Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Amazon Cognito使って認証したい?それならSpring Security使いましょう!

Ryosuke Uchitate
October 31, 2018
Programming
0
1.3k

Amazon Cognito使って認証したい?それならSpring Security使いましょう!

Spring Fest 2018 #sf_23 #jsug

Ryosuke Uchitate

October 31, 2018
Tweet

More Decks by Ryosuke Uchitate

See All by Ryosuke Uchitate
決済サービスのSpring Bootのバージョンを2系に上げた話
b1a9id
0
120
Form認証で学ぶSpring Security入門
b1a9id
0
210
パラレルキャリアがもたらす相乗効果
b1a9id
1
1.1k
ユニットテストのアサーション 流れるようなインターフェースのAssertJを添えて 入門者仕立て
b1a9id
1
84
Spring超入門-Springと出会ってから1年半-
b1a9id
1
63
Spring starterによるSpring Boot Starter
b1a9id
1
65

Other Decks in Programming

See All in Programming
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
Changed Rules: Architectures with Lightweight Stores
manfredsteyer
PRO
0
240
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
120
PostmanでAPIの動作確認が楽になった話
h455h1
0
160
ゆるい個人開発のススメ
kuroppe1819
10
980
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
290
VS Code をプロダクトにどう取り込むか
onomax
1
350
Ruby GitHub Packages
bkuhlmann
0
630
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
PHPはいつから死んでいるかの調査
chiroruxx
1
380
Ruby Pattern Matching
bkuhlmann
0
920
Rethinking UI building strategies @ SFI 2024
letelete
0
270

Featured

See All Featured
How to Ace a Technical Interview
jacobian
272
22k
Why Our Code Smells
bkeepers
PRO
331
56k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Building Flexible Design Systems
yeseniaperezcruz
319
37k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
Automating Front-end Workflow
addyosmani
1356
200k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Practical Orchestrator
shlominoach
182
9.7k
Building Applications with DynamoDB
mza
88
5.6k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
Building Effective Engineering Teams - LeadDev
addyosmani
28
1.8k

Transcript

  1. 4QSJOH'FTUTG@KTVH ίΠχʔגࣜձࣾɹ಺ཱྑհʢ!CBJEʣ "NB[PO$PHOJUP࢖ͬͯೝূ͍ͨ͠ʁ ͦΕͳΒ4QSJOH4FDVSJUZ࢖͍·͠ΐ͏ʂ

  2. ࣗݾ঺հ w ໊લ w ಺ཱྑհʢ͏ͪͨͯΓΐ͏͚͢ʣ w झຯ w ༸෰ w

    ύϯ԰८Γ w ॴଐ w ίΠχʔגࣜձࣾ w ++6( w 'BTIJPO$IBSJUZ1SPKFDU w 5XJUUFS w !CBJEQT

  3. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  4. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  5. શମਤ

  6. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  7. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  8. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  9. ొ৔͢ΔओͳϞδϡʔϧ܈ $PSF ೝূͱೝՄػೳ 8FC 8FCΞϓϦͷ ηΩϡϦςΟରࡦ $POpH 9.-ωʔϜεϖʔεɺ +BWB$POpHΛαϙʔτ

  10. ϑϨʔϜϫʔΫͷΞʔΩςΫνϟ

  11. ϑϨʔϜϫʔΫͷΞʔΩςΫνϟ

  12. ओͳ4FDVSJUZ'JMUFS w -PHPVU'JMUFS w ϩάΞ΢τॲཧΛߦ͏ɻ w "OPOZNPVT"VUIFOUJDBUJPO'JMUFS w ಗ໊Ϣʔβೝূͱͯ͠ೝূ͢Δɻ w

    #BTJD"VUIFOUJDBUJPO'JMUFS w #BTJDೝূΛߦ͏ࡍʹ࢖͏ɻ

  13. 4FDVSJUZ'JMUFSͷॱং final class FilterComparator implements Comparator<Filter>, Serializable { private static

    final int INITIAL_ORDER = 100; private static final int ORDER_STEP = 100; private final Map<String, Integer> filterToOrder = new HashMap<>(); FilterComparator() { Step order = new FilterComparator.Step(INITIAL_ORDER, ORDER_STEP); put(ChannelProcessingFilter.class, order.next()); put(ConcurrentSessionFilter.class, order.next()); put(WebAsyncManagerIntegrationFilter.class, order.next()); put(SecurityContextPersistenceFilter.class, order.next()); put(HeaderWriterFilter.class, order.next()); put(CorsFilter.class, order.next()); put(CsrfFilter.class, order.next()); put(LogoutFilter.class, order.next()); // …… 'JMUFS$PNQBSBUPSKBWB

