[refactor] 사용자 권한에 따른 보안 정책 분리

Author: LeeMinwoo115

backend/src/main/java/com/back/global/config/SecurityConfig.java

@@ -1,5 +1,7 @@
 package com.back.global.config;
 
+import java.io.IOException;
+
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -14,8 +16,12 @@
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
+import com.back.global.error.code.AuthErrorCode;
+import com.back.global.error.code.ErrorCode;
 import com.back.global.properties.CorsProperties;
+import com.back.global.response.ApiResponse;
 import com.back.global.security.CustomAuthenticationFilter;
+import com.fasterxml.jackson.databind.ObjectMapper;
 
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
@@ -28,6 +34,7 @@ public class SecurityConfig {
 
 	private final CorsProperties corsProperties;
 	private final CustomAuthenticationFilter authenticationFilter;
+	private final ObjectMapper objectMapper;
 
 	@Bean
 	SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
@@ -40,8 +47,12 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 				.requestMatchers("/h2-console/**").permitAll()  // H2 콘솔 접근 허용
 				.requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()  // Swagger 접근 허용
 				.requestMatchers("/.well-known/**").permitAll()
-				//.requestMatchers("/api/v1/admin/**").hasRole("ADMIN") //추후 주석 해제
+				.requestMatchers("/api/v1/auth/signup").permitAll()
+				.requestMatchers("/api/v1/auth/login").permitAll()
+				.requestMatchers("/api/v1/admin/auth/**").permitAll()
+				.requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
 				.requestMatchers("/actuator/**").permitAll()    // 모니터링/Actuator 관련
+				// .requestMatchers("/api/v1/**").authenticated() // TODO: 개발 후 인증 활성화
 				.anyRequest().permitAll() // TODO: 보안 인증 설정 시 제거, 현재는 모든 API 요청을 인증없이 허용
 			)
 			.csrf(csrf -> csrf
@@ -56,27 +67,11 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			//401 403 커스텀 에러
 			.exceptionHandling(exceptionHandling -> exceptionHandling
 				.authenticationEntryPoint((request, response, authException) -> {
-					response.setContentType("application/json; charset=UTF-8");
-					response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-					response.getWriter().write("""
-						{
-							"status": "UNAUTHORIZED",
-							"message": "로그인 후 이용해주세요.",
-							"data": null
-						}
-						""");
+					writeError(response, AuthErrorCode.UNAUTHORIZED);
 				})
 
 				.accessDeniedHandler((request, response, accessDeniedException) -> {
-					response.setContentType("application/json; charset=UTF-8");
-					response.setStatus(HttpServletResponse.SC_FORBIDDEN);
-					response.getWriter().write("""
-						{
-							"status": "FORBIDDEN",
-							"message": "접근 권한이 없습니다.",
-							"data": null
-						}
-						""");
+					writeError(response, AuthErrorCode.FORBIDDEN);
 				})
 			);
 
@@ -105,4 +100,12 @@ public PasswordEncoder passwordEncoder(
 	) {
 		return new BCryptPasswordEncoder(strength);
 	}
+
+	private void writeError(HttpServletResponse response, ErrorCode code) throws IOException {
+		response.setStatus(code.getHttpStatus().value());
+		response.setContentType("application/json; charset=UTF-8");
+
+		ApiResponse<?> body = ApiResponse.fail(code);
+		response.getWriter().write(objectMapper.writeValueAsString(body));
+	}
 }

backend/src/main/java/com/back/global/error/code/AuthErrorCode.java

@@ -13,6 +13,9 @@ public enum AuthErrorCode implements ErrorCode {
 
 	UNAUTHORIZED(HttpStatus.UNAUTHORIZED, "로그인 후 이용해주세요."),
 
+	FORBIDDEN(HttpStatus.FORBIDDEN, "접근 권한이 없습니다."),
+	ADMIN_ONLY(HttpStatus.FORBIDDEN, "관리자 계정만 접근 가능합니다."),
+
 	TOKEN_EXPIRED(HttpStatus.UNAUTHORIZED, "토큰이 만료되었습니다."),
 	INVALID_TOKEN(HttpStatus.UNAUTHORIZED, "유효하지 않은 토큰입니다."),
 	REFRESH_TOKEN_REQUIRED(HttpStatus.BAD_REQUEST, "리프레시 토큰이 없습니다."),

backend/src/main/java/com/back/global/security/CustomAuthenticationFilter.java

@@ -31,8 +31,6 @@
 @Component
 @RequiredArgsConstructor
 public class CustomAuthenticationFilter extends OncePerRequestFilter {
-
-	private static final String AUTH_PATH_PREFIX = "/api/v1/auth/";
 	private static final String BEARER_PREFIX = "Bearer ";
 
 	private static final Set<String> AUTH_WHITELIST = Set.of(
@@ -93,7 +91,14 @@ private void authenticate(
 
 		long userId = ((Number)payload.get("id")).longValue();
 		String nickname = (String)payload.getOrDefault("nickname", "");
-		UserRole role = (UserRole)payload.getOrDefault("role", UserRole.NORMAL);
+		Object roleObj = payload.get("role");
+		UserRole role = UserRole.NORMAL;
+
+		if (roleObj instanceof String roleStr) {
+			role = UserRole.valueOf(roleStr);
+		} else if (roleObj instanceof UserRole userRole) {
+			role = userRole;
+		}
 
 		SecurityUser securityUser = new SecurityUser(
 			userId,

backend/src/main/java/com/back/global/security/JwtProvider.java

@@ -60,7 +60,7 @@ private Map<String, Object> createBaseClaims(User user) {
 		Map<String, Object> claims = new HashMap<>();
 		claims.put(CLAIM_ID, user.getId());
 		claims.put(CLAIM_NICKNAME, user.getNickname());
-		claims.put(CLAIM_ROLE, user.getRole());
+		claims.put(CLAIM_ROLE, user.getRole().name());
 		return claims;
 	}