[SpringBoot] Spring Security에서 특정 url 제외하고, 제외했는데 필터 적용되는 문제 해결

@Configuration
@RequiredArgsConstructor
@EnableWebSecurity
public class SecurityConfig {
    private final JwtUtil jwtUtil;
    private final ResponseUtil responseUtil;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .formLogin(AbstractHttpConfigurer::disable)
                .csrf(AbstractHttpConfigurer::disable)
                .sessionManagement((sessionManagement) ->
                        sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(httpRequests -> httpRequests
                        .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
                        .requestMatchers(new AntPathRequestMatcher("/")
                        , new AntPathRequestMatcher("/css/**")
                        , new AntPathRequestMatcher("/images/**")
                        ).permitAll()
                        .requestMatchers("/api/v1/member/login/oauth/google/**").permitAll()
                        .requestMatchers("/api/v1/member/login/oauth/google/callback").permitAll()
                        .requestMatchers("/favicon.ico").permitAll()
                        .requestMatchers("/api/v1/event").permitAll()
                        .anyRequest().authenticated()
                )
                .addFilterAfter(jwtAuthenticationProcessingFilter(), LogoutFilter.class)
                .addFilterBefore(new ExceptionHandlerFilter(responseUtil), JwtAuthenticationProcessingFilter.class);

        return httpSecurity.build();
    }

    @Bean
    public WebSecurityCustomizer configure() {
        return (web) -> web.ignoring().requestMatchers(PathRequest.toStaticResources().atCommonLocations());
    }

    @Bean
    public JwtAuthenticationProcessingFilter jwtAuthenticationProcessingFilter() {
        return new JwtAuthenticationProcessingFilter(jwtUtil, responseUtil);
    }
}

자꾸 이렇게 로그인 uri이랑 로그인 콜백 uri등등 인증되지 않은 유저도 접근 가능한 uri들을 등록해 주었는데도, 자꾸 jwtAuthenticationProcessingFilter(커스텀필터)를 먼저 거쳐서 토큰이 없다고 Exception이 발생하는 문제가 있었다. 

 

알고보니, jwtAuthenticationProcessingFilter를 Bean으로 등록해주어서 그런 것이었다...!!!!

 

그래서 그냥 SecurityFilterChain에 등록되도록, 

.addFilterAfter(new JwtAuthenticationProcessingFilter(jwtUtil, responseUtil), LogoutFilter.class)

아래와같이 넣어주었더니, SecurityConfig에서 허용한 uri들은 JwtAuthenticationProcessingFilter를 거치지 않았다!!!👍🏻😂

 

📚 Reference

https://velog.io/@ychxexn/5-Spring-Security%EC%97%90%EC%84%9C-%ED%8A%B9%EC%A0%95-url-%EC%A0%9C%EC%99%B8%ED%95%98%EA%B8%B0

Spring Security에서 특정 url 제외하기

정말감사합니다.. 계속 이문제때문에 열받아있었는데 당신이 절 살렸읍니다