️♻️ refactor: 시큐리티 구조 개선 (#73)

* refactor: 시큐리티 구조개선, 예외처리 개선

* feat: 임시로 예외 세부내용을 처리하도록 변경

Author: kimday0326

src/main/java/com/sponus/sponusbe/auth/jwt/exception/CustomExpiredJwtException.java

@@ -0,0 +1,31 @@
+package com.sponus.sponusbe.auth.jwt.exception;
+
+import java.io.IOException;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.stereotype.Component;
+
+import com.sponus.sponusbe.auth.jwt.util.HttpResponseUtil;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * 인증된 사용자가 필요한 권한없이 접근하려고 할 때 발생하는 예외 처리
+ */
+@Slf4j
+@Component
+public class JwtAccessDeniedHandler implements AccessDeniedHandler {
+
+	@Override
+	public void handle(HttpServletRequest request, HttpServletResponse response,
+		AccessDeniedException accessDeniedException) throws IOException {
+		log.warn("Access Denied: ", accessDeniedException);
+
+		HttpResponseUtil.setErrorResponse(response, HttpStatus.FORBIDDEN,
+			SecurityErrorCode.FORBIDDEN.getErrorResponse());
+	}
+}

src/main/java/com/sponus/sponusbe/auth/jwt/exception/CustomMalformedException.java

@@ -0,0 +1,40 @@
+package com.sponus.sponusbe.auth.jwt.exception;
+
+import java.io.IOException;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import com.sponus.sponusbe.auth.jwt.util.HttpResponseUtil;
+import com.sponus.sponusbe.global.common.ApiResponse;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * 사용자가 인증되지 않은 상태에서 접근하려고 할 때 발생하는 예외 처리
+ */
+@Slf4j
+@Component
+public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
+
+	@Override
+	public void commence(HttpServletRequest request, HttpServletResponse response,
+		AuthenticationException authException)
+		throws IOException {
+		HttpStatus httpStatus;
+		ApiResponse<String> errorResponse;
+
+		log.error(">>>>>> AuthenticationException: ", authException);
+		httpStatus = HttpStatus.UNAUTHORIZED;
+		errorResponse = ApiResponse.onFailure(
+			SecurityErrorCode.UNAUTHORIZED.getCode(),
+			SecurityErrorCode.UNAUTHORIZED.getMessage(),
+			authException.getMessage());
+
+		HttpResponseUtil.setErrorResponse(response, httpStatus, errorResponse);
+	}
+}

src/main/java/com/sponus/sponusbe/auth/jwt/exception/CustomNoTokenException.java

@@ -3,9 +3,20 @@
 import com.sponus.sponusbe.global.common.BaseErrorCode;
 import com.sponus.sponusbe.global.common.exception.CustomException;
 
+import lombok.Getter;
+
+@Getter
 public class SecurityCustomException extends CustomException {
 
+	private final Throwable cause;
+
 	public SecurityCustomException(BaseErrorCode errorCode) {
 		super(errorCode);
+		this.cause = null;
+	}
+
+	public SecurityCustomException(BaseErrorCode errorCode, Throwable cause) {
+		super(errorCode);
+		this.cause = cause;
 	}
 }

src/main/java/com/sponus/sponusbe/auth/jwt/exception/CustomSignatureException.java

@@ -12,13 +12,14 @@
 @AllArgsConstructor
 public enum SecurityErrorCode implements BaseErrorCode {
 
