feat: Spring Security CORS, 인가 규칙 및 Stateless 세션 설정 추가

Author: larama-C

src/main/java/com/back/web7_9_codecrete_be/global/security/SecurityConfig.java

@@ -8,8 +8,13 @@
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+import java.util.List;
 
 @Configuration
 @RequiredArgsConstructor
@@ -36,6 +41,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                 // H2 Console 설정
                 .headers(headers -> headers.frameOptions(frame -> frame.disable()))
 
+                // 세션 관리 설정 - Stateless
+                .sessionManagement((session) -> session
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+
                 // Authorization 설정
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers(
@@ -45,6 +54,13 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                                 "/h2-console/**",       // H2 Console
                                 "/api/v1/concerts/**"     // concert 정보 조회 도메인
                         ).permitAll()
+
+                        // ADMIN 전용
+                        .requestMatchers("/api/v1/admin/**").hasRole("ADMIN")
+
+                        // USER, ADMIN 허용
+                        .requestMatchers("/api/v1/users/**").hasAnyRole("USER", "ADMIN")
+
                         .anyRequest().authenticated()
                 )
 
@@ -60,4 +76,23 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
     public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
         return configuration.getAuthenticationManager();
     }
+
+    // CORS 설정(로컬 프론트 통신 허용)
+    @Bean
+    public UrlBasedCorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration configuration =new CorsConfiguration();
+
+        configuration.setAllowedOrigins(List.of("http://localhost:3000"));
+        configuration.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
+
+        configuration.setAllowedHeaders(List.of("*"));
+
+        //쿠키 자동으로 넘어가게 설정
+        configuration.setAllowCredentials(true);
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        source.registerCorsConfiguration("/api/**", configuration);
+
+        return source;
+    }
 }