diff --git a/src/main/java/com/kamco/cd/kamcoback/auth/MenuAuthorizationManager.java b/src/main/java/com/kamco/cd/kamcoback/auth/MenuAuthorizationManager.java
index 0cc3db39..021332e9 100644
--- a/src/main/java/com/kamco/cd/kamcoback/auth/MenuAuthorizationManager.java
+++ b/src/main/java/com/kamco/cd/kamcoback/auth/MenuAuthorizationManager.java
@@ -45,19 +45,50 @@ public class MenuAuthorizationManager implements AuthorizationManager allowedMenus = menuAuthQueryRepository.findAllowedMenuUrlsByRole(role);
+ boolean isAdmin = "ADMIN".equalsIgnoreCase(role);
+ // URL별 권한 조회
+ List matchedMenus = menuAuthQueryRepository.findMenusByRequestPath(requestPath);
+
+ boolean isProtectedUrl = matchedMenus != null && !matchedMenus.isEmpty();
+
+ // URL별 권한에 라벨러, 검수자 권한이 있으면 , ADMIN도 false
+ if (isProtectedUrl) {
+ List allowedMenus = menuAuthQueryRepository.findAllowedMenuUrlsByRole(role);
+ if (allowedMenus == null || allowedMenus.isEmpty()) {
+ return new AuthorizationDecision(false);
+ }
+
+ for (MenuEntity menu : allowedMenus) {
+ String baseUri = menu.getMenuUrl();
+ if (baseUri == null || baseUri.isBlank()) {
+ continue;
+ }
+
+ if (matchUri(baseUri, requestPath)) {
+ return new AuthorizationDecision(true);
+ }
+ }
+ return new AuthorizationDecision(false);
+ }
+
+ // ✅ 3) 보호 URL이 아니면 ADMIN은 전부 허용
+ if (isAdmin) {
+ return new AuthorizationDecision(true);
+ }
+
+ // ✅ 4) 일반 role은 기존대로 매핑 기반
+ List allowedMenus = menuAuthQueryRepository.findAllowedMenuUrlsByRole(role);
 if (allowedMenus == null || allowedMenus.isEmpty()) {
 return new AuthorizationDecision(false);
 }
- // menu_url(prefix) 기반 접근 허용 판단
 for (MenuEntity menu : allowedMenus) {
 String baseUri = menu.getMenuUrl();
 if (baseUri == null || baseUri.isBlank()) {
 continue;
 }
+ if (matchUri(baseUri, requestPath)) {
 return new AuthorizationDecision(true);
 }
diff --git a/src/main/java/com/kamco/cd/kamcoback/config/SecurityConfig.java b/src/main/java/com/kamco/cd/kamcoback/config/SecurityConfig.java
index 1acaf5f4..dca50109 100644
--- a/src/main/java/com/kamco/cd/kamcoback/config/SecurityConfig.java
+++ b/src/main/java/com/kamco/cd/kamcoback/config/SecurityConfig.java
@@ -83,9 +83,10 @@ public class SecurityConfig {
 .requestMatchers("/api/user/**")
 .authenticated()
 .anyRequest()
- // .access(redisAuthorizationManager)
+ .access(menuAuthorizationManager)
- .authenticated())
+ // .authenticated()
+ )
 .addFilterBefore(
 jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter
diff --git a/src/main/java/com/kamco/cd/kamcoback/postgres/repository/menu/MenuRepositoryCustom.java b/src/main/java/com/kamco/cd/kamcoback/postgres/repository/menu/MenuRepositoryCustom.java
index 775ff647..c1e7db63 100644
--- a/src/main/java/com/kamco/cd/kamcoback/postgres/repository/menu/MenuRepositoryCustom.java
+++ b/src/main/java/com/kamco/cd/kamcoback/postgres/repository/menu/MenuRepositoryCustom.java
@@ -22,4 +22,12 @@ public interface MenuRepositoryCustom {
 * @return
 */
 List findAllowedMenuUrlsByRole(String role);
+
+ /**
+ * url별 역할
+ *
+ * @param requestPath
+ * @return
+ */
+ List findMenusByRequestPath(String requestPath);
 }
diff --git a/src/main/java/com/kamco/cd/kamcoback/postgres/repository/menu/MenuRepositoryImpl.java b/src/main/java/com/kamco/cd/kamcoback/postgres/repository/menu/MenuRepositoryImpl.java
index 62a91213..b4919fd4 100644
--- a/src/main/java/com/kamco/cd/kamcoback/postgres/repository/menu/MenuRepositoryImpl.java
+++ b/src/main/java/com/kamco/cd/kamcoback/postgres/repository/menu/MenuRepositoryImpl.java
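Review bot: The Javadoc on the new `findMenusByRequestPath` declaration in the MenuRepositoryCustom hunk does not state the contract: the summary 'url별 역할' reads as roles-per-URL, but the implementation in MenuRepositoryImpl returns menuEntity rows joined through menuMappEntity whose menuUrl equals the given path, and both `@param requestPath` and `@return` are left empty. Suggest a summary such as `Returns the active, non-deleted menus that have a mapping row and whose menuUrl exactly equals {@code requestPath}.`, with `@param requestPath request path to look up (compared for exact equality)` and `@return matching menus, empty when none`. Spelling out exact-versus-prefix matters here because MenuAuthorizationManager uses this result as its "protected URL" signal while its own access check goes through matchUri. It would also help to state that the result is never null, since the QueryDSL `fetch()` in the implementation returns an empty list, which would let the manager drop its `matchedMenus != null` guard.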
@@ -79,4 +79,21 @@ public class MenuRepositoryImpl implements MenuRepositoryCustom {
 .orderBy(menuEntity.menuOrder.asc().nullsLast())
 .fetch();
 }
+
+ @Override
+ public List findMenusByRequestPath(String requestPath) {
+ return queryFactory
+ .selectDistinct(menuEntity)
+ .from(menuMappEntity)
+ .join(menuMappEntity.menuUid, menuEntity)
+ .where(
+ menuMappEntity.deleted.isFalse(),
+ menuEntity.deleted.isFalse(),
+ menuEntity.isUse.isTrue(),
+ menuEntity.menuUrl.isNotNull(),
+ menuEntity.menuUrl.isNotEmpty(),
+ menuEntity.menuUrl.eq(requestPath))
+ .orderBy(menuEntity.menuOrder.asc().nullsLast())
+ .fetch();
+ }
 }
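Review bot: `menuEntity.menuUrl.eq(requestPath)` in the new findMenusByRequestPath classifies a request as protected only when the path equals a menuUrl exactly, whereas MenuAuthorizationManager (first hunk) grants access through `matchUri(baseUri, requestPath)` and the comment it removes describes menu_url as a prefix. If matchUri is a prefix match, a request below a protected menu URL, or the same path with a trailing slash, gets an empty list here, `isProtectedUrl` becomes false, and the `isAdmin` short-circuit in that hunk allows it without consulting the role mapping — so the "ADMIN도 false" rule only holds for exact paths, and requestPath would need identical normalization on both sides. Either express the same matching rule in this query, or return the candidate rows unfiltered by path and let the manager apply matchUri to them, so one predicate decides both classification and access. The `isNotNull()` and `isNotEmpty()` predicates are redundant once `eq(requestPath)` is in the where clause, unless requestPath itself can be empty. The method in the manager hunk runs past that hunk's visible end, so its fall-through after the last loop is not shown here.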