Spring-Security

How a SecurityFilterChain gets registered

neal89 2025. 5. 20. 04:10

① Add the spring-boot-starter-security dependency

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-security'
}
  • At this step Spring Boot prepares to load auto-configuration classes such as SecurityAutoConfiguration. The relevant Spring Boot source is shown below.

/*
 * Copyright 2012-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.boot.autoconfigure.security.servlet;

import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
import org.springframework.boot.autoconfigure.security.ConditionalOnDefaultWebSecurity;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

/**
 * {@link Configuration @Configuration} class securing servlet applications.
 *
 * @author Madhura Bhave
 */
@Configuration(proxyBeanMethods = false)
@ConditionalOnWebApplication(type = Type.SERVLET)
class SpringBootWebSecurityConfiguration {

	/**
	 * The default configuration for web security. It relies on Spring Security's
	 * content-negotiation strategy to determine what sort of authentication to use. If
	 * the user specifies their own {@link SecurityFilterChain} bean, this will back-off
	 * completely and the users should specify all the bits that they want to configure as
	 * part of the custom security configuration.
	 */
	@Configuration(proxyBeanMethods = false)
	@ConditionalOnDefaultWebSecurity
	static class SecurityFilterChainConfiguration {

		@Bean
		@Order(SecurityProperties.BASIC_AUTH_ORDER)
		SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
			http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
			http.formLogin(withDefaults());
			http.httpBasic(withDefaults());
			return http.build();
		}

	}

	/**
	 * Adds the {@link EnableWebSecurity @EnableWebSecurity} annotation if Spring Security
	 * is on the classpath. This will make sure that the annotation is present with
	 * default security auto-configuration and also if the user adds custom security and
	 * forgets to add the annotation. If {@link EnableWebSecurity @EnableWebSecurity} has
	 * already been added or if a bean with name
	 * {@value BeanIds#SPRING_SECURITY_FILTER_CHAIN} has been configured by the user, this
	 * will back-off.
	 */
	@Configuration(proxyBeanMethods = false)
	@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
	@ConditionalOnClass(EnableWebSecurity.class)
	@EnableWebSecurity
	static class WebSecurityEnablerConfiguration {

	}

}

② SecurityAutoConfiguration → SecurityFilterAutoConfiguration is activated

  • Spring Boot starts the security filter setup through SecurityFilterAutoConfiguration, one of its auto-configuration classes.
  • This configuration applies the default settings when no SecurityFilterChain bean exists.

③ @EnableWebSecurity → WebSecurityConfiguration is activated

  • @EnableWebSecurity activates the WebSecurityConfiguration class.
  • Internally, this class creates and initializes HttpSecurity.
  • At this point the HttpSecurity object, which acts as the SecurityBuilder, is created.

④ Creating and configuring HttpSecurity

  • HttpSecurity is the central object of the security configuration.
  • It is injected as the parameter of the SecurityFilterChain method that the developer defines with @Bean:

    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(...);
        http.formLogin(...);
        return http.build();
    }

⑤ Applying the SecurityConfigurers

  • Calling authorizeHttpRequests(), formLogin() and so on registers the corresponding SecurityConfigurer implementations on the HttpSecurity.
  • Example: FormLoginConfigurer, AuthorizeHttpRequestsConfigurer and others register their internal filters.
  • During this step the security filters are created and registered in the internal filter chain (e.g. UsernamePasswordAuthenticationFilter).

⑥ Calling http.build()

  • When HttpSecurity.build() is called:
    • All the filters assembled so far are bundled into a SecurityFilterChain object for the FilterChainProxy.
    • This object is the security filter chain that Spring Security actually uses.

⑦ Returning the SecurityFilterChain and registering it as a bean

  • The SecurityFilterChain returned from the method above is registered as a bean in the Spring ApplicationContext, as the result of the @Bean method.
  • From then on the filter chain runs through the FilterChainProxy, in front of the DispatcherServlet.
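Added example (not code from the original post or from Spring Boot itself): a configuration with two custom SecurityFilterChain beans, showing what steps ④ to ⑦ look like once the default chain from SpringBootWebSecurityConfiguration has backed off. The package name, URL paths and role name are assumptions.

```java
// Added example (not from the original post or Spring Boot): a custom
// SecurityFilterChain configuration. Once such a bean exists,
// @ConditionalOnDefaultWebSecurity no longer matches and Spring Boot's
// defaultSecurityFilterChain backs off, so every rule must be declared here.
package com.example.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1, consulted first because of @Order(1). securityMatcher limits it
    // to /api/**; FilterChainProxy picks the first chain whose matcher fits.
    @Bean
    @Order(1)
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/**")
            .authorizeHttpRequests(requests -> requests
                .requestMatchers("/api/public/**").permitAll()
                .anyRequest().hasRole("API_USER"))   // hypothetical role
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build(); // configurers -> filters -> SecurityFilterChain
    }

    // Chain 2, the catch-all. Without authorizeHttpRequests no
    // AuthorizationFilter is added to the chain and nothing is restricted,
    // so the anyRequest().authenticated() rule is what the default chain
    // used to give you for free.
    @Bean
    @Order(2)
    SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
                .requestMatchers("/", "/login", "/error").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(Customizer.withDefaults());
        return http.build();
    }
}
```

Each @Bean method receives its own HttpSecurity instance, and the two resulting beans are the chains FilterChainProxy consults in @Order sequence on every request.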

🧠 Summary: the full sequence

1. Add the security dependency in Gradle
2. Spring Boot auto-configuration → SecurityAutoConfiguration
3. @EnableWebSecurity → WebSecurityConfiguration runs
4. HttpSecurity is created and initialized
5. SecurityConfigurers (e.g. formLogin) are applied → filters are created and registered
6. http.build() → SecurityFilterChain is created
7. The @Bean method returns → the SecurityFilterChain bean is registered
8. When a web request is handled, FilterChainProxy runs that filter chain

  1. Add Security Dependency
    implementation 'org.springframework.boot:spring-boot-starter-security'
    This triggers Spring Boot's auto-configuration for security.
  2. Auto-Configuration Activation
    SecurityAutoConfiguration and SecurityFilterAutoConfiguration classes are loaded.
  3. EnableWebSecurity → WebSecurityConfiguration
    @EnableWebSecurity activates WebSecurityConfiguration, which is responsible for setting up HttpSecurity.
  4. HttpSecurity Initialization
    Spring injects an HttpSecurity object into the @Bean SecurityFilterChain method.
  5. Configurer Registration
    Methods like http.authorizeHttpRequests() or http.formLogin() internally activate their respective SecurityConfigurer implementations, which register security filters.
  6. http.build()
    When http.build() is called, a SecurityFilterChain is created from the assembled filters.
  7. Register SecurityFilterChain Bean
    The returned object from the @Bean method becomes a registered bean.
  8. Web Request Handling
    During request handling, the FilterChainProxy uses the registered SecurityFilterChain to apply security filters to the request.