
240318 WEB - 보안 1

001cloudid 2024. 3. 18. 17:45

필터와 인터셉터를 이용한 웹 시큐리티 적용

 

새로운 프로젝트 springSecurity 생성

 

pom.xml에 Spring Security관련 태그 넣어주기(core, web, config, taglibs)

 

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Maven build for the springSecurity lesson project: Spring MVC 5.0.7 plus the four Spring Security modules (core, web, config, taglibs), packaged as a war. -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/maven-v4_0_0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>com.itwillbs</groupId>
	<artifactId>sec</artifactId>
	<name>springSecurity</name>
	<packaging>war</packaging>
	<version>1.0.0-BUILD-SNAPSHOT</version>
	<properties>
		<!-- NOTE(review): java-version is declared but never referenced; the maven-compiler-plugin below still hard-codes 1.6 (see the note there). -->
		<java-version>11</java-version>
		<!-- This one property drives both the Spring Framework and the Spring Security artifact versions (see the note in the security section). -->
		<org.springframework-version>5.0.7.RELEASE</org.springframework-version>
		<org.aspectj-version>1.6.10</org.aspectj-version>
		<org.slf4j-version>1.6.6</org.slf4j-version>
	</properties>
	<dependencies>
		<!-- Spring -->
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-context</artifactId>
			<version>${org.springframework-version}</version>
			<exclusions>
				<!-- Exclude Commons Logging in favor of SLF4j -->
				<exclusion>
					<groupId>commons-logging</groupId>
					<artifactId>commons-logging</artifactId>
				 </exclusion>
			</exclusions>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-webmvc</artifactId>
			<version>${org.springframework-version}</version>
		</dependency>

	<!-- security : core, web, config, taglibs -->
	<!-- NOTE(review): Spring Security is released on its own schedule, not Spring Framework's. Reusing org.springframework-version only works while a Spring Security release with that exact number exists (confirm 5.0.7.RELEASE resolves); a separate org.springframework.security-version property keeps the build from breaking when either side is bumped. -->
	<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
	<dependency>
	    <groupId>org.springframework.security</groupId>
	    <artifactId>spring-security-core</artifactId>
	    <version>${org.springframework-version}</version>
	</dependency>
	
	<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-web -->
	<dependency>
	    <groupId>org.springframework.security</groupId>
	    <artifactId>spring-security-web</artifactId>
	    <version>${org.springframework-version}</version>
	</dependency>
	
	<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-config -->
	<!-- config provides the XML namespace (security:http, security:authentication-manager) used in security-context.xml -->
	<dependency>
	    <groupId>org.springframework.security</groupId>
	    <artifactId>spring-security-config</artifactId>
	    <version>${org.springframework-version}</version>
	</dependency>
	<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-taglibs -->
	<dependency>
	    <groupId>org.springframework.security</groupId>
	    <artifactId>spring-security-taglibs</artifactId>
	    <version>${org.springframework-version}</version>
	</dependency>
	
	<!-- end of security -->
				
		<!-- AspectJ -->
		<dependency>
			<groupId>org.aspectj</groupId>
			<artifactId>aspectjrt</artifactId>
			<version>${org.aspectj-version}</version>
		</dependency>	
		
		<!-- Logging -->
		<!-- NOTE(review): slf4j-log4j12 binds SLF4J to the log4j 1.2.15 artifact below. log4j 1.x is end-of-life and receives no security fixes, so a maintained backend (logback, or reload4j as a drop-in) should replace it. -->
		<dependency>
			<groupId>org.slf4j</groupId>
			<artifactId>slf4j-api</artifactId>
			<version>${org.slf4j-version}</version>
		</dependency>
		<dependency>
			<groupId>org.slf4j</groupId>
			<artifactId>jcl-over-slf4j</artifactId>
			<version>${org.slf4j-version}</version>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>org.slf4j</groupId>
			<artifactId>slf4j-log4j12</artifactId>
			<version>${org.slf4j-version}</version>
			<scope>runtime</scope>
		</dependency>
		<dependency>
			<groupId>log4j</groupId>
			<artifactId>log4j</artifactId>
			<version>1.2.15</version>
			<!-- The excluded transitive artifacts are not in Maven Central; without these exclusions 1.2.15 does not resolve -->
			<exclusions>
				<exclusion>
					<groupId>javax.mail</groupId>
					<artifactId>mail</artifactId>
				</exclusion>
				<exclusion>
					<groupId>javax.jms</groupId>
					<artifactId>jms</artifactId>
				</exclusion>
				<exclusion>
					<groupId>com.sun.jdmk</groupId>
					<artifactId>jmxtools</artifactId>
				</exclusion>
				<exclusion>
					<groupId>com.sun.jmx</groupId>
					<artifactId>jmxri</artifactId>
				</exclusion>
			</exclusions>
			<scope>runtime</scope>
		</dependency>