  14. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  15. ೝূ "VUIFOUJDBUJPO w ର৅͕୭ʢԿʣͰ͋Δ͔Λ֬ೝ͢Δ͜ͱɻ w ຊਓೝূʹ༻͍ΒΕΔ৘ใ͸ݻ༗৘ใͰͳ͚ Ε͹ͳΒͳ͍ɻ

  16. ೝূͷཁૉ આ໌ ݻ༗৘ใ ੜମ৘ใ ੜ෺ݻ༗ͷ৘ใɾಛੑ ࢦ໲ɺ੩຺ɺ إɺ੠໲ ஌ࣝ৘ใ ຊਓ͔͠ ஌Βͳ͍৘ใ

    ʢϫϯλΠϜʣύεϫʔυɺ ൿີͷ࣭໰ ॴ࣋৘ใ ຊਓ͔࣋ͬͯ͠ͳ͍ ৘ใ΍෺ *$Χʔυɺ ϋʔυ΢ΣΞτʔΫϯ

  17. ೝূॲཧͷ࢓૊Έ

  18. ೝূॲཧͷ࢓૊Έ

  19. ೝূॲཧͷ࢓૊Έ

  20. ʹΜ͠ΐ͏͠ΐΓͷ͘͠Έ

  21. ΞδΣϯμ  ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ " 4QSJOH4FDVSJUZ֓ཁ # ೝূॲཧͷ࢓૊Έ $ ೝՄॲཧͷ࢓૊Έ

     '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP  $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  22. ೝՄ "VUIPSJ[BUJPO w ͋Δಛఆͷ৚݅ʹରͯ͠ɺΞΫηεݖݶΛ༩͑ Δ͜ͱɻ

  23. ೝՄॲཧͷ࢓૊Έ

  24. ೝՄॲཧͷ࢓૊Έ

  25. ೝՄॲཧͷ࢓૊Έ

  26. "DDFTT%FDJTJPO7PUFSKBWB w ΞΫηεݖͷ෇༩͢Δ͔Λ౤ථ͢Δɻ w 8FC&YQSFTTJPO7PUFSKBWB͕σϑΥϧτద༻ɻ public interface AccessDecisionVoter<S> { int

    ACCESS_GRANTED = 1; int ACCESS_ABSTAIN = 0; int ACCESS_DENIED = -1; (3"/5&%ɿࢍ੒ "#45"*/ɿغ٫ʢ࣍ͷ7PUFS΁ʣ %&/*&%ɿڋ൱

  27. "DDFTT%FDJTJPO.BOBHFSKBWB w ౤ථ݁Ռ͔Β࠷ऴతͳΞΫηεݖΛ൑அɻ w "DDFTT%FDJTJPO7PUFSΛݺΜͰΞΫηεݖΛ౤ ථͯ͠΋Β͏ɻ ࣮૷Ϋϥε "GpSNBUJWF#BTFEKBWB $POTFOTVT#BTFEKBWB 6OBOJNPVT#BTFEKBWB