-	INVALID_TOKEN(HttpStatus.BAD_REQUEST, "4001", "유효하지 않은 형식의 토큰입니다."),
-	TOKEN_EXCEPTION(HttpStatus.UNAUTHORIZED, "4011", "토큰 처리 중 예외가 발생했습니다."),
-	UNAUTHORIZED(HttpStatus.UNAUTHORIZED, "4012", "권한이 없습니다."),
-	TOKEN_EXPIRED(HttpStatus.UNAUTHORIZED, "4013", "만료된 토큰입니다."),
-	SIGNATURE_ERROR(HttpStatus.UNAUTHORIZED, "4014", "무결하지 않은 토큰입니다."),
-	TOKEN_NOT_FOUND(HttpStatus.UNAUTHORIZED, "4015", "토큰이 존재하지 않습니다."),
-	INTERNAL_SECURITY_ERROR(HttpStatus.INTERNAL_SERVER_ERROR, "5001", "서버 에러가 발생했습니다. 관리자에게 문의해주세요.");
+	INVALID_TOKEN(HttpStatus.BAD_REQUEST, "SEC4001", "잘못된 형식의 토큰입니다."),
+	UNAUTHORIZED(HttpStatus.UNAUTHORIZED, "SEC4010", "인증이 필요합니다."),
+	TOKEN_EXPIRED(HttpStatus.UNAUTHORIZED, "SEC4011", "토큰이 만료되었습니다."),
+	TOKEN_SIGNATURE_ERROR(HttpStatus.UNAUTHORIZED, "SEC4012", "토큰이 위조되었거나 손상되었습니다."),
+	FORBIDDEN(HttpStatus.FORBIDDEN, "SEC4030", "권한이 없습니다."),
+	TOKEN_NOT_FOUND(HttpStatus.UNAUTHORIZED, "SEC4041", "토큰이 존재하지 않습니다."),
+	INTERNAL_SECURITY_ERROR(HttpStatus.INTERNAL_SERVER_ERROR, "SEC5000", "인증 처리 중 서버 에러가 발생했습니다."),
+	INTERNAL_TOKEN_SERVER_ERROR(HttpStatus.INTERNAL_SERVER_ERROR, "SEC5001", "토큰 처리 중 서버 에러가 발생했습니다.");
 
 	private final HttpStatus httpStatus;
 	private final String code;

src/main/java/com/sponus/sponusbe/auth/jwt/exception/JwtAccessDeniedHandler.java

@@ -27,7 +27,7 @@
 import lombok.RequiredArgsConstructor;
 
 @RequiredArgsConstructor
-public class JwtFilter extends OncePerRequestFilter {
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
 	private final JwtUtil jwtUtil;
 	private final RedisUtil redisUtil;
@@ -51,8 +51,7 @@ protected void doFilterInternal(
 			}
 
 			// logout 처리된 accessToken
-			if (redisUtil.get(accessToken) != null &&
-				redisUtil.get(accessToken).equals("logout")) {
+			if (redisUtil.get(accessToken) != null && redisUtil.get(accessToken).equals("logout")) {
 				logger.info("[*] Logout accessToken");
 				filterChain.doFilter(cachedHttpServletRequest, response);
 				return;
@@ -63,7 +62,6 @@ protected void doFilterInternal(
 			filterChain.doFilter(cachedHttpServletRequest, response);
 		} catch (ExpiredJwtException e) {
 			logger.warn("[*] case : accessToken Expired");
-
 			// accessToken 만료 시 Body에 있는 refreshToken 확인
 			String refreshToken = request.getHeader("refreshToken");
 
@@ -75,12 +73,12 @@ protected void doFilterInternal(
 					JwtPair reissueTokens = jwtUtil.reissueToken(refreshToken);
 					setSuccessResponse(response, CREATED, reissueTokens);
 				}
-			} catch (ExpiredJwtException e1) {
+			} catch (ExpiredJwtException eje) {
 				logger.info("[*] case : accessToken, refreshToken expired");
-				throw new SecurityCustomException(SecurityErrorCode.TOKEN_EXPIRED);
-			} catch (IllegalArgumentException e2) {
+				throw new SecurityCustomException(SecurityErrorCode.TOKEN_EXPIRED, eje);
+			} catch (IllegalArgumentException iae) {
 				logger.info("[*] case : Invalid refreshToken");
-				throw new SecurityCustomException(SecurityErrorCode.INVALID_TOKEN);
+				throw new SecurityCustomException(SecurityErrorCode.INVALID_TOKEN, iae);
 			}
 		}
 	}
@@ -101,7 +99,7 @@ private void authenticateAccessToken(String accessToken) {
 			null,
 			userDetails.getAuthorities());
 