		<!-- @Inject -->
		<dependency>
			<groupId>javax.inject</groupId>
			<artifactId>javax.inject</artifactId>
			<version>1</version>
		</dependency>
				
		<!-- Servlet -->
		<!-- servlet-api 2.5 / jsp-api 2.1 are supplied by the container ("provided") and match the version="2.5" descriptor used in web.xml -->
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>servlet-api</artifactId>
			<version>2.5</version>
			<scope>provided</scope>
		</dependency>
		<dependency>
			<groupId>javax.servlet.jsp</groupId>
			<artifactId>jsp-api</artifactId>
			<version>2.1</version>
			<scope>provided</scope>
		</dependency>
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>jstl</artifactId>
			<version>1.2</version>
		</dependency>
	
		<!-- Test -->
		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<version>4.7</version>
			<scope>test</scope>
		</dependency>        
	</dependencies>
    <build>
        <plugins>
            <plugin>
                <artifactId>maven-eclipse-plugin</artifactId>
                <version>2.9</version>
                <configuration>
                    <additionalProjectnatures>
                        <projectnature>org.springframework.ide.eclipse.core.springnature</projectnature>
                    </additionalProjectnatures>
                    <additionalBuildcommands>
                        <buildcommand>org.springframework.ide.eclipse.core.springbuilder</buildcommand>
                    </additionalBuildcommands>
                    <downloadSources>true</downloadSources>
                    <downloadJavadocs>true</downloadJavadocs>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>2.5.1</version>
                <configuration>
                    <!-- NOTE(review): 1.6 contradicts the java-version property (11) above, and javac 12 and later no longer accept -source 6; both values should read ${java-version}. -->
                    <source>1.6</source>
                    <target>1.6</target>
                    <compilerArgument>-Xlint:all</compilerArgument>
                    <showWarnings>true</showWarnings>
                    <showDeprecation>true</showDeprecation>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>exec-maven-plugin</artifactId>
                <version>1.2.1</version>
                <configuration>
                    <!-- NOTE(review): appears to be a leftover from the project template; no org.test.int1.Main exists in this war and the plugin has no executions bound to a phase. -->
                    <mainClass>org.test.int1.Main</mainClass>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

 

p.606~610( security-context.xml 만들기)

security-context.xml

스키마 위치(xsi:schemaLocation)의 xsd 이름에서 5.0을 지우고 아래 코드와 같이 작성

<?xml version="1.0" encoding="UTF-8"?>
<!-- Empty Spring Security skeleton: declares only the beans and security namespaces.
     The version-less spring-security.xsd (the "5.0" was dropped from the file name) resolves to the
     schema packaged inside the spring-security-config jar, so it always matches the version in pom.xml. -->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">


</beans>

 

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 2.5 deployment descriptor: root Spring context (including security-context.xml),
     the DispatcherServlet, a UTF-8 request-encoding filter, and the Spring Security filter chain. -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee https://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

	<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
	<!-- Two files, separated by whitespace. security-context.xml must be in the root context because
	     DelegatingFilterProxy (below) looks its bean up there, not in the DispatcherServlet context. -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>/WEB-INF/spring/root-context.xml
					 /WEB-INF/spring/security-context.xml</param-value>
	</context-param>
	
	<!-- Creates the Spring Container shared by all Servlets and Filters -->
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<!-- Processes application requests -->
	<servlet>
		<servlet-name>appServlet</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<init-param>
			<param-name>contextConfigLocation</param-name>
			<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
		</init-param>
		<load-on-startup>1</load-on-startup>
	</servlet>
		
	<servlet-mapping>
		<servlet-name>appServlet</servlet-name>
		<url-pattern>/</url-pattern>
	</servlet-mapping>
	