  28. "GpSNBUJWF#BTFEKBWB w ෳ਺͋Δ7PUFSͷ͏ͪ̍ͭͰ΋ࢍ੒͢Ε͹ΞΫ ηεڐՄ͢Δɻ

  29. $POTFOTVT#BTFEKBWB w 7PUFSͷࢍ੒ථͱ൓ରථͷଟ͍ํʹै͏ɻ

  30. 6OBOJNPVT#BTFEKBWB w 7PUFSͷ͏ͪͭͰ΋൓ର͢Ε͹ΞΫηεΛڋ ൱͢Δɻ

  31. ʹΜ͔͠ΐΓͷ͘͠Έ ౤ථ݁Ռͷѻ͍ํΛܾΊΔ ౤ථ͢Δ

  32. ͲΜͳͱ͖ʹ7PUFS࣮૷͢Δʁ

  33. ͜Μͳͱ͖ʹ7PUFS࣮૷ͯ͠Έͯ͸ʁ w ࣌͸ಛఆͷ3PMFͷϢʔβ͸ΞΫηεෆՄ w ࡀҎ্͸ΞΫηεෆՄ

  34. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  35. $PHOJUPೝূ࡞Δલͷ͏ͪͨͯͷϨϕϧ w "VUIFOUJDBUJPŐ̋ͱ͔̋̋'JMUFSଟ͘ͳ͍ʁ w Ϋϥε໊΍ͨΒ௕͍ w 4QSJOH4FDVSJUZͬͯෳࡶͳΠϝʔδ w ೝূɾೝՄͬͯͲ͏͍͏ྲྀΕͰߦΘΕΕΔʁ εϓϦϯάηΩϡϦςΟίϫΠ

  36. جຊͷ'03.ೝূ͔Β ݟͯΈΔ͔ʂ

  37. ϩάΠϯϑΥʔϜ

  38. ϑΥʔϜೝূͷྲྀΕ

  39. ࣮૷͢ΔΫϥε w 8FC4FDVSJUZ$POpHKBWB w 4QSJOH4FDVSJUZ༻ͷઃఆ w 6TFS%FUBJMT4FSWJDF*NQMKBWB w 6TFS%FUBJMT4FSWJDFΠϯλʔϑΣʔεͷ࣮૷ɻࢿ֨৘ใͱϢʔβͷঢ়ଶΛ σʔλετΞ͔Βऔಘ

  40. 8FC4FDVSJUZ$POpHKBWB @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private

    final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } }

  41. 8FC4FDVSJUZ$POpHKBWB @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private

    final UserDetailsServiceImpl userDetailsService; // …… @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/js/**", "/css/**", "/webjars/**").permitAll() .antMatchers("/users/**").hasRole(Role.STAFF.name()) .antMatchers("/**").authenticated() .and() .formLogin() .loginPage("/login") .loginProcessingUrl("/login") .defaultSuccessUrl("/success", true) .failureUrl("/login?error=true").permitAll(); } } ୭Ͱ΋ΞΫηεՄ KT  DTT  XFCKBST 45"''ϩʔϧͷΈΞΫηεՄ VTFST ೝূϢʔβͷΈΞΫηεՄ  '03.ೝূͷઃఆ ϩά ΠϯϖʔδɿMPHJO ࢿ֨৘ใ1045ઌɿMPHJO ೝূ੒ޭޙͷϦμΠϨΫτઌɿTVDDFTF ೝূࣦഊޙͷϦμΠϨΫτઌɿMPHJO FSSPSUSVF

  42. 'PSN-PHJO$POpHVSFSKBWB public FormLoginConfigurer() { super(new UsernamePasswordAuthenticationFilter(),null); usernameParameter("username"); passwordParameter("password"); } '03.ϩάΠϯͷઃఆΛߦ͏ɻ

  43. ϩάΠϯϘλϯΛ ԡͨ͠ޙͷྲྀΕ

  44. "VUIFOUJDBUJPO'JMUFSKBWBͰೝূ

  45. 6TFSOBNF1BTTXPSE"VUIFOUJDBUJPO'JMUFSBUUFNQU"VUIFOUJDBUJPO public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException

    { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }

  46. 6TFSOBNF1BTTXPSE"VUIFOUJDBUJPO'JMUFSBUUFNQU"VUIFOUJDBUJPO public Authentication attemptAuthentication( HttpServletRequest request, HttpServletResponse response) throws AuthenticationException

    { // …… String username = obtainUsername(request); String password = obtainPassword(request); if (username == null) { username = ""; } if (password == null) { password = ""; } username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); setDetails(request, authRequest); return this.getAuthenticationManager().authenticate(authRequest); }

  47. 1SPWJEFS.BOBHFSKBWBʹҕৡ

  48. 1SPWJEFS.BOBHFSBVUIFOUJDBUF public Authentication authenticate(Authentication authentication) throws AuthenticationException { // ……

    for (AuthenticationProvider provider : getProviders()) { if (!provider.supports(toTest)) { continue; } // …… try { result = provider.authenticate(authentication); if (result != null) { copyDetails(authentication, result); break; } } // ……

  49. ೝূॲཧΛߦ͏

  50. %BP"VUIFOUJDBUJPO1SPWJEFSSFUSJFWF6TFS protected final UserDetails retrieveUser( String username, UsernamePasswordAuthenticationToken authentication) throws

