jpablog : password encryption

jpablog/src/main/java/com/example/jpablog/config/SecurityConfig.java

@@ -1,22 +1,30 @@
 package com.example.jpablog.config;
 
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 
 @Configuration // bean 등록
 @EnableWebSecurity // 시큐리티 필터 등록
 @EnableGlobalMethodSecurity(prePostEnabled = true) // 특정 주소 접근시 먼저 권한 및 인증 체크
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
+    @Bean
+    public BCryptPasswordEncoder encodePWD() {
+        return new BCryptPasswordEncoder();
+    }
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http
+                .csrf().disable() // csrf 토큰 비활성화
                 .authorizeRequests()
-                .antMatchers("/auth/**").permitAll()
+                .antMatchers("/", "/auth/**", "/js/**", "/css/**", "/images/**").permitAll()
                 .anyRequest().authenticated()
                 .and().formLogin().loginPage("/auth/loginForm");
     }

jpablog/src/main/java/com/example/jpablog/controller/api/UserApiController.java

@@ -6,6 +6,7 @@ import com.example.jpablog.model.User;
 import com.example.jpablog.service.UserService;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -21,7 +22,6 @@ public class UserApiController {
 
     @PostMapping("/auth/joinProc")
     public ResponseDto<Integer> save(@RequestBody User user) {
-        user.setRole(RoleType.USER);
         int result = userService.회원가입(user);
         return new ResponseDto<>(result, HttpStatus.OK.value());
     }

jpablog/src/main/java/com/example/jpablog/service/UserService.java

@@ -1,8 +1,10 @@
 package com.example.jpablog.service;
 
+import com.example.jpablog.model.RoleType;
 import com.example.jpablog.model.User;
 import com.example.jpablog.repository.UserRepository;
 import lombok.RequiredArgsConstructor;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -14,9 +16,13 @@ import java.util.Optional;
 public class UserService {
 
     private final UserRepository userRepository;
+    private final BCryptPasswordEncoder encoder;
 
     @Transactional
     public int 회원가입(User user) {
+        String encPassword = encoder.encode(user.getPassword());
+        user.setPassword(encPassword);
+        user.setRole(RoleType.USER);
         userRepository.save(user);
         return 1;
     }

jpablog/src/main/resources/application.yml

@@ -22,7 +22,7 @@ spring:
   jpa:
     open-in-view: true
     hibernate:
-      ddl-auto: update
+      ddl-auto: create
 #      naming:
 #        physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
       use-new-id-generator-mappings: false