exception { MvcResult result =

    mockMvc .perform(formLogin() .user("ruchitate").password("password")) .andReturn(); Assertions.assertThat(result.getResponse()) .extracting( MockHttpServletResponse::getStatus, MockHttpServletResponse::getRedirectedUrl) .containsExactly(302, "/success"); } 4FDVSJUZ.PDL.WD3FRVFTU#VJEFSTGPSN-PHJO ϩά ΠϯϢʔβ Λઃఆ

  91. 30-&Ͱύε੍ݶͰ͖ͯΔ͔ͷςετ @Test void useWith200() throws Exception { MvcResult result =

    mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("STAFF"))) .andExpect(status().isOk()) .andReturn(); assertEquals( "{\"name\":\"಺ཱ ྑհ\",\"username\":\"ruchitate\", \"createdAt\":\"2018-10-01T00:00:00\",\"lastSignInAt\":null}", result.getResponse().getContentAsString()); }

  92. 30-&Ͱύε੍ݶͰ͖ͯΔ͔ͷςετ @Test void useWith403ForAdmin() throws Exception { mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("ADMIN")))

    .andExpect(status().isForbidden()) .andReturn(); }

  93. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ ͓·͚ʢϝιουηΩϡϦςΟʣ

  94. ͭͷΞ ϊςʔγϣϯ w !1SF"VUIPSJ[F w !1PTU"VUIPSJ[F w !1SF'JMUFS w !1PTU'JMUFS

  95. !1SF"VUIPSJ[F @PreAuthorize("hasRole('ADMIN')") public List<User> list() { return userRepository.findAll(); } @PreAuthorize("#role

    == 'ADMIN'") public List<User> list(String role) { return userRepository.findAll(); } @PreAuthorize("#r.name == 'ruchitate'") public List<User> list(@P("r") UserRequest request) { return userRepository.findAll(); } ϝιουʹೖΔલʹνΣοΫॲཧΛߦ͏ɻ GBMTFͷͱ͖ɺ"DDFTT%FOJFE&YDFQUJPOΛεϩʔ

  96. !1PTU"VUIPSJ[F @PostAuthorize("returnObject != null && returnObject.username == 'ruchitate'") public User

    get(Integer id) { return userRepository.findById(id).orElse(null); } ϝιου௨աޙʹ໭Γ஋ʹରͯ͠νΣοΫॲཧΛߦ͏ɻ GBMTFͷͱ͖ɺ"DDFTT%FOJFE&YDFQUJPOΛεϩʔ

  97. !1SF'JMUFS @PreFilter("filterObject.name.equals('ruchitate')") public List<User> list(List<UserRequest> requests) { List<String> usernameList =

    requests.stream() .map(UserRequest::getName) .collect(Collectors.toList()); return userRepository .findAllByUsernameIn(usernameList); } ϝιουʹೖΔલʹҾ਺ͷதͰ৚݅ʹҰக͢ΔΦϒδΣ ΫτͷΈநग़ɻ

  98. !1PTU'JMUFS @PostFilter("filterObject.username == 'ruchitate'") public List<User> list() { return userRepository.findAll();

    } ৚݅ʹҰக͢ΔΦϒδΣΫτͷΈ໭Γ஋͔Βநग़ɻ

  99. ·ͱΊ w ೝূɾೝՄͷྲྀΕΛཧղ͢Δʹ͸ެࣜϦϑΝ Ϩϯε w ͍࣮͟૷͠Α͏ͱͳΔͱࣅͨΑ͏ͳ'JMUFS΍ "VUIFOUJDBUJPO1SPWJEFSͷ࣮૷ΛݟΔ͔͠ w 4QSJOH4FDVSJUZ͓΋͠Ζ͍

  100. ͓ΘΓ

  101. ࢀߟ w IUUQTEFWDMBTTNFUIPEKQTFDVSJUZ BVUIFOUJDBUJPOBOEBVUIPSJ[BUJPO w IUUQXXXBUNBSLJUDPKQBJUBSUJDMFT OFXTIUNM

  102. ιʔείʔυ w IUUQTHJUIVCDPNCBJETQSJOHTFDVSJUZ XJUIDPHOJUP