Java/Spring
SPRING SECURITY: security framework
amungstudy
2023. 8. 25. 10:50
Adding the Maven libraries
pom.xml
<properties>
<java-version>11</java-version>
<org.springframework-version>5.3.29</org.springframework-version>
<security-version>5.8.6</security-version>
<org.aspectj-version>1.9.19</org.aspectj-version>
<org.slf4j-version>2.0.7</org.slf4j-version>
</properties>
<!-- SECURITY -->
<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${security-version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${security-version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${security-version}</version>
</dependency>
core, web and config must all be present: core holds the authentication model, web the servlet filters, and config the XML namespace (security:*) parser used below.
web.xml
<!-- security filter -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
security:http (configures the springSecurityFilterChain)
The filter-name in web.xml must be exactly springSecurityFilterChain: DelegatingFilterProxy looks up a bean with that name in the root application context, and that bean is the filter chain built from the <security:http> element.
Create the security configuration file (a Spring bean configuration file; declare the security namespace http://www.springframework.org/schema/security on the <beans> root so the security:* elements resolve)
security-context.xml
A URL pattern can also be set on this element (pattern="/*") to limit which requests the chain handles.
<!-- auto-config="true": provides a generated login page, HTTP Basic authentication and logout -->
<security:http auto-config="true">
<!-- /test/master: only users holding ROLE_ADMIN may access it -->
<security:intercept-url pattern="/test/master" access="hasRole('ROLE_ADMIN')"/>
<!-- hasAnyRole: access is granted if the user holds any one of the listed roles -->
<security:intercept-url pattern="/test/member" access="hasAnyRole('ROLE_MEMBER','ROLE_ADMIN')"/>
<security:intercept-url pattern="/test/all" access="permitAll"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<!-- users registered in memory for testing; the {noop} prefix tells the DelegatingPasswordEncoder the password is stored unencoded (test only) -->
<security:user name="master" password="{noop}master" authorities="ROLE_ADMIN"/>
<security:user name="member" password="{noop}member" authorities="ROLE_MEMBER"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
Note that URLs matching none of the intercept-url patterns are not protected at all; add a final pattern="/**" rule if everything else should require authentication.
Register the configuration file in web.xml
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/root-context.xml
/WEB-INF/spring/security-context.xml
</param-value>
</context-param>
Once Security is applied, every POST request (in fact every request that is not GET, HEAD, OPTIONS or TRACE) must carry a CSRF token.
For testing only, verification can be switched off:
<!-- do not verify the CSRF token -->
<security:csrf disabled="true"/>
Remove this before deployment: with CSRF disabled, any site the user visits can submit state-changing POSTs that ride on the user's session cookie, and the logout URL also starts accepting plain GET requests.
Wiring up a login page (auto-config removed; the generated login page, HTTP Basic and logout are no longer configured automatically, so form-login is declared explicitly)
<security:http> <!-- auto-config="true" -->
.............
<!-- login: authentication settings -->
<security:form-login login-page="/login"
login-processing-url="/login"
username-parameter="u_id"
password-parameter="u_pw" />
<!-- auto-login cookie; remember-me-cookie is the name of the cookie that is set, token-validity-seconds="2419200" is 28 days -->
<security:remember-me remember-me-cookie="userCookie"
remember-me-parameter="rememberMe" token-validity-seconds="2419200"/>
Because login-page and login-processing-url are the same path, GET /login must be served by one of the application's own controllers (Security only consumes the POST), and the intercept-url rules must allow unauthenticated access to /login, otherwise the redirect to the login page loops.
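The fragments above (the intercept-url rules, the in-memory users, the form-login and remember-me elements, and the CSRF setting) all belong in one security-context.xml. The file below is an added example that assembles them into a complete, loadable configuration; it is not code from the original post. It keeps CSRF enabled instead of disabling it, adds the explicit logout element and a catch-all rule, and assumes a controller that serves GET /login, the /logout and /login?error paths, and a remember-me key value; those are assumptions, not something the post specifies.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): one complete security-context.xml
     built from the fragments shown above. Assumed: a controller for GET /login,
     the /logout and /login?error paths, the remember-me key, the "/**" catch-all. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- The filter chain that the springSecurityFilterChain proxy in web.xml delegates to. -->
    <security:http>

        <!-- The first matching pattern wins, so specific rules come first and the
             catch-all last. Without the catch-all, unmatched URLs are open to everyone. -->
        <security:intercept-url pattern="/login"       access="permitAll"/>
        <security:intercept-url pattern="/test/all"    access="permitAll"/>
        <security:intercept-url pattern="/test/master" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/test/member" access="hasAnyRole('ROLE_MEMBER','ROLE_ADMIN')"/>
        <security:intercept-url pattern="/**"          access="isAuthenticated()"/>

        <!-- GET /login is rendered by the application's own controller (assumed);
             POST /login with u_id/u_pw is consumed by Security's authentication filter. -->
        <security:form-login login-page="/login"
                             login-processing-url="/login"
                             username-parameter="u_id"
                             password-parameter="u_pw"
                             default-target-url="/"
                             authentication-failure-url="/login?error"/>

        <!-- CSRF protection stays on (the default). With it on, /logout accepts only POST,
             which is why the logout form must carry the token like the login form does. -->
        <security:csrf disabled="false"/>

        <security:logout logout-url="/logout"
                         logout-success-url="/login?logout"
                         invalidate-session="true"
                         delete-cookies="JSESSIONID,userCookie"/>

        <!-- Hash-based remember-me: the cookie is a hash over username, expiry, the stored
             password and this key. Keep the key secret (it is what prevents cookie forgery);
             a password change invalidates outstanding cookies. 2419200 s = 28 days. -->
        <security:remember-me key="replace-with-a-long-random-secret"
                              remember-me-cookie="userCookie"
                              remember-me-parameter="rememberMe"
                              token-validity-seconds="2419200"/>
    </security:http>

    <!-- In-memory users for the demo. {noop} marks an unencoded password and is acceptable
         only for tests; a real deployment stores {bcrypt}-prefixed hashes in a user store. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="master" password="{noop}master" authorities="ROLE_ADMIN"/>
                <security:user name="member" password="{noop}member" authorities="ROLE_MEMBER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

Load it through the contextConfigLocation entry in web.xml exactly as the post shows. The one behavioural difference from the post's test setup is the csrf element: leaving it enabled means every form in the application, login and logout included, needs the hidden token field described in the next section.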
Automatic CSRF token handling
<form method="post" action="login">
<input type="text" name="u_id"/>
<input type="password" name="u_pw"/>
<input type="checkbox" name="rememberMe"/> remember me
<!-- the token is issued by Security; the field name must be ${_csrf.parameterName} (by default _csrf) -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
<input type="submit" value="login"/>
</form>
Logout is also handled with a form: a POST to the logout URL that carries the same hidden CSRF field.