보안
패키지 생성(보안 관련)
package com.itwillbs.security;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
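/**
 * Handles HTTP 403 (access denied) by redirecting the user to the application's
 * access-error page instead of returning Spring Security's default "Forbidden" response.
 *
 * <p>Registered in security-context.xml as the {@code customAccessDenied} bean and wired
 * in through {@code <security:access-denied-handler ref="customAccessDenied"/>}.
 */
public class CustomAccessDeniedHandler implements AccessDeniedHandler{

    /**
     * Redirects the denied request to {@code /sample/accessError} under the current context path.
     *
     * @param request the request that was denied
     * @param response the response to redirect; left untouched if it was already committed
     * @param accessDeniedException the denial raised by the security filter chain
     * @throws IOException if the redirect cannot be written
     * @throws ServletException never thrown here; declared by the interface
     */
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException accessDeniedException) throws IOException, ServletException {
        System.out.println("CustomAccessDeniedHandler Access()");
        // Keep the denial reason on the server side only; it is never written to the client.
        System.out.println("Access denied: " + accessDeniedException);
        // sendRedirect() throws IllegalStateException once the response is committed,
        // so return quietly instead of failing inside the security filter chain.
        if (response.isCommitted()) {
            return;
        }
        // The target is a fixed path appended to the context path; nothing request-controlled
        // reaches the Location header, so this cannot be turned into an open redirect.
        response.sendRedirect(request.getContextPath() + "/sample/accessError");
    }
}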
security-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Bean for the custom 403 handler; referenced below by access-denied-handler ref -->
<bean id="customAccessDenied" class="com.itwillbs.security.CustomAccessDeniedHandler"></bean>
<!-- URL authorization rules -->
<security:http>
<!-- Restrict access to specific URLs through the security interceptor: each rule names a pattern and an access expression.
     Only these three paths are listed. NOTE(review): requests matching none of them are not covered by these rules; confirm the intended default for unmatched URLs. -->
<security:intercept-url pattern="/sample/all" access="permitAll"/>
<security:intercept-url pattern="/sample/member" access="hasRole('ROLE_MEMBER')"/>
<security:intercept-url pattern="/sample/admin" access="hasRole('ROLE_ADMIN')"/>
<!-- Login page: with no attributes, Spring Security serves its own generated login form -->
<security:form-login/>
<!-- HTTP status 403 Forbidden => which page to send the user to -->
<!-- <security:access-denied-handler error-page="가상주소"/> -->
<!-- <security:access-denied-handler error-page="/sample/accessError"/> -->
<!-- Use the custom handler bean above instead of a plain error-page; the class decides where to redirect -->
<security:access-denied-handler ref="customAccessDenied" />
</security:http>
<!--
Authentication
security:authentication-manager : the authentication manager
  (1) backed by a provider manager
  (2) which delegates to an authentication-provider to perform the authentication
  (3) which uses a UserDetailsService to return the user's details together with the authorities that user holds
-->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<!-- Without an {id} prefix on the password Spring Security fails with: There is no PasswordEncoder mapped for the id "null" -->
<!-- {noop} : the password is stored and compared as plain text, no PasswordEncoder is applied.
     Demo only: these credentials sit unhashed in the config file. A real deployment would keep users
     outside the XML and store hashed passwords (e.g. the {bcrypt} id) so the encoder can verify them. -->
<security:user name="member" password="{noop}1234" authorities="ROLE_MEMBER"/>
<security:user name="admin" password="{noop}1234" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
로그인 페이지 만들기
SampleController.java 주소 매핑
package com.itwillbs.sec;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
/**
 * Demo endpoints for exercising the URL rules in security-context.xml:
 * {@code /sample/all} (permitAll), {@code /sample/member} (ROLE_MEMBER),
 * {@code /sample/admin} (ROLE_ADMIN), plus the access-error view and the custom
 * login page. Every handler returns void, so the view is resolved from the request path.
 */
@Controller
@RequestMapping("/sample/*")
public class SampleController {

    /** Writes one trace line to stdout; this class has no logger configured. */
    private static void trace(String line) {
        System.out.println(line);
    }

    /** Open to everyone (permitAll). */
    @GetMapping("/all")
    public void doAll() {
        trace("doAll()");
    }

    /** Requires ROLE_MEMBER. */
    @GetMapping("/member")
    public void doMember() {
        trace("doMember()");
    }

    /** Requires ROLE_ADMIN. */
    @GetMapping("/admin")
    public void doAdmin() {
        trace("doAdmin()");
    }

    /**
     * Target of CustomAccessDeniedHandler's redirect after a 403.
     *
     * @param model receives the fixed "msg" attribute shown by the view
     * @param auth the current authentication, printed as-is for tracing;
     *             NOTE(review): may be an anonymous token or absent for a
     *             request that never authenticated, so do not rely on it here
     */
    @GetMapping("/accessError")
    public void doAccessError(Model model, Authentication auth) {
        trace("doAccessError()");
        trace(String.valueOf(auth));
        model.addAttribute("msg","Access Denied");
    }

    /** Renders sample/customLogin, the page named by form-login login-page in security-context.xml. */
    @GetMapping("/customLogin")
    public void doCustomLogin() {
        trace("doCustomLogin()");
    }
}
sample/customLogin.jsp 생성
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%-- Custom login page referenced by form-login login-page="/sample/customLogin" in security-context.xml
     and served by SampleController.doCustomLogin(). Placeholder only: there is no login <form> yet.
     NOTE(review): when the form is added it must POST the username and password fields expected by
     form-login and, if CSRF protection is enabled, include the CSRF token; confirm both against the config. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>sample/customLogin.jsp</title>
</head>
<body>
<h1>sample/customLogin.jsp</h1>
</body>
</html>
security-context.xml 수정
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Bean for the custom 403 handler; referenced below by access-denied-handler ref -->
<bean id="customAccessDenied" class="com.itwillbs.security.CustomAccessDeniedHandler"></bean>
<!-- URL authorization rules -->
<security:http>
<!-- Restrict access to specific URLs through the security interceptor: each rule names a pattern and an access expression.
     Only these three paths are listed. NOTE(review): requests matching none of them are not covered by these rules; confirm the intended default for unmatched URLs. -->
<security:intercept-url pattern="/sample/all" access="permitAll"/>
<security:intercept-url pattern="/sample/member" access="hasRole('ROLE_MEMBER')"/>
<security:intercept-url pattern="/sample/admin" access="hasRole('ROLE_ADMIN')"/>
<!-- Login page: the generated default form is replaced by our own JSP -->
<!-- <security:form-login/> -->
<!-- login-page points at SampleController.doCustomLogin() / sample/customLogin.jsp. No intercept-url covers it;
     NOTE(review): it must stay reachable without a session, otherwise an unauthenticated user is redirected to it in a loop. -->
<security:form-login login-page="/sample/customLogin"/>
<!-- HTTP status 403 Forbidden => which page to send the user to -->
<!-- <security:access-denied-handler error-page="가상주소"/> -->
<!-- <security:access-denied-handler error-page="/sample/accessError"/> -->
<!-- Use the custom handler bean above instead of a plain error-page; the class decides where to redirect -->
<security:access-denied-handler ref="customAccessDenied" />
</security:http>
<!--
Authentication
security:authentication-manager : the authentication manager
  (1) backed by a provider manager
  (2) which delegates to an authentication-provider to perform the authentication
  (3) which uses a UserDetailsService to return the user's details together with the authorities that user holds
-->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<!-- Without an {id} prefix on the password Spring Security fails with: There is no PasswordEncoder mapped for the id "null" -->
<!-- {noop} : the password is stored and compared as plain text, no PasswordEncoder is applied.
     Demo only: these credentials sit unhashed in the config file. A real deployment would keep users
     outside the XML and store hashed passwords (e.g. the {bcrypt} id) so the encoder can verify them. -->
<security:user name="member" password="{noop}1234" authorities="ROLE_MEMBER"/>
<!-- admin now also holds ROLE_MEMBER, so /sample/member is allowed for it: hasRole() checks the
     listed authorities one by one, no role hierarchy is configured here -->
<security:user name="admin" password="{noop}1234" authorities="ROLE_ADMIN, ROLE_MEMBER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>