Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Amazon Cognito使って認証したい?それならSpring Security使いましょう!

Ryosuke Uchitate
October 31, 2018
Programming
0
1.5k

Amazon Cognito使って認証したい?それならSpring Security使いましょう!

Spring Fest 2018 #sf_23 #jsug

Ryosuke Uchitate

October 31, 2018
Tweet

More Decks by Ryosuke Uchitate

See All by Ryosuke Uchitate
決済サービスのSpring Bootのバージョンを2系に上げた話
b1a9id
0
140
Form認証で学ぶSpring Security入門
b1a9id
0
260
パラレルキャリアがもたらす相乗効果
b1a9id
1
1.2k
ユニットテストのアサーション 流れるようなインターフェースのAssertJを添えて 入門者仕立て
b1a9id
1
110
Spring超入門-Springと出会ってから1年半-
b1a9id
1
72
Spring starterによるSpring Boot Starter
b1a9id
1
69

Other Decks in Programming

See All in Programming
Vitest Browser Mode への期待 / Vitest Browser Mode
odanado
PRO
2
1.7k
役立つログに取り組もう
irof
27
8.7k
Amazon Neptuneで始めてみるグラフDB -OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
330
Hotwire or React? ~Reactの録画機能をHotwireに置き換えて得られた知見~ / hotwire_or_react
harunatsujita
9
4.1k
Nuxtベースの「WXT」でChrome拡張を作成する | Vue Fes 2024 ランチセッション
moshi1121
1
530
Vaporモードを大規模サービスに最速導入して学びを共有する
kazukishimamoto
4
4.3k
色々なIaCツールを実際に触って比較してみる
iriikeita
0
280
PLoP 2024: The evolution of the microservice architecture pattern language
cer
PRO
0
1.7k
WEBエンジニア向けAI活用入門
sutetotanuki
0
300
[PyCon Korea 2024 Keynote] 커뮤니티와 파이썬, 그리고 우리
beomi
0
110
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
440
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
170

Featured

See All Featured
Producing Creativity
orderedlist
PRO
341
39k
GitHub's CSS Performance
jonrohan
1030
460k
Code Reviewing Like a Champion
maltzj
519
39k
We Have a Design System, Now What?
morganepeng
50
7.2k
YesSQL, Process and Tooling at Scale
rocio
167
14k
BBQ
matthewcrist
85
9.3k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
41
2.1k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Become a Pro
speakerdeck
PRO
24
5k
How STYLIGHT went responsive
nonsquared
95
5.2k
It's Worth the Effort
3n
183
27k

Transcript

  1. 4QSJOH'FTUTG@KTVH ίΠχʔגࣜձࣾɹ಺ཱྑհʢ!CBJEʣ "NB[PO$PHOJUP࢖ͬͯೝূ͍ͨ͠ʁ ͦΕͳΒ4QSJOH4FDVSJUZ࢖͍·͠ΐ͏ʂ

  2. ࣗݾ঺հ w ໊લ w ಺ཱྑհʢ͏ͪͨͯΓΐ͏͚͢ʣ w झຯ w ༸෰ w

    ύϯ԰८Γ w ॴଐ w ίΠχʔגࣜձࣾ w ++6( w 'BTIJPO$IBSJUZ1SPKFDU w 5XJUUFS w !CBJEQT

  3. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  4. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  5. શମਤ

  6. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  7. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  8. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  9. ొ৔͢ΔओͳϞδϡʔϧ܈ $PSF ೝূͱೝՄػೳ 8FC 8FCΞϓϦͷ ηΩϡϦςΟରࡦ $POpH 9.-ωʔϜεϖʔεɺ +BWB$POpHΛαϙʔτ

  10. ϑϨʔϜϫʔΫͷΞʔΩςΫνϟ

  11. ϑϨʔϜϫʔΫͷΞʔΩςΫνϟ

  12. ओͳ4FDVSJUZ'JMUFS w -PHPVU'JMUFS w ϩάΞ΢τॲཧΛߦ͏ɻ w "OPOZNPVT"VUIFOUJDBUJPO'JMUFS w ಗ໊Ϣʔβೝূͱͯ͠ೝূ͢Δɻ w