    AuthenticationException { // …… try { UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username); if (loadedUser == null) { // …… } return loadedUser; } // …… } Ϣʔβ৘ใΛऔಘ

  51. 6TFS%FUBJMT4FSWJDF*NQMKBWB @Service @RequiredArgsConstructor public class UserDetailsServiceImpl implements UserDetailsService { private

    final UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username) .orElseThrow( () -> new UsernameNotFoundException("username not found")); return new org.springframework.security.core.userdetails.User( user.getUsername(), user.getPassword(), createAuthorityList("ROLE_" + user.getRole().name())); } } ࢿ֨৘ใͱϢʔβͷঢ়ଶΛσʔλετΞ͔Βऔಘ͢Δ

  52. %BP"VUIFOUJDBUJPO1SPWJEFSBEEJUJPOBM"VUIFOUJDBUJPO$IFDLT protected void additionalAuthenticationChecks( UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException

    { // …… String presentedPassword = authentication.getCredentials().toString(); if (!passwordEncoder.matches( presentedPassword, userDetails.getPassword())) { // …… throw new BadCredentialsException(messages.getMessage( "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials")); } } ύεϫʔυͷൺֱ

  53. ೝূ੒ޭͱࣦഊ

  54. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  55. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  56. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  57. ܦҢ

  58. ܦҢ

  59. ܦҢ $PHOJUPΛ࢖ͬͯΈΔ͔ʂ

  60. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP BܦҢ C"NB[PO$PHOJUPͱ͸ʁ

     $PHOJUPೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZͷςετ

  61. "NB[PO$PHOJUPͱ͸ʁ w 8FC΍ϞόΠϧΞϓϦͷೝূɾೝՄɺϢʔβ ؅ཧΛαϙʔτ w ௚઀͔αʔυύʔςΟΛ௨ͯ͡αΠϯΠϯ w ओͳίϯϙʔωϯτ͸Ϣʔβϓʔϧͱ*%ϓʔϧ w 40$

    1$*%44 *40ͳͲʹ४ڌ ࠓճ͸Ϣʔβϓʔϧͷ࿩ͷΈ

  62. Ϣʔβϓʔϧ w "NB[PO$PHOJUPͷϢʔβσΟϨΫτϦ w 8FC·ͨ͸ϞόΠϧΞϓϦʹϩά ΠϯͰ͖Δ w αΠϯΞοϓ͓ΑͼαΠϯΠϯ w ೝূ੒ޭޙʹϢʔβϓʔϧτʔΫϯ͕ฦΔ

    ϢʔβϓʔϧτʔΫϯ *%τʔΫϯ ΞΫηετʔΫϯ ߋ৽τʔΫϯ

  63. ΞΫηετʔΫϯ w ೝূ͞ΕͨϢʔβʹؔ͢ΔΫϨʔϜؚ͕·Ε ͍ͯΔɻ w +40/8FCτʔΫϯ +85 Ͱ͋Δɻ w ༗ޮظݶ͸࣌ؒ

  64. $PHJOJUP"1*Ͱͷೝূ࣌ͷొ৔ਓ෺ w ೝূλΠϓʢBVUI5ZQFʣ w ηογϣϯʢTFTTJPOʣ w ΞΫηετʔΫϯʢBDDFTT5PLFOʣ w ϦϑϨογϡτʔΫϯʢSFGSTI5PLFOʣ w

    *%τʔΫϯʢJE5PLFOʣ ࠓճ͸࢖Θͳ͍ ࠓճ͸࢖Θͳ͍

  65. αΠϯΞοϓ͔ΒαΠϯΠϯ

  66. αΠϯΞοϓ͔ΒαΠϯΠϯ

  67. αΠϯΞοϓ͔ΒαΠϯΠϯ

  68. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  69. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  70. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  71. *%ɺύεϫʔυೝূ *%ͱύεϫʔυ͕ਖ਼͚͠Ε͹τʔΫϯΛฦ͢ɻ

  72. ΞδΣϯμ  ࠓճͷΰʔϧ  4QSJOH4FDVSJUZͱ͸ʁ  '03.ೝূ࣮૷ͯ͠Έͨ  4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ

