From 85da7076c9f33a4feb0ed4f0be74617f482f1c4d Mon Sep 17 00:00:00 2001
From: xihxxn
Date: Mon, 1 Jun 2026 13:42:22 +0900
Subject: [PATCH 1/2] =?UTF-8?q?[Security]=20ADMIN=20=EC=A0=84=EC=9A=A9=20A?= =?UTF-8?q?PI=20=EC=97=94=EB=93=9C=ED=8F=AC=EC=9D=B8=ED=8A=B8=20=EC=A0=91?= =?UTF-8?q?=EA=B7=BC=20=EC=A0=9C=EC=96=B4=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../project/global/config/SecurityConfig.java | 34 +++++++++++--------
 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/backend/src/main/java/com/example/Piroin/project/global/config/SecurityConfig.java b/backend/src/main/java/com/example/Piroin/project/global/config/SecurityConfig.java
index bbcd7cd..aa250a8 100644
--- a/backend/src/main/java/com/example/Piroin/project/global/config/SecurityConfig.java
+++ b/backend/src/main/java/com/example/Piroin/project/global/config/SecurityConfig.java
@@ -35,18 +35,9 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .authorizeHttpRequests(auth -> auth
- // 로그인 페이지는 로그인 안 된 상태에서 접근 가능
+ // 로그인
 .requestMatchers("/api/auth/login").permitAll()
- // curriculum: GET은 로그인한 누구나, POST/PATCH/DELETE는 ADMIN만 -> 이중 보안 느낌
- .requestMatchers(HttpMethod.GET, "/api/curriculums").authenticated()
- .requestMatchers(HttpMethod.POST, "/api/curriculums").hasRole("ADMIN")
- .requestMatchers(HttpMethod.PATCH, "/api/curriculums/{sessionDate}").hasRole("ADMIN")
- .requestMatchers(HttpMethod.DELETE, "/api/curriculums/{sessionDate}").hasRole("ADMIN")
-
- // understanding check: 생성은 ADMIN만 가능
- .requestMatchers(HttpMethod.POST, "/api/sessions/{sessionId}/understanding-checks").hasRole("ADMIN")
-
 // Swagger
 .requestMatchers(
 "/swagger-ui/**",
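Review bot: The replacement comment `// 로그인` above `.requestMatchers("/api/auth/login").permitAll()` drops the one fact the removed comment carried, namely that this is the single path deliberately reachable without a token, which is exactly what a later reader of an allow-list wants to see stated. A comment such as `// login endpoint: the only route reachable without authentication` keeps that intent visible next to the permitAll rule. filterChain starts and ends outside the hunk.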
@@ -57,10 +48,25 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 // Actuator health check
 .requestMatchers("/actuator/health").permitAll()
- // 다른 도메인 권한 설정 필요 시 위 패턴 참고해서 추가
- // 단, 추가하지 않아도 무방함
- // 이유 1. anyRequest().authenticated()로 비로그인 접근 차단
- // 이유 2. 프론트에서 ADMIN 전용 버튼/기능을 UI 단에서 숨김 처리
+ // ADMIN 전용 엔드포인트
+ .requestMatchers("/api/admin/**").hasRole("ADMIN")
+
+ .requestMatchers(HttpMethod.POST, "/api/curriculums").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.PATCH, "/api/curriculums/{sessionDate}").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.DELETE, "/api/curriculums/{sessionDate}").hasRole("ADMIN")
+
+ .requestMatchers(HttpMethod.POST, "/api/assignments/create").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.PATCH, "/api/assignments/modify/{assignmentId}").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.DELETE, "/api/assignments/{assignmentId}").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.GET, "/api/assignments/{week}/view").hasRole("ADMIN")
+
+ .requestMatchers(HttpMethod.GET, "/api/deposit/{userId}/deposit/view").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.PATCH, "/api/deposit/{userId}/deposit/defence").hasRole("ADMIN")
+
+ .requestMatchers(HttpMethod.POST, "/api/sessions/{sessionId}/understanding-checks").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.PATCH, "/api/questions/{questionId}/status").hasRole("ADMIN")
+
+ // 나머지는 로그인한 사용자면 접근 가능
 .anyRequest().authenticated()
 )
From cf8e9dba8760716c1a6722ee63b22113cb70eb64 Mon Sep 17 00:00:00 2001
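Review bot: The per-endpoint `hasRole("ADMIN")` list added here (the `/api/curriculums`, `/api/assignments`, `/api/deposit`, `/api/sessions` and `/api/questions` matchers) sits in front of `.anyRequest().authenticated()`, so any admin-only controller method added later without a matching entry falls through and is reachable by every authenticated user; the removed comment explicitly relied on the front end hiding such features, which is not a server-side control. Enforcing the role at the handler as well, with `@EnableMethodSecurity` on the configuration and `@PreAuthorize("hasRole('ADMIN')")` on the admin handlers, or routing new admin endpoints under the `/api/admin/**` pattern this hunk already protects, makes the URL list a second layer rather than the only one. A comment above the list such as `// keep in sync with the controllers: an admin route missing here falls through to anyRequest().authenticated()` would make that maintenance obligation explicit. `hasRole("ADMIN")` only matches an authority named `ROLE_ADMIN`, so the token-to-Authentication mapping, which is not visible here, must add that prefix or none of these rules will ever grant access. filterChain starts and ends outside the hunk.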
From: xihxxn
Date: Mon, 1 Jun 2026 15:35:10 +0900
Subject: [PATCH 2/2] =?UTF-8?q?[Security]=20formLogin/httpBasic=20?= =?UTF-8?q?=EB=B9=84=ED=99=9C=EC=84=B1=ED=99=94=20=EB=B0=8F=20ADMIN=20?= =?UTF-8?q?=EC=A0=84=EC=9A=A9=20=EC=97=94=EB=93=9C=ED=8F=AC=EC=9D=B8?= =?UTF-8?q?=ED=8A=B8=20=EC=A0=91=EA=B7=BC=20=EC=A0=9C=EC=96=B4=20=EC=B6=94?= =?UTF-8?q?=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../example/Piroin/project/global/config/SecurityConfig.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/backend/src/main/java/com/example/Piroin/project/global/config/SecurityConfig.java b/backend/src/main/java/com/example/Piroin/project/global/config/SecurityConfig.java
index aa250a8..083a9e9 100644
--- a/backend/src/main/java/com/example/Piroin/project/global/config/SecurityConfig.java
+++ b/backend/src/main/java/com/example/Piroin/project/global/config/SecurityConfig.java
@@ -31,6 +31,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 // 이 설정이 없으면 preflight(OPTIONS) 요청이 Security 단에서 차단되어 405 반환
 .cors(cors -> cors.configurationSource(corsConfigurationSource))
 .csrf(AbstractHttpConfigurer::disable)
+ .formLogin(AbstractHttpConfigurer::disable)
+ .httpBasic(AbstractHttpConfigurer::disable)
 .sessionManagement(session ->
 session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .authorizeHttpRequests(auth -> auth
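Review bot: With `formLogin` and `httpBasic` both disabled on the lines added here, the chain no longer registers an AuthenticationEntryPoint of its own, so unless an entry point is configured on `exceptionHandling()` somewhere outside this hunk, an unauthenticated request is answered by Spring Security's fallback Http403ForbiddenEntryPoint with 403 instead of the 401 (or login redirect) the previous defaults produced. That makes a missing or expired token indistinguishable from an ADMIN-role denial, both for clients deciding whether to re-authenticate and for anyone alerting on 401/403 ratios. Adding `.exceptionHandling(ex -> ex.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))` after the two new lines restores the distinction; HttpStatusEntryPoint and HttpStatus would need to be imported, and the same spot is where an AccessDeniedHandler belongs if 403 responses should carry a consistent body. filterChain starts and ends outside the hunk.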