    #BTJD"VUIFOUJDBUJPO'JMUFS w #BTJDೝূΛߦ͏ࡍʹ࢖͏ɻ

  13. 4FDVSJUZ'JMUFSͷॱং final class FilterComparator implements Comparator<Filter>, Serializable { private static

    final int INITIAL_ORDER = 100; private static final int ORDER_STEP = 100; private final Map<String, Integer> filterToOrder = new HashMap<>(); FilterComparator() { Step order = new FilterComparator.Step(INITIAL_ORDER, ORDER_STEP); put(ChannelProcessingFilter.class, order.next()); put(ConcurrentSessionFilter.class, order.next()); put(WebAsyncManagerIntegrationFilter.class, order.next()); put(SecurityContextPersistenceFilter.class, order.next()); put(HeaderWriterFilter.class, order.next()); put(CorsFilter.class, order.next()); put(CsrfFilter.class, order.next()); put(LogoutFilter.class, order.next()); // …… 'JMUFS$PNQBSBUPSKBWB

  14. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  15. ೝূ "VUIFOUJDBUJPO w ର৅͕୭ʢԿʣͰ͋Δ͔Λ֬ೝ͢Δ͜ͱɻ w ຊਓೝূʹ༻͍ΒΕΔ৘ใ͸ݻ༗৘ใͰͳ͚ Ε͹ͳΒͳ͍ɻ

  16. ೝূͷཁૉ આ໌ ݻ༗৘ใ ੜମ৘ใ ੜ෺ݻ༗ͷ৘ใɾಛੑ ࢦ໲ɺ੩຺ɺ إɺ੠໲ ஌ࣝ৘ใ ຊਓ͔͠ ஌Βͳ͍৘ใ

    ʢϫϯλΠϜʣύεϫʔυɺ ൿີͷ࣭໰ ॴ࣋৘ใ ຊਓ͔࣋ͬͯ͠ͳ͍ ৘ใ΍෺ *$Χʔυɺ ϋʔυ΢ΣΞτʔΫϯ

  17. ೝূॲཧͷ࢓૊Έ

  18. ೝূॲཧͷ࢓૊Έ

  19. ೝূॲཧͷ࢓૊Έ

  20. ʹΜ͠ΐ͏͠ΐΓͷ͘͠Έ

  21. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  22. ೝՄ "VUIPSJ[BUJPO w ͋Δಛఆͷ৚݅ʹରͯ͠ɺΞΫηεݖݶΛ༩͑ Δ͜ͱɻ

  23. ೝՄॲཧͷ࢓૊Έ

  24. ೝՄॲཧͷ࢓૊Έ

  25. ೝՄॲཧͷ࢓૊Έ

  26. "DDFTT%FDJTJPO7PUFSKBWB w ΞΫηεݖͷ෇༩͢Δ͔Λ౤ථ͢Δɻ w 8FC&YQSFTTJPO7PUFSKBWB͕σϑΥϧτద༻ɻ public interface AccessDecisionVoter<S> { int

    ACCESS_GRANTED = 1; int ACCESS_ABSTAIN = 0; int ACCESS_DENIED = -1; (3"/5&%ɿࢍ੒ "#45"*/ɿغ٫ʢ࣍ͷ7PUFS΁ʣ %&/*&%ɿڋ൱

  27. "DDFTT%FDJTJPO.BOBHFSKBWB w ౤ථ݁Ռ͔Β࠷ऴతͳΞΫηεݖΛ൑அɻ w "DDFTT%FDJTJPO7PUFSΛݺΜͰΞΫηεݖΛ౤ ථͯ͠΋Β͏ɻ ࣮૷Ϋϥε "GpSNBUJWF#BTFEKBWB $POTFOTVT#BTFEKBWB 6OBOJNPVT#BTFEKBWB

  28. "GpSNBUJWF#BTFEKBWB w ෳ਺͋Δ7PUFSͷ͏ͪ̍ͭͰ΋ࢍ੒͢Ε͹ΞΫ ηεڐՄ͢Δɻ

  29. $POTFOTVT#BTFEKBWB w 7PUFSͷࢍ੒ථͱ൓ରථͷଟ͍ํʹै͏ɻ

  30. 6OBOJNPVT#BTFEKBWB w 7PUFSͷ͏ͪͭͰ΋൓ର͢Ε͹ΞΫηεΛڋ ൱͢Δɻ

  31. ʹΜ͔͠ΐΓͷ͘͠Έ ౤ථ݁Ռͷѻ͍ํΛܾΊΔ ౤ථ͢Δ

  32. ͲΜͳͱ͖ʹ7PUFS࣮૷͢Δʁ

  33. ͜Μͳͱ͖ʹ7PUFS࣮૷ͯ͠Έͯ͸ʁ w ࣌͸ಛఆͷ3PMFͷϢʔβ͸ΞΫηεෆՄ w ࡀҎ্͸ΞΫηεෆՄ

  34. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  35. $PHOJUPೝূ࡞Δલͷ͏ͪͨͯͷϨϕϧ w "VUIFOUJDBUJPŐ̋ͱ͔̋̋'JMUFSଟ͘ͳ͍ʁ w Ϋϥε໊΍ͨΒ௕͍ w 4QSJOH4FDVSJUZͬͯෳࡶͳΠϝʔδ w ೝূɾೝՄͬͯͲ͏͍͏ྲྀΕͰߦΘΕΕΔʁ εϓϦϯάηΩϡϦςΟίϫΠ