		<!-- Sets request encoding to "utf-8" so Korean text in POST bodies is decoded correctly -->
	<filter>
		<filter-name>encoding</filter-name>
		<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
		<init-param>
			<param-name>encoding</param-name>
			<param-value>UTF-8</param-value>
		</init-param>
	</filter>
	
	<filter-mapping>
		<filter-name>encoding</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	
		<!-- security configuration -->
	<!-- DelegatingFilterProxy passes every request to the root-context bean whose name equals this
	     filter-name, "springSecurityFilterChain", which <security:http> in security-context.xml creates.
	     Filters run in filter-mapping order, so this one runs after the encoding filter and reads the
	     login form fields already decoded as UTF-8. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	

</web-app>

 

security-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration, step 1: enable the filter chain with a login form only. -->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<!-- Web URL mapping: <security:http> builds the springSecurityFilterChain bean referenced from web.xml.
     There are no intercept-url rules yet, so every URL is still reachable without logging in;
     form-login only makes the default login form available. -->
<security:http>
	<security:form-login/>
</security:http>

<!-- Authentication section: declared but still empty. No authentication-provider is registered, so
     there is nothing to check a login against until the user-service is added. -->
<security:authentication-manager>

</security:authentication-manager>


</beans>

 

SampleController.java

package com.itwillbs.sec;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Demo endpoints for the security lesson. Each handler returns {@code void}, so the view name is
 * derived from the request path (e.g. /sample/all renders sample/all.jsp; the resolver is configured
 * in servlet-context.xml, which is not shown here). Who may reach each URL is decided by the
 * intercept-url rules in security-context.xml, not by anything in this class.
 */
@Controller
@RequestMapping("/sample/*")
public class SampleController {

	/** /sample/all: open to everyone (permitAll). */
	@GetMapping("/all")
	public void doAll() {
		System.out.println("All");
	}

	/** /sample/member: requires ROLE_MEMBER. */
	@GetMapping("/member")
	public void doMember() {
		System.out.println("Member()");
	}
	
	/** /sample/admin: requires ROLE_ADMIN. */
	@GetMapping("/admin")
	public void doAdmin() {
		System.out.println("Admin()");
	}
	
	
}

 

views-sample 생성 후 all.jsp, member.jsp, admin.jsp 만들기

all.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%-- View for /sample/all. The matching intercept-url rule is permitAll, so no login is required. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>sample/all.jsp</title>
</head>
<body>
<h1>sample/all.jsp</h1>
<p>모든 사용자 접근 가능</p>
</body>
</html>

 

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%-- View for /sample/member. Reached only with ROLE_MEMBER (hasRole('ROLE_MEMBER') in security-context.xml). --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>sample/member.jsp</title>
</head>
<body>
<h1>sample/member.jsp</h1>
<p>로그인한 사용자만 접근 가능</p>
</body>
</html>

 

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%-- View for /sample/admin. Reached only with ROLE_ADMIN (hasRole('ROLE_ADMIN') in security-context.xml). --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>sample/admin.jsp</title>
</head>
<body>
<h1>sample/admin.jsp</h1>
<p>관리자만 접근 가능</p>
</body>
</html>

 

인증 관리

security-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration, step 2: URL rules plus a single in-memory user. -->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<!-- Web URL mapping -->
<security:http>
<!-- Restricts access to specific URLs through the interceptor; each rule gives a pattern and an access expression.
     Rules are evaluated top to bottom and the first match wins; URLs matched by no rule are not restricted. -->
	<security:intercept-url pattern="/sample/all" access="permitAll"/>
	<security:intercept-url pattern="/sample/member" access="hasRole('ROLE_MEMBER')"/>
<!-- Login page -->
	<security:form-login/>
</security:http>

<!--
	 Authentication section
	 security:authentication-manager : the authentication manager
	 <- ProviderManager
	 <- uses an authentication-provider : performs the authentication
	 <- UserDetailsService : returns the user's details together with the authorities the user holds
-->
<security:authentication-manager>

<security:authentication-provider>
	<security:user-service>
<!-- NOTE(review): the password has no "{id}" prefix. Spring Security 5 resolves passwords through
     DelegatingPasswordEncoder, which rejects an unprefixed value at login time (HTTP 500); the
     prefix "{noop}" (cleartext) or, properly, a "{bcrypt}" hash is required. -->
	<security:user name="member" password="1234" authorities="ROLE_MEMBER"/>
	</security:user-service>
	
