scope체크로직 수정

This commit is contained in:
Yunsam.Eo
2025-12-14 16:36:18 +09:00
parent 6b71d4414c
commit efb829403f
@@ -109,6 +109,7 @@ public class ApiAuthFilter implements HttpAdapterFilter {
return message;
}
boolean isPassScope = false;
switch (eaiMessage.getAuthType()){
case "oauth":
try {
@@ -127,10 +128,25 @@ public class ApiAuthFilter implements HttpAdapterFilter {
OAuth2Manager manager = OAuth2Manager.getInstance();
HashSet<String> scopeSet = manager.getApiScopeMap().get(apiId);
if (!verifyScope(scopeSet, signedJWT)) {
String[] scopeArr = signedJWT.getJWTClaimsSet().getStringArrayClaim(PAYLOAD_PARAM_NAME_SCOPE);
if (scopeArr == null || scopeArr.length == 0) {
throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL,
String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString()));
}
for (String scope : scopeArr) {
if (StringUtils.equals(scope, "oob") || StringUtils.equals(scope, "public")) {
isPassScope = true;
}
}
if (!isPassScope) {
if (!verifyScope(scopeSet, signedJWT)) {
throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL,
String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString()));
}
}
// header 값으로 전송된 clientId와 토큰 소유 clientId check
if (!verifyClientId(prop, signedJWT)) {
@@ -144,26 +160,6 @@ public class ApiAuthFilter implements HttpAdapterFilter {
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid");
}
break;
// case "bearer":
// try {
// String token = ApiAuthFilter.extractJWTToken(request);
// BearerTokenInfo CATokenInfo = CATokenStore.get(token);
//
// if (CATokenInfo == null) {
// throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid");
// }
//
// if (CATokenInfo.isExpired()) {
// throw new JwtAuthException(ERROR_TOKEN_EXPIRED, "Access token expired");
// }
// } catch (JwtAuthException e) {
// logger.debug(e.getMessage());
// throw e;
// } catch (Exception e) {
// logger.error(e.getMessage());
// throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid");
// }
// break;
case "api_key":
String apiKeyName = PropManager.getInstance().getProperty("ApiConfig", "api.key.name", "x-api-key");
String apiKey = request.getHeader(apiKeyName);
@@ -171,19 +167,22 @@ public class ApiAuthFilter implements HttpAdapterFilter {
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Invalid or missing API key \""+apiKeyName+"\" in Http Header");
}
prop.setProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID, apiKey);
isPassScope = true;
break;
case "none":
return message;
}
String clientId = prop.getProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID);
ClientVO clientVO = OAuth2Manager.getInstance().getClientVO(clientId);
if(clientVO == null){
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered APP");
}
if (isPassScope) {
String clientId = prop.getProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID);
ClientVO clientVO = OAuth2Manager.getInstance().getClientVO(clientId);
if(clientVO == null){
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered APP");
}
if(clientVO.getApiMap().containsKey(eaiSvcCd) == false){
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered API ["+eaiSvcCd+"] in ["+clientVO.getClientName()+"] APP");
if(clientVO.getApiMap().containsKey(eaiSvcCd) == false){
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered API ["+eaiSvcCd+"] in ["+clientVO.getClientName()+"] APP");
}
}
return message;