-		// 세션에 사용자 등록
+		// 컨텍스트 홀더에 저장
 		SecurityContextHolder.getContext().setAuthentication(authToken);
 	}
 }

src/main/java/com/sponus/sponusbe/auth/jwt/exception/JwtAuthenticationEntryPoint.java

@@ -25,16 +25,20 @@ protected void doFilterInternal(
 		@NonNull HttpServletRequest request,
 		@NonNull HttpServletResponse response,
 		@NonNull FilterChain filterChain) throws IOException {
-		// TODO : entrypoint로 처리하도록 변경
 		try {
 			filterChain.doFilter(request, response);
 		} catch (SecurityCustomException e) {
 			log.warn(">>>>> SecurityCustomException : ", e);
 			BaseErrorCode errorCode = e.getErrorCode();
+			ApiResponse<String> errorResponse = ApiResponse.onFailure(
+				errorCode.getCode(),
+				errorCode.getMessage(),
+				e.getMessage()
+			);
 			HttpResponseUtil.setErrorResponse(
 				response,
 				errorCode.getHttpStatus(),
-				errorCode.getErrorResponse()
+				errorResponse
 			);
 		} catch (Exception e) {
 			log.error(">>>>> Exception : ", e);

src/main/java/com/sponus/sponusbe/auth/jwt/exception/SecurityCustomException.java

@@ -16,7 +16,11 @@
 import com.sponus.sponusbe.auth.jwt.exception.SecurityErrorCode;
 import com.sponus.sponusbe.auth.user.CustomUserDetails;
 
+import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.UnsupportedJwtException;
+import io.jsonwebtoken.security.SignatureException;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 
@@ -44,32 +48,6 @@ public JwtUtil(
 		redisUtil = redis;
 	}
 
-	public Long getId(String token) {
-		return Long.parseLong(Jwts.parser().verifyWith(secretKey).build().parseSignedClaims(token).getPayload()
-			.getSubject());
-	}
-
-	public String getEmail(String token) {
-		return Jwts.parser().verifyWith(secretKey).build().parseSignedClaims(token).getPayload()
-			.get("email", String.class);
-	}
-
-	public String getAuthority(String token) {
-		return Jwts.parser().verifyWith(secretKey).build().parseSignedClaims(token).getPayload()
-			.get(AUTHORITIES_CLAIM_NAME, String.class);
-	}
-
-	public Boolean isExpired(String token) {
-		// 여기서 토큰 형식 이상한 것도 걸러짐
-		return Jwts.parser().verifyWith(secretKey).build().parseSignedClaims(token).getPayload().getExpiration()
-			.before(Date.from(Instant.now()));
-	}
-
-	public Long getExpTime(String token) {
-		return Jwts.parser().verifyWith(secretKey).build().parseSignedClaims(token).getPayload().getExpiration()
-			.getTime();
-	}
-
 	public String createJwtAccessToken(CustomUserDetails customUserDetails) {
 		Instant issuedAt = Instant.now();
 		Instant expiration = issuedAt.plusMillis(accessExpMs);
@@ -132,14 +110,11 @@ public String resolveAccessToken(HttpServletRequest request) {
 		String authorization = request.getHeader("Authorization");
 
 		if (authorization == null || !authorization.startsWith("Bearer ")) {
-
 			log.warn("[*] No token in req");
-
 			return null;
 		}
 
