fix(security): 인증 에러 401 응답 + CORS 헤더 누락 수정

- AuthenticationEntryPoint 추가: 미인증 요청에 403 대신 401 반환
- AccessDeniedHandler 추가: 권한 부족 시 403 + JSON body 반환
- CORS 설정 범위를 /api/** → /** 로 확장하여 에러 응답에도 CORS 헤더 포함
- exposedHeaders에 Authorization 추가

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/main/java/com/gcsc/guide/config/SecurityConfig.java

@@ -1,10 +1,13 @@
 package com.gcsc.guide.config;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.gcsc.guide.auth.JwtAuthenticationFilter;
+import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.MediaType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -14,7 +17,9 @@ import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
+import java.time.LocalDateTime;
 import java.util.List;
+import java.util.Map;
 
 @Configuration
 @EnableWebSecurity
@@ -22,6 +27,7 @@ import java.util.List;
 public class SecurityConfig {
 
     private final JwtAuthenticationFilter jwtAuthenticationFilter;
+    private final ObjectMapper objectMapper;
 
     @Value("${app.cors.allowed-origins:http://localhost:5173,https://guide.gc-si.dev}")
     private List<String> allowedOrigins;
@@ -46,6 +52,30 @@ public class SecurityConfig {
                 .requestMatchers("/api/admin/**").authenticated()
                 .anyRequest().authenticated()
             )
+            .exceptionHandling(ex -> ex
+                .authenticationEntryPoint((request, response, authException) -> {
+                    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+                    response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+                    response.setCharacterEncoding("UTF-8");
+                    objectMapper.writeValue(response.getOutputStream(), Map.of(
+                        "status", 401,
+                        "error", "Unauthorized",
+                        "message", "인증이 필요합니다. JWT 토큰을 Authorization 헤더에 포함하세요.",
+                        "timestamp", LocalDateTime.now().toString()
+                    ));
+                })
+                .accessDeniedHandler((request, response, accessDeniedException) -> {
+                    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+                    response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+                    response.setCharacterEncoding("UTF-8");
+                    objectMapper.writeValue(response.getOutputStream(), Map.of(
+                        "status", 403,
+                        "error", "Forbidden",
+                        "message", "접근 권한이 없습니다.",
+                        "timestamp", LocalDateTime.now().toString()
+                    ));
+                })
+            )
             .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()))
             .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
 
@@ -58,11 +88,12 @@ public class SecurityConfig {
         config.setAllowedOrigins(allowedOrigins);
         config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
         config.setAllowedHeaders(List.of("*"));
+        config.setExposedHeaders(List.of("Authorization"));
         config.setAllowCredentials(true);
         config.setMaxAge(3600L);
 
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-        source.registerCorsConfiguration("/api/**", config);
+        source.registerCorsConfiguration("/**", config);
         return source;
     }
 }