    B*%ɺύεϫʔυೝূ CΞΫηετʔΫϯೝূ  4QSJOH4FDVSJUZͷςετ

  73. ΞΫηετʔΫϯೝূ

  74. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  75. $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSKBWB public class CustomPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object

    getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }

  76. $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSKBWB public class CustomPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter { @Override protected Object

    getPreAuthenticatedPrincipal( HttpServletRequest request) { return ""; } @Override protected Object getPreAuthenticatedCredentials( HttpServletRequest request) { String accessToken = request.getHeader(HttpHeaders.AUTHORIZATION); if (StringUtils.isEmpty(accessToken) || !accessToken.startsWith("Bearer ")) { return ""; } return accessToken.split(" ")[1]; } }

  77. "CTUSBDU1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSEP"VUIFOUJDBUF private void doAuthenticate( HttpServletRequest request, HttpServletResponse response) throws IOException,

    ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); authRequest.setDetails( authenticationDetailsSource.buildDetails(request)); authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } } $VTUPN1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSͰ ΦʔόʔϥΠυ

  78. "CTUSBDU1SF"VUIFOUJDBUFE1SPDFTTJOH'JMUFSEP"VUIFOUJDBUF private void doAuthenticate( HttpServletRequest request, HttpServletResponse response) throws IOException,

    ServletException { Authentication authResult; Object principal = getPreAuthenticatedPrincipal(request); Object credentials = getPreAuthenticatedCredentials(request); // …… try { PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken( principal, credentials); // …… authResult = authenticationManager.authenticate(authRequest); successfulAuthentication(request, response, authResult); } catch (AuthenticationException failed) { // …… } }

  79. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  80. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  81. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… ΞΫηετʔΫϯͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }

  82. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… ΞΫηετʔΫϯͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); } ΞΫηετʔΫϯͷݕূ +85ͷߏ଄Λ֬ೝ͢Δɻ +85ॺ໊Λݕূ͢Δɻ ΫϨʔϜΛݕূ͢Δɻ

  83. 6TFS"DDFTT5PLFO"VUIFOUJDBUJPO1SPWJEFSBVUIFOUJDBUF public Authentication authenticate(Authentication auth) throws AuthenticationException { String accessToken

    = Optional.ofNullable(auth.getCredentials()) .map(Object::toString) .orElse(null); if (accessToken == null) { throw new BadCredentialsException("access token not found."); } DecodedJWT decodedAccessToken = JWTUtils.decode(accessToken); // …… JWTͷݕূ String username = decodedAccessToken.getClaim("username").asString(); UserDetails ud = userDetailsService.loadUserDetails( new PreAuthenticatedAuthenticationToken( username, auth.getCredentials()); return new PreAuthenticatedAuthenticationToken( ud, authentication.getCredentials(), ud.getAuthorities()); }

  84. ͋ͤ͘͢ͱʔ͘ΜʹΜ͠ΐ͏

  85. $VTUPN"VUIFOUJDBUJPO6TFS%FUBJMT4FSWJDFKBWB @Service public class CustomAuthenticationUserDetailsService implements AuthenticationUserDetailsService { private final

    CustomUserDetailsService userDetailsService; // …… @Override public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException { String username = token.getPrincipal().toString(); String accessToken = token.getCredentials().toString(); return Optional.ofNullable( userDetailsService.loadUserByUsername(username)) .map(u -> new CustomUserDetails( ((CustomUserDetails) u).getUser(), accessToken)) .orElseThrow(() -> new UsernameNotFoundException("user not found")); } }

  86. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ

  87. ঺հ͢Δςετ w '03.ೝূͷςετ w 30-&Ͱύεͷ੍ݶ͕Ͱ͖ͯΔ͔ͷςετ

  88. ґଘؔ܎Λ௥Ճ <dependencies> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-test</artifactId> <scope>test</scope> </dependency> </dependencies> testCompile “org.springframework.security:spring-

    security-test:5.1.1.RELEASE”

  89. 4FDVSJUZ'JMUFSΛ௥Ճ @BeforeEach void beforeEach() { mockMvc = MockMvcBuilders .webAppContextSetup(context) .apply(springSecurity())

    .build(); } 4FDVSJUZ.PDL.WD$POpHVSFSTTQSJOH4FDVSJUZ

  90. '03.ೝূͷςετ @Test void loginSuccess() throws Exception { MvcResult result =

    mockMvc .perform(formLogin() .user("ruchitate").password("password")) .andReturn(); Assertions.assertThat(result.getResponse()) .extracting( MockHttpServletResponse::getStatus, MockHttpServletResponse::getRedirectedUrl) .containsExactly(302, "/success"); } 4FDVSJUZ.PDL.WD3FRVFTU#VJEFSTGPSN-PHJO ϩά ΠϯϢʔβ Λઃఆ