 		log.info("[*] Token exists");
-
 		return authorization.split(" ")[1];
 	}
 
@@ -154,4 +129,35 @@ public boolean validateRefreshToken(String refreshToken) {
 		}
 		return true;
 	}
+
+	public Long getId(String token) {
+		return Long.parseLong(getClaims(token).getSubject());
+	}
+
+	public String getEmail(String token) {
+		return getClaims(token).get("email", String.class);
+	}
+
+	public String getAuthority(String token) {
+		return getClaims(token).get(AUTHORITIES_CLAIM_NAME, String.class);
+	}
+
+	public Boolean isExpired(String token) {
+		// 여기서 토큰 형식 이상한 것도 걸러짐
+		return getClaims(token).getExpiration().before(Date.from(Instant.now()));
+	}
+
+	public Long getExpTime(String token) {
+		return getClaims(token).getExpiration().getTime();
+	}
+
+	private Claims getClaims(String token) {
+		try {
+			return Jwts.parser().verifyWith(secretKey).build().parseSignedClaims(token).getPayload();
+		} catch (UnsupportedJwtException | MalformedJwtException | IllegalArgumentException e) {
+			throw new SecurityCustomException(SecurityErrorCode.INVALID_TOKEN, e);
+		} catch (SignatureException e) {
+			throw new SecurityCustomException(SecurityErrorCode.TOKEN_SIGNATURE_ERROR, e);
+		}
+	}
 }

src/main/java/com/sponus/sponusbe/auth/jwt/exception/SecurityErrorCode.java

@@ -65,4 +65,16 @@ protected ResponseEntity<ApiResponse<Map<String, String>>> handleMethodArgumentN
 			failedValidations);
 		return ResponseEntity.status(ex.getStatusCode()).body(errorResponse);
 	}
+	//
+	// @ExceptionHandler({SecurityCustomException.class})
+	// public ResponseEntity<ApiResponse<String>> handleAuthenticationException(Exception e) {
+	// 	log.error(">>>>> Security Server Error : ", e);
+	// 	BaseErrorCode errorCode = SecurityErrorCode.INTERNAL_TOKEN_SERVER_ERROR;
+	// 	ApiResponse<String> errorResponse = ApiResponse.onFailure(
+	// 		errorCode.getCode(),
+	// 		errorCode.getMessage(),
+	// 		e.getMessage()
+	// 	);
+	// 	return ResponseEntity.internalServerError().body(errorResponse);
+	// }
 }

src/main/java/com/sponus/sponusbe/auth/jwt/filter/JwtFilter.java src/main/java/com/sponus/sponusbe/auth/jwt/filter/JwtAuthenticationFilter.java

@@ -14,12 +14,13 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.security.web.authentication.logout.LogoutFilter;
 
+import com.sponus.sponusbe.auth.jwt.exception.JwtAccessDeniedHandler;
+import com.sponus.sponusbe.auth.jwt.exception.JwtAuthenticationEntryPoint;
 import com.sponus.sponusbe.auth.jwt.filter.CustomLoginFilter;
 import com.sponus.sponusbe.auth.jwt.filter.CustomLogoutHandler;
+import com.sponus.sponusbe.auth.jwt.filter.JwtAuthenticationFilter;
 import com.sponus.sponusbe.auth.jwt.filter.JwtExceptionFilter;
-import com.sponus.sponusbe.auth.jwt.filter.JwtFilter;
 import com.sponus.sponusbe.auth.jwt.util.JwtUtil;
 import com.sponus.sponusbe.auth.jwt.util.RedisUtil;
 
@@ -30,6 +31,9 @@
 @RequiredArgsConstructor
 public class SecurityConfig {
 
+	private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
+	private final JwtAccessDeniedHandler jwtAccessDeniedHandler;
+
 	private final String[] swaggerUrls = {"/swagger-ui/**", "/v3/**"};
 	private final String[] authUrls = {
 		"/",
@@ -92,11 +96,16 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			.addFilterAt(loginFilter, UsernamePasswordAuthenticationFilter.class);
 
 		http
-			.addFilterBefore(new JwtFilter(jwtUtil, redisUtil), CustomLoginFilter.class);
+			.addFilterBefore(new JwtAuthenticationFilter(jwtUtil, redisUtil), CustomLoginFilter.class);
+
+		http
+			.addFilterBefore(new JwtExceptionFilter(), JwtAuthenticationFilter.class);
 
-		// Exception Handle filter
 		http
-			.addFilterBefore(new JwtExceptionFilter(), LogoutFilter.class);
+			.exceptionHandling(exception -> exception
+				.authenticationEntryPoint(jwtAuthenticationEntryPoint)
+				.accessDeniedHandler(jwtAccessDeniedHandler)
+			);
 
 		// 세션 사용 안함
 		http