
@ExceptionHandler does not work in a Controller that has Spring method security applied.

Open raycon opened this issue 3 years ago • 1 comments

In a @WebMvcTest environment, given a controller A declared with @RestController, if one of its methods has @PreAuthorize("hasAuthority('SOME_AUTHORITY')") applied, then when another method of the controller throws an exception, it is not caught there, even though the controller contains a method declared with @ExceptionHandler.

Why does this happen??

When the application is actually run, it works fine.

The Spring Security documentation has this: https://docs.spring.io/spring-security/site/docs/5.4.6/reference/html5/#test-mockmvc

Spring Boot test documentation: https://docs.spring.io/spring-boot/docs/current/reference/html/howto.html#howto-use-test-with-spring-security

List of configurations that @WebMvcTest auto-configures:

org.springframework.boot.autoconfigure.cache.CacheAutoConfiguration
org.springframework.boot.autoconfigure.context.MessageSourceAutoConfiguration
org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration
org.springframework.boot.autoconfigure.freemarker.FreeMarkerAutoConfiguration
org.springframework.boot.autoconfigure.groovy.template.GroovyTemplateAutoConfiguration
org.springframework.boot.autoconfigure.gson.GsonAutoConfiguration
org.springframework.boot.autoconfigure.hateoas.HypermediaAutoConfiguration
org.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration
org.springframework.boot.autoconfigure.jsonb.JsonbAutoConfiguration
org.springframework.boot.autoconfigure.mustache.MustacheAutoConfiguration
org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration
org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration
org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
org.springframework.boot.autoconfigure.task.TaskExecutionAutoConfiguration
org.springframework.boot.autoconfigure.thymeleaf.ThymeleafAutoConfiguration
org.springframework.boot.autoconfigure.validation.ValidationAutoConfiguration
org.springframework.boot.autoconfigure.web.servlet.HttpEncodingAutoConfiguration
org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration
org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration
org.springframework.boot.test.autoconfigure.web.servlet.MockMvcAutoConfiguration
org.springframework.boot.test.autoconfigure.web.servlet.MockMvcSecurityConfiguration
org.springframework.boot.test.autoconfigure.web.servlet.MockMvcWebClientAutoConfiguration
org.springframework.boot.test.autoconfigure.web.servlet.MockMvcWebDriverAutoConfiguration

Officially, applying method-level security is recommended at the service layer.

Generally we would recommend applying method security at the service layer rather than on individual web controllers.

https://stackoverflow.com/questions/3087548/can-spring-security-use-preauthorize-on-spring-controllers-methods/11347824#11347824

If you do not use GlobalMethodSecurity and instead specify .antMatchers("url").hasAuthority("some_authority") for each endpoint in the WebSecurityConfigurer, no proxy is applied and it behaves as intended.

raycon avatar Apr 15 '21 08:04 raycon
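The set-up the note describes and the URL-based alternative it recommends, written out as an added Java illustration (this is not code from the original issue); the controller, paths and class names are hypothetical, and it assumes a Spring Security 5.x project in which WebSecurityConfigurerAdapter is still available:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class ReportController {  // hypothetical controller

    // With @EnableGlobalMethodSecurity(prePostEnabled = true) active, this annotation
    // makes Spring wrap the whole controller in a method-security proxy.
    @PreAuthorize("hasAuthority('SOME_AUTHORITY')")
    @GetMapping("/reports")
    String reports() {
        return "reports";
    }

    // No security annotation here, but it lives in the same proxied controller.
    @GetMapping("/reports/fail")
    String fail() {
        throw new IllegalStateException("boom");
    }

    // Meant to turn the exception into a 400; the note reports that under
    // @WebMvcTest it is not invoked once the controller is proxied.
    @ExceptionHandler(IllegalStateException.class)
    ResponseEntity<String> onIllegalState(IllegalStateException e) {
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(e.getMessage());
    }
}

// The alternative the note recommends: keep the authority check in the web security
// configuration instead of on the controller method, so no method-security proxy is
// created and the @ExceptionHandler behaves as intended.
@Configuration
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {  // hypothetical config
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/reports").hasAuthority("SOME_AUTHORITY")
            .anyRequest().authenticated();
    }
}
```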

https://github.com/spring-projects/spring-framework/issues/25842

raycon avatar Apr 15 '21 08:04 raycon