  91. 30-&Ͱύε੍ݶͰ͖ͯΔ͔ͷςετ @Test void useWith200() throws Exception { MvcResult result =

    mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("STAFF"))) .andExpect(status().isOk()) .andReturn(); assertEquals( "{\"name\":\"಺ཱ ྑհ\",\"username\":\"ruchitate\", \"createdAt\":\"2018-10-01T00:00:00\",\"lastSignInAt\":null}", result.getResponse().getContentAsString()); }

  92. 30-&Ͱύε੍ݶͰ͖ͯΔ͔ͷςετ @Test void useWith403ForAdmin() throws Exception { mockMvc.perform(get("/users/{id}", 1) .with(user("ruchitate").roles("ADMIN")))

    .andExpect(status().isForbidden()) .andReturn(); }

  93. ΞδΣϯμ ࠓճͷΰʔϧ 4QSJOH4FDVSJUZͱ͸ʁ '03.ೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZ8JUI"NB[PO$PHOJUP $PHOJUPೝূ࣮૷ͯ͠Έͨ 4QSJOH4FDVSJUZͷςετ ͓·͚ʢϝιουηΩϡϦςΟʣ

  94. ͭͷΞ ϊςʔγϣϯ w !1SF"VUIPSJ[F w !1PTU"VUIPSJ[F w !1SF'JMUFS w !1PTU'JMUFS

  95. !1SF"VUIPSJ[F @PreAuthorize("hasRole('ADMIN')") public List<User> list() { return userRepository.findAll(); } @PreAuthorize("#role

    == 'ADMIN'") public List<User> list(String role) { return userRepository.findAll(); } @PreAuthorize("#r.name == 'ruchitate'") public List<User> list(@P("r") UserRequest request) { return userRepository.findAll(); } ϝιουʹೖΔલʹνΣοΫॲཧΛߦ͏ɻ GBMTFͷͱ͖ɺ"DDFTT%FOJFE&YDFQUJPOΛεϩʔ

  96. !1PTU"VUIPSJ[F @PostAuthorize("returnObject != null && returnObject.username == 'ruchitate'") public User

    get(Integer id) { return userRepository.findById(id).orElse(null); } ϝιου௨աޙʹ໭Γ஋ʹରͯ͠νΣοΫॲཧΛߦ͏ɻ GBMTFͷͱ͖ɺ"DDFTT%FOJFE&YDFQUJPOΛεϩʔ

  97. !1SF'JMUFS @PreFilter("filterObject.name.equals('ruchitate')") public List<User> list(List<UserRequest> requests) { List<String> usernameList =

    requests.stream() .map(UserRequest::getName) .collect(Collectors.toList()); return userRepository .findAllByUsernameIn(usernameList); } ϝιουʹೖΔલʹҾ਺ͷதͰ৚݅ʹҰக͢ΔΦϒδΣ ΫτͷΈநग़ɻ

  98. !1PTU'JMUFS @PostFilter("filterObject.username == 'ruchitate'") public List<User> list() { return userRepository.findAll();

    } ৚݅ʹҰக͢ΔΦϒδΣΫτͷΈ໭Γ஋͔Βநग़ɻ

  99. ·ͱΊ w ೝূɾೝՄͷྲྀΕΛཧղ͢Δʹ͸ެࣜϦϑΝ Ϩϯε w ͍࣮͟૷͠Α͏ͱͳΔͱࣅͨΑ͏ͳ'JMUFS΍ "VUIFOUJDBUJPO1SPWJEFSͷ࣮૷ΛݟΔ͔͠ w 4QSJOH4FDVSJUZ͓΋͠Ζ͍

  100. ͓ΘΓ

  101. ࢀߟ w IUUQTEFWDMBTTNFUIPEKQTFDVSJUZ BVUIFOUJDBUJPOBOEBVUIPSJ[BUJPO w IUUQXXXBUNBSLJUDPKQBJUBSUJDMFT OFXTIUNM

  102. ιʔείʔυ w IUUQTHJUIVCDPNCBJETQSJOHTFDVSJUZ XJUIDPHOJUP