</security:authentication-provider>
</security:authentication-manager>


</beans>

 

로그인 시도 -> 500 오류 (DelegatingPasswordEncoder: There is no PasswordEncoder mapped for the id "null")

 

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration, step 3: same rules as before, password now carries the {noop} encoder id. -->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<!-- Web URL mapping -->
<security:http>
<!-- Restricts access to specific URLs through the interceptor; each rule gives a pattern and an access expression.
     Rules are evaluated top to bottom and the first match wins; URLs matched by no rule are not restricted. -->
	<security:intercept-url pattern="/sample/all" access="permitAll"/>
	<security:intercept-url pattern="/sample/member" access="hasRole('ROLE_MEMBER')"/>
<!-- Login page -->
	<security:form-login/>
</security:http>

<!--
	 Authentication section
	 security:authentication-manager : the authentication manager
	 <- ProviderManager
	 <- uses an authentication-provider : performs the authentication
	 <- UserDetailsService : returns the user's details together with the authorities the user holds
-->
<security:authentication-manager>

<security:authentication-provider>
	<security:user-service>
<!-- 	Error seen without the prefix: There is no PasswordEncoder mapped for the id "null" -->
<!-- 	noop : use the value as-is, without a PasswordEncoder -->
<!-- NOTE(review): {noop} leaves the password in cleartext inside this file; fine for the lesson, but
     anything beyond it should store a {bcrypt} hash and load users from a database rather than this list. -->
	<security:user name="member" password="{noop}1234" authorities="ROLE_MEMBER"/>
	</security:user-service>
	
</security:authentication-provider>
</security:authentication-manager>


</beans>

 

관리자 권한

security-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration, step 4: adds the /sample/admin rule and an admin user. -->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<!-- Web URL mapping -->
<security:http>
<!-- Restricts access to specific URLs through the interceptor; each rule gives a pattern and an access expression.
     Rules are evaluated top to bottom and the first match wins; URLs matched by no rule are not restricted. -->
<!-- NOTE(review): these are exact Ant patterns. Spring MVC 5.0 by default also routes "/sample/member/" and
     suffixed forms such as "/sample/member.json" to doMember(), and neither matches the rule below.
     "/sample/member/**" (and likewise for admin) plus a final "/**" catch-all rule closes that gap. -->
	<security:intercept-url pattern="/sample/all" access="permitAll"/>
	<security:intercept-url pattern="/sample/member" access="hasRole('ROLE_MEMBER')"/>
	<security:intercept-url pattern="/sample/admin" access="hasRole('ROLE_ADMIN')"/>
<!-- Login page: with no attributes Spring Security serves its own form at /login -->
	<security:form-login/>
</security:http>

<!--
	 Authentication section
	 security:authentication-manager : the authentication manager
	 <- ProviderManager
	 <- uses an authentication-provider : performs the authentication
	 <- UserDetailsService : returns the user's details together with the authorities the user holds
-->
<security:authentication-manager>

<security:authentication-provider>
	<security:user-service>
<!-- 	Error seen without the prefix: There is no PasswordEncoder mapped for the id "null" -->
<!-- 	noop : use the value as-is, without a PasswordEncoder -->
<!-- NOTE(review): both accounts share the cleartext password 1234; lesson-only values, to be replaced by
     {bcrypt} hashes (and a database-backed user store) outside the lesson. -->
	<security:user name="member" password="{noop}1234" authorities="ROLE_MEMBER"/>
	<security:user name="admin" password="{noop}1234" authorities="ROLE_ADMIN"/>
	</security:user-service>
	
</security:authentication-provider>
</security:authentication-manager>


</beans>

 

security-context.xml

403 금지됨(Forbidden) 처리

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration, final step: URL rules, form login, a 403 handler page, and the in-memory users.
     Loaded into the root context via contextConfigLocation in web.xml. -->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