  36. جຊͷ'03.ೝূ͔Β ݟͯΈΔ͔ʂ

  37. ϩάΠϯϑΥʔϜ

  38. ϑΥʔϜೝূͷྲྀΕ

  39. ࣮૷͢ΔΫϥε w 8FC4FDVSJUZ$POpHKBWB w 4QSJOH4FDVSJUZ༻ͷઃఆ w 6TFS%FUBJMT4FSWJDF*NQMKBWB w 6TFS%FUBJMT4FSWJDFΠϯλʔϑΣʔεͷ࣮૷ɻࢿ֨৘ใͱϢʔβͷঢ়ଶΛ σʔλετΞ͔Βऔಘ

  40. 8FC4FDVSJUZ$POpHKBWB @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private

    final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } }

  41. 8FC4FDVSJUZ$POpHKBWB @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private

    final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } } ୭Ͱ΋ΞΫηεՄ KT  DTT  XFCKBST 45"''ϩʔϧͷΈΞΫηεՄ VTFST ೝূϢʔβͷΈΞΫηεՄ  '03.ೝূͷઃఆ ϩά ΠϯϖʔδɿMPHJO ࢿ֨৘ใ1045ઌɿMPHJO ೝূ੒ޭޙͷϦμΠϨΫτઌɿTVDDFTF ೝূࣦഊޙͷϦμΠϨΫτઌɿMPHJO FSSPSUSVF

  42. 'PSN-PHJO$POpHVSFSKBWB public FormLoginConfigurer() { super(new UsernamePasswordAuthenticationFilter(),null); usernameParameter("username"); passwordParameter("password"); } '03.ϩάΠϯͷઃఆΛߦ͏ɻ

  43. ϩάΠϯϘλϯΛ ԡͨ͠ޙͷྲྀΕ

  44. "VUIFOUJDBUJPO'JMUFSKBWBͰೝূ

  45. 6TFSOBNF1BTTXPSE"VUIFOUJDBUJPO'JMUFSBUUFNQU"VUIFOUJDBUJPO public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException

    { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }

  46. 6TFSOBNF1BTTXPSE"VUIFOUJDBUJPO'JMUFSBUUFNQU"VUIFOUJDBUJPO public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException

    { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }

  47. 1SPWJEFS.BOBHFSKBWBʹҕৡ

  48. 1SPWJEFS.BOBHFSBVUIFOUJDBUF public Authentication authenticate(Authentication authentication) throws AuthenticationException { // ……

    for (AuthenticationProvider provider : getProviders()) { if (!provider.supports(toTest)) { continue; } // …… try { result = provider.authenticate(authentication); if (result != null) { copyDetails(authentication, result); break; } } // ……

  49. ೝূॲཧΛߦ͏

  50. %BP"VUIFOUJDBUJPO1SPWJEFSSFUSJFWF6TFS protected final UserDetails retrieveUser( String username, UsernamePasswordAuthenticationToken authentication) throws

    AuthenticationException { // …… try { UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username); if (loadedUser == null) { // …… } return loadedUser; } // …… } Ϣʔβ৘ใΛऔಘ

  51. 6TFS%FUBJMT4FSWJDF*NQMKBWB @Service @RequiredArgsConstructor public class UserDetailsServiceImpl implements UserDetailsService { private

    final UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username) .orElseThrow( () -> new UsernameNotFoundException("username not found")); return new org.springframework.security.core.userdetails.User( user.getUsername(), user.getPassword(), createAuthorityList("ROLE_" + user.getRole().name())); } } ࢿ֨৘ใͱϢʔβͷঢ়ଶΛσʔλετΞ͔Βऔಘ͢Δ

  52. %BP"VUIFOUJDBUJPO1SPWJEFSBEEJUJPOBM"VUIFOUJDBUJPO$IFDLT protected void additionalAuthenticationChecks( UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException

    { // …… String presentedPassword = authentication.getCredentials().toString(); if (!passwordEncoder.matches( presentedPassword, userDetails.getPassword())) { // …… throw new BadCredentialsException(messages.getMessage( "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } } ύεϫʔυͷൺֱ

  53. ೝূ੒ޭͱࣦഊ

  54. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  55. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  56. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  57. ܦҢ

