bugfix 및 token 거래 GET 방식 추가.

토큰거래 GET 방식으로 하는것 보안상 좋지않음.
(GET 파라미터같은 경우 웹서버에 로깅이 되어버림, clientSecret 같은 것들이 파일로그에 남아서 그대로 노출됨)

사유 : 고객요청.
This commit is contained in:
cho
2026-01-21 16:57:31 +09:00
parent 730196cefb
commit 61e6aa6b19
4 changed files with 53 additions and 24 deletions
@@ -10,6 +10,7 @@ import java.time.LocalDateTime;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.Cipher;
@@ -29,9 +30,11 @@ import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import com.eactive.eai.adapter.http.dynamic.filter.JwtAuthException;
@@ -64,6 +67,31 @@ public class KjbMGOAuth2Controller {
@ResponseBody
public ResponseEntity<String> token(@RequestBody KjbMGOAuth2AccessTokenRequest tokenRequest,
HttpServletRequest request, HttpServletResponse response) {
return issueToken(tokenRequest, request, response);
}
@GetMapping(value = "/mapi/oauth2/token", produces = "application/json; charset=UTF-8")
@ResponseBody
public ResponseEntity<String> tokenGet(@RequestParam Map<String, String> params, HttpServletRequest request,
HttpServletResponse response) {
KjbMGOAuth2AccessTokenRequest tokenRequest = new KjbMGOAuth2AccessTokenRequest();
tokenRequest.setGrantType(params.get("grant_type"));
tokenRequest.setClientId(params.get("client_id"));
tokenRequest.setClientSecret(params.get("client_secret"));
tokenRequest.setScope(params.get("scope"));
tokenRequest.setResource(params.get("resource"));
return issueToken(tokenRequest, request, response);
}
private ResponseEntity<String> issueToken(
KjbMGOAuth2AccessTokenRequest tokenRequest,
HttpServletRequest request,
HttpServletResponse response) {
if (logger.isDebug()) {
logger.debug(tokenRequest.toString());
}
@@ -142,8 +170,10 @@ public class KjbMGOAuth2Controller {
String errorJson = MessageUtil.makeJsonErrorMessage(MessageUtil.ERROR_CODE_AUTH_FAIL, "Unauthorized. [Unknown]");
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(errorJson);
}
}
private void verifyClient(ClientDetails clientDetails, String clientId, String clientSecret, Set<String> scopeSet)
throws JwtAuthException {