OAuth2 를 이용하여 회원 서비스 보호

member-service/pom.xml

@@ -47,6 +47,18 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
         </dependency>
+        <!--<dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-security</artifactId>
+        </dependency>-->
+        <dependency>
+            <groupId>org.springframework.security.oauth.boot</groupId>
+            <artifactId>spring-security-oauth2-autoconfigure</artifactId>
+        </dependency>
+        <!--<dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-client</artifactId>
+        </dependency>-->
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>

member-service/src/main/java/com/assu/cloud/memberservice/MemberServiceApplication.java

@@ -6,6 +6,7 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.cloud.client.loadbalancer.LoadBalanced;
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
 import org.springframework.web.client.RestTemplate;
 
 import java.util.Collections;
@@ -13,6 +14,7 @@ import java.util.List;
 
 @SpringBootApplication
 @EnableEurekaClient
+@EnableResourceServer       // 보호 자원으로 설정
 public class MemberServiceApplication {
     public static void main(String[] args) {
         SpringApplication.run(MemberServiceApplication.class, args);

member-service/src/main/java/com/assu/cloud/memberservice/controller/MemberController.java

@@ -2,10 +2,8 @@ package com.assu.cloud.memberservice.controller;
 
 import com.assu.cloud.memberservice.client.EventRestTemplateClient;
 import com.assu.cloud.memberservice.config.CustomConfig;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.ServletRequest;
 
@@ -33,4 +31,13 @@ public class MemberController {
     public String gift(ServletRequest req, @PathVariable("name") String name) {
         return "[MEMBER] " + eventRestTemplateClient.gift(name) + " / port is " + req.getServerPort();
     }
+
+    /**
+     * ADMIN 권한 소유자만 PUT METHOD API 호출 가능하도록 설정 후 테스트
+     */
+    @PutMapping("{name}")
+    //@ResponseStatus(HttpStatus.NO_CONTENT)
+    public String member(@PathVariable("name") String name) {
+        return "[MEMBER-DELETE] " + name + " is deleted.";
+    }
 }

member-service/src/main/java/com/assu/cloud/memberservice/security/ResourceServerConfig.java

@@ -0,0 +1,33 @@
+package com.assu.cloud.memberservice.security;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
+
+/**
+ * 접근 제어 규칙 정의
+ *      인증된 사용자는 모든 서비스에 접근 가능하거나,
+ *      특정 역할을 가진 애플리케이션만 PUT URL 로 접근하는 등 세밀하기 정의 가능
+ */
+@Configuration
+public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
+    /**
+     * 모든 접근 규칙을 재정의한 configure()
+     * @param http
+     * @throws Exception
+     */
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        // 매서드로 전달된 HttpSecurity 객체로 모든 접근 규칙 구성
+
+        // 회원 서비스의 모든 URL 에 대해 인증된 사용자만 접근하도록 제한
+        //http.authorizeRequests().anyRequest().authenticated();
+
+        http.authorizeRequests()
+                .antMatchers(HttpMethod.PUT, "/member/**")  // 쉼표로 구분하여 엔드 포인트 목록 받음
+                .hasRole("ADMIN")   // ADMIN 권한을 가진 사용자만 PUT 호출 가능
+                .anyRequest()       // 서비스의 모든 엔드포인트도 인증된 사용자만 접근 가능하도록 설정
+                .authenticated();
+    }
+}