  58. ܦҢ

  59. ܦҢ $PHOJUPΛ࢖ͬͯΈΔ͔ʂ

  60. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  61. "NB[PO$PHOJUPͱ͸ʁ w 8FC΍ϞόΠϧΞϓϦͷೝূɾೝՄɺϢʔβ ؅ཧΛαϙʔτ w ௚઀͔αʔυύʔςΟΛ௨ͯ͡αΠϯΠϯ w ओͳίϯϙʔωϯτ͸Ϣʔβϓʔϧͱ*%ϓʔϧ w 40$

    1$*%44 *40ͳͲʹ४ڌ ࠓճ͸Ϣʔβϓʔϧͷ࿩ͷΈ

  62. Ϣʔβϓʔϧ w "NB[PO$PHOJUPͷϢʔβσΟϨΫτϦ w 8FC·ͨ͸ϞόΠϧΞϓϦʹϩά ΠϯͰ͖Δ w αΠϯΞοϓ͓ΑͼαΠϯΠϯ w ೝূ੒ޭޙʹϢʔβϓʔϧτʔΫϯ͕ฦΔ

    ϢʔβϓʔϧτʔΫϯ *%τʔΫϯ ΞΫηετʔΫϯ ߋ৽τʔΫϯ

  63. ΞΫηετʔΫϯ w ೝূ͞ΕͨϢʔβʹؔ͢ΔΫϨʔϜؚ͕·Ε ͍ͯΔɻ w +40/8FCτʔΫϯ +85 Ͱ͋Δɻ w ༗ޮظݶ͸࣌ؒ

  64. $PHJOJUP"1*Ͱͷೝূ࣌ͷొ৔ਓ෺ w ೝূλΠϓʢBVUI5ZQFʣ w ηογϣϯʢTFTTJPOʣ w ΞΫηετʔΫϯʢBDDFTT5PLFOʣ w ϦϑϨογϡτʔΫϯʢSFGSTI5PLFOʣ w

    *%τʔΫϯʢJE5PLFOʣ ࠓճ͸࢖Θͳ͍ ࠓճ͸࢖Θͳ͍

  65. αΠϯΞοϓ͔ΒαΠϯΠϯ

  66. αΠϯΞοϓ͔ΒαΠϯΠϯ

  67. αΠϯΞοϓ͔ΒαΠϯΠϯ

  68. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  69. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  70. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  71. *%ɺύεϫʔυೝূ *%ͱύεϫʔυ͕ਖ਼͚͠Ε͹τʔΫϯΛฦ͢ɻ

  72. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  73. ΞΫηετʔΫϯೝূ

  74. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  75. $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSKBWB public class CustomPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object

    getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }

  76. $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSKBWB public class CustomPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object

    getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }

  77. "CTUSBDU1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSEP"VUIFOUJDBUF private void doAuthenticate( HttpServletRequest request, HttpServletResponse response) throws IOException,

    ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); authRequest.setDetails( authenticationDetailsSource.buildDetails(request)); authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } } $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSͰ ΦʔόʔϥΠυ

  78. "CTUSBDU1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSEP"VUIFOUJDBUF private void doAuthenticate( HttpServletRequest request, HttpServletResponse response) throws IOException,

    ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); // …… authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } }

  79. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  80. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  81. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… ΞΫηετʔΫϯͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }

  82. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… ΞΫηετʔΫϯͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); } ΞΫηετʔΫϯͷݕূ +85ͷߏ଄Λ֬ೝ͢Δɻ +85ॺ໊Λݕূ͢Δɻ ΫϨʔϜΛݕূ͢Δɻ

  83. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… JWTͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }

  84. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  85. $VTUPN"VUIFOUJDBUJPO6TFS%FUBJMT4FSWJDFKBWB @Service public class CustomAuthenticationUserDetailsService implements AuthenticationUserDetailsService { private final

    CustomUserDetailsService userDetailsService; // …… @Override public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException { String username = token.getPrincipal().toString(); String accessToken = token.getCredentials().toString(); return Optional.ofNullable( userDetailsService.loadUserByUsername(username)) .map(u -> new CustomUserDetails( ((CustomUserDetails) u).getUser(), accessToken)) .orElseThrow(() -> new UsernameNotFoundException("user not found")); } }

  86. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  87. ঺հ͢Δςετ w '03.ೝূͷςετ w 30-&Ͱύεͷ੍ݶ͕Ͱ͖ͯΔ͔ͷςετ

  88. ґଘؔ܎Λ௥Ճ <dependencies> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency> </dependencies> testCompile “org.springframework.security:spring-

    security-test:5.1.1.RELEASE”

