From 49eb8fbe857d081e870348b1e693611d6c2c2390 Mon Sep 17 00:00:00 2001 From: curry772 Date: Tue, 23 Jun 2026 09:55:20 +0900 Subject: [PATCH] =?UTF-8?q?API=EC=97=90=20scope=EC=9D=B4=20=EC=A0=81?= =?UTF-8?q?=EC=9A=A9=EB=90=98=EC=96=B4=20=EC=9E=88=EC=A7=80=20=EC=95=8A?= =?UTF-8?q?=EC=9D=80=20=EA=B2=BD=EC=9A=B0,=20Client=EC=97=90=20API=20?= =?UTF-8?q?=EC=A0=81=EC=9A=A9=EC=97=AC=EB=B6=80=EB=A5=BC=20=ED=99=95?= =?UTF-8?q?=EC=9D=B8=ED=95=98=EB=8F=84=EB=A1=9D=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../http/dynamic/filter/ApiAuthFilter.java | 36 +++++++++++-------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/src/main/java/com/eactive/eai/adapter/http/dynamic/filter/ApiAuthFilter.java b/src/main/java/com/eactive/eai/adapter/http/dynamic/filter/ApiAuthFilter.java index afe5c72..1375027 100644 --- a/src/main/java/com/eactive/eai/adapter/http/dynamic/filter/ApiAuthFilter.java +++ b/src/main/java/com/eactive/eai/adapter/http/dynamic/filter/ApiAuthFilter.java @@ -24,6 +24,8 @@ import com.nimbusds.jose.JWSVerifier; import com.nimbusds.jose.crypto.RSASSAVerifier; import com.nimbusds.jose.util.IOUtils; import com.nimbusds.jwt.SignedJWT; + +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang3.StringUtils; import org.springframework.core.io.ClassPathResource; import org.springframework.core.io.Resource; @@ -141,26 +143,32 @@ public class ApiAuthFilter implements HttpAdapterFilter { OAuth2Manager manager = OAuth2Manager.getInstance(); HashSet scopeSet = manager.getApiScopeMap().get(apiId); - - String[] scopeArr = signedJWT.getJWTClaimsSet().getStringArrayClaim(PAYLOAD_PARAM_NAME_SCOPE); - if (scopeArr == null || scopeArr.length == 0) { - throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL, - String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString())); - } - for (String scope : scopeArr) { - if (StringUtils.equals(scope, "oob") || StringUtils.equals(scope, "public")) { - isPassScope = true; - } - } + // API에 scope 설정이 안되어 있는 경우, scope 체크를 pass하고 나중에 client API 맵을 체크한다. + if(CollectionUtils.isEmpty(scopeSet)) + isPassScope = true; - if (!isPassScope) { - if (!verifyScope(scopeSet, signedJWT)) { + if(!isPassScope) { + String[] scopeArr = signedJWT.getJWTClaimsSet().getStringArrayClaim(PAYLOAD_PARAM_NAME_SCOPE); + if (scopeArr == null || scopeArr.length == 0) { throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL, String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString())); } + + for (String scope : scopeArr) { + if (StringUtils.equals(scope, "oob") || StringUtils.equals(scope, "public")) { + isPassScope = true; + } + } + + if (!isPassScope) { + if (!verifyScope(scopeSet, signedJWT)) { + throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL, + String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString())); + } + } } - + // header 값으로 전송된 clientId와 토큰 소유 clientId check if (!verifyClientId(prop, signedJWT)) { throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "client_id not matched(header/token)");