<!-- Web URL mapping: builds the springSecurityFilterChain bean that DelegatingFilterProxy in web.xml delegates to -->
<security:http>
<!-- Restricts access to specific URLs through the interceptor; each rule gives a pattern and an access expression.
     Rules are evaluated top to bottom and the first match wins; URLs matched by no rule (such as /sample/accessError)
     are not restricted. -->
<!-- NOTE(review): these are exact Ant patterns. Spring MVC 5.0 by default also routes "/sample/member/" and
     suffixed forms such as "/sample/member.json" to doMember(), and neither matches the rule below.
     "/sample/member/**" (and likewise for admin) plus a final "/**" catch-all rule closes that gap. -->
	<security:intercept-url pattern="/sample/all" access="permitAll"/>
	<security:intercept-url pattern="/sample/member" access="hasRole('ROLE_MEMBER')"/>
	<security:intercept-url pattern="/sample/admin" access="hasRole('ROLE_ADMIN')"/>
<!-- Login page: with no attributes Spring Security serves its own form at /login; CSRF protection is on by
     default and the generated form carries the token -->
	<security:form-login/>
	
<!-- 	HTTP status 403 - Forbidden => send the user to this page -->
<!-- 	<security:access-denied-handler error-page="virtual address"/> -->
<!-- The handler keeps the 403 status and forwards (not redirects) to the controller mapping below. It only fires
     for an authenticated user lacking the role; an anonymous user is sent to the login form instead. -->
	<security:access-denied-handler error-page="/sample/accessError"/>
</security:http>

<!--
	 Authentication section
	 security:authentication-manager : the authentication manager
	 <- ProviderManager
	 <- uses an authentication-provider : performs the authentication
	 <- UserDetailsService : returns the user's details together with the authorities the user holds
-->
<security:authentication-manager>

<security:authentication-provider>
	<security:user-service>
<!-- 	Error seen without the prefix: There is no PasswordEncoder mapped for the id "null" -->
<!-- 	noop : use the value as-is, without a PasswordEncoder -->
<!-- NOTE(review): both accounts share the cleartext password 1234; lesson-only values, to be replaced by
     {bcrypt} hashes (and a database-backed user store) outside the lesson. -->
	<security:user name="member" password="{noop}1234" authorities="ROLE_MEMBER"/>
	<security:user name="admin" password="{noop}1234" authorities="ROLE_ADMIN"/>
	</security:user-service>
	
</security:authentication-provider>
</security:authentication-manager>


</beans>

 

SampleController

package com.itwillbs.sec;

import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Demo endpoints for the security lesson. Each handler returns {@code void}, so the view name is
 * derived from the request path (e.g. /sample/all renders sample/all.jsp; the resolver is configured
 * in servlet-context.xml, which is not shown here). Who may reach each URL is decided by the
 * intercept-url rules in security-context.xml, not by anything in this class.
 */
@Controller
@RequestMapping("/sample/*")
public class SampleController {

	/** /sample/all: open to everyone (permitAll). */
	@GetMapping("/all")
	public void doAll() {
		System.out.println("doAll()");
	}

	/** /sample/member: requires ROLE_MEMBER. */
	@GetMapping("/member")
	public void doMember() {
		System.out.println("doMember()");
	}
	
	/** /sample/admin: requires ROLE_ADMIN. */
	@GetMapping("/admin")
	public void doAdmin() {
		System.out.println("doAdmin()");
	}
	
	/**
	 * Target of {@code <security:access-denied-handler error-page="/sample/accessError"/>}; the
	 * handler forwards here with HTTP 403 when a logged-in user lacks the required role.
	 *
	 * @param model receives "msg", which accessError.jsp prints via ${msg}
	 * @param auth  the current Authentication, printed for debugging only. Spring's token
	 *              toString() should report the credentials as [PROTECTED] rather than the
	 *              password (confirm before relying on it). It can be null when the URL is
	 *              requested directly without logging in, which println tolerates.
	 */
	@GetMapping("/accessError")
	public void doAccessError(Model model, Authentication auth) {
		System.out.println("doAccessError()");
		System.out.println(auth);
		
		model.addAttribute("msg","Access Denied");
	}
	
	
}

 

sample/accessError.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%-- Forwarded-to view of <security:access-denied-handler error-page="/sample/accessError"/>; rendered with HTTP 403. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>sample/accessError.jsp</title>
</head>
<body>
<h1>sample/accessError.jsp</h1>
<p>Access Denied. 접근할 권한이 없습니다.</p>
<%-- ${msg} is output without HTML escaping. Acceptable here because doAccessError() sets it to the fixed
     string "Access Denied"; switch to <c:out value="${msg}"/> if it ever carries request-derived text. --%>
<p>${msg}</p>
</body>
</html>

 