  89. 4FDVSJUZ'JMUFSΛ௥Ճ @BeforeEach void beforeEach() { mockMvc = MockMvcBuilders .webAppContextSetup(context) .apply(springSecurity())

    .build(); } 4FDVSJUZ.PDL.WD$POpHVSFSTTQSJOH4FDVSJUZ

  90. '03.ೝূͷςετ @Test void loginSuccess() throws Exception { MvcResult result =

    mockMvc .perform(formLogin() .user("ruchitate").password("password")) .andReturn(); Assertions.assertThat(result.getResponse()) .extracting( MockHttpServletResponse::getStatus, MockHttpServletResponse::getRedirectedUrl) .containsExactly(302, "/success"); } 4FDVSJUZ.PDL.WD3FRVFTU#VJEFSTGPSN-PHJO ϩά ΠϯϢʔβ Λઃఆ

  91. 30-&Ͱύε੍ݶͰ͖ͯΔ͔ͷςετ @Test void useWith200() throws Exception { MvcResult result =

    mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("STAFF"))) .andExpect(status().isOk()) .andReturn(); assertEquals( "{\"name\":\"಺ཱ ྑհ\",\"username\":\"ruchitate\", \"createdAt\":\"2018-10-01T00:00:00\",\"lastSignInAt\":null}", result.getResponse().getContentAsString()); }

  92. 30-&Ͱύε੍ݶͰ͖ͯΔ͔ͷςετ @Test void useWith403ForAdmin() throws Exception { mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("ADMIN")))

    .andExpect(status().isForbidden()) .andReturn(); }

  93. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ ͓·͚ʢϝιουηΩϡϦςΟʣ

  94. ͭͷΞ ϊςʔγϣϯ w !1SF"VUIPSJ[F w !1PTU"VUIPSJ[F w !1SF'JMUFS w !1PTU'JMUFS

  95. !1SF"VUIPSJ[F @PreAuthorize("hasRole('ADMIN')") public List<User> list() { return userRepository.findAll(); } @PreAuthorize("#role

    == 'ADMIN'") public List<User> list(String role) { return userRepository.findAll(); } @PreAuthorize("#r.name == 'ruchitate'") public List<User> list(@P("r") UserRequest request) { return userRepository.findAll(); } ϝιουʹೖΔલʹνΣοΫॲཧΛߦ͏ɻ GBMTFͷͱ͖ɺ"DDFTT%FOJFE&YDFQUJPOΛεϩʔ

  96. !1PTU"VUIPSJ[F @PostAuthorize("returnObject != null && returnObject.username == 'ruchitate'") public User

    get(Integer id) { return userRepository.findById(id).orElse(null); } ϝιου௨աޙʹ໭Γ஋ʹରͯ͠νΣοΫॲཧΛߦ͏ɻ GBMTFͷͱ͖ɺ"DDFTT%FOJFE&YDFQUJPOΛεϩʔ

  97. !1SF'JMUFS @PreFilter("filterObject.name.equals('ruchitate')") public List<User> list(List<UserRequest> requests) { List<String> usernameList =

    requests.stream() .map(UserRequest::getName) .collect(Collectors.toList()); return userRepository .findAllByUsernameIn(usernameList); } ϝιουʹೖΔલʹҾ਺ͷதͰ৚݅ʹҰக͢ΔΦϒδΣ ΫτͷΈநग़ɻ

  98. !1PTU'JMUFS @PostFilter("filterObject.username == 'ruchitate'") public List<User> list() { return userRepository.findAll();

    } ৚݅ʹҰக͢ΔΦϒδΣΫτͷΈ໭Γ஋͔Βநग़ɻ

  99. ·ͱΊ w ೝূɾೝՄͷྲྀΕΛཧղ͢Δʹ͸ެࣜϦϑΝ Ϩϯε w ͍࣮͟૷͠Α͏ͱͳΔͱࣅͨΑ͏ͳ'JMUFS΍ "VUIFOUJDBUJPO1SPWJEFSͷ࣮૷ΛݟΔ͔͠ w 4QSJOH4FDVSJUZ͓΋͠Ζ͍

  100. ͓ΘΓ

  101. ࢀߟ w IUUQTEFWDMBTTNFUIPEKQTFDVSJUZ BVUIFOUJDBUJPOBOEBVUIPSJ[BUJPO w IUUQXXXBUNBSLJUDPKQBJUBSUJDMFT OFXTIUNM

  102. ιʔείʔυ w IUUQTHJUIVCDPNCBJETQSJOHTFDVSJUZ XJUIDPHOJUP