Spring Security 이해와 활용
1.개요 - Spring security
- 엔터프라이즈 어플리케이션을 위한 인증(Authentication)권한 처리(Authorization) 서비스를 제공하는 강력하고 유연한 보안 솔루션
- Servlet Filter 와 Java AOP 를 통한 Interception를 사용하여 보안을 강제하며 Spring의 IoC와 lifecycle 서비스 기반으로 동작
- Authentication, Web URL authorizationo, Method 호출 authorization, 채널 보안(https 강제) 등의 주요기능 제공
- Service Layer 보안 제공으로 Layering issue 해결 및 웹 클라이언트 외의 다양한 rich 클라이언트/웹 서비스에 대한 보안 제어 지원
- 재사용성, 이식성, 코드 품질 및 다양한 타 프레임워크 지원
2.기본설정 - maven 설정
Dependency 추가
- snippet.xml
<!-- Spring Security --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>${spring.maven.artifact.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${spring.maven.artifact.version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${spring.maven.artifact.version}</version> </dependency>
- spring-security-core
- spring-security-web
- spring-security-config
3개를 추가한다.
taglib 사용시 추가
- snippet.xml
<!-- Spring Security tag library --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-taglibs</artifactId> <version>${spring.maven.artifact.version}</version> </dependency>
egovframework Dependency 추가
- snippet.xml
<!-- Security --> <dependency> <groupId>egovframework.rte</groupId> <artifactId>egovframework.rte.fdl.security</artifactId> <version>2.6.0</version> </dependency>
web.xml
- snippet.xml
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
filterchain을 사용한다.
2. 기본설정 - DelegatingFilterProxy
- Spring security가 모든 request를 감싸게 해서 강제적으로 보안이 적용되도록 하는 servlet filter
- 실제로는
<filter-name/>에 지정된 이름을 갖는 Spring bean(filter interface 구현)을 호출하는 역할을 담당- springSecurityFilterChain : 이후 설정될 Spring security 에 의해 자동으로 등록되는 filter bean
2. 기본설정 - security 설정
context-security.xml
- snippet.xml
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <http auto-config="true"> <intercept-url pattern="/sample/add*" access="ROLE_ADMIN" /> <intercept-url pattern="/sample/update*" access="ROLE_ADMIN" /> <intercept-url pattern="/sample/delete*" access="ROLE_ADMIN" /> <intercept-url pattern="/**" access="ROLE_USER" /> </http> <!-- `In-Memory authentication` --> <authentication-provider> <user-service> <user name="user" password="user" authorities="ROLE_USER" /> <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" /> </user-service> </authentication-provider> </beans:beans>
authentication-manager 사용. In-Memory authentication
- snippet.xml
<authentication-manager> <authentication-provider> <user-service> <user name="user" password="user" authorities="ROLE_USER" /> <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" /> </user-service> </authentication-provider> </authentication-manager>
3. Form & Basic 로그인 - auto-config
auto-config-="true"
- snippet.html
<http> <form-login /> <logout /> </http>
<http /> 설정 변경
- snippet.xml
<http access-denied-page="/common/accessDenied.jsp" lowercase-comparisons="false"> <intercept-url pattern="/common/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/css/**" filters="none" /> <intercept-url pattern="/images/**" filters="none" /> <intercept-url pattern="/sample/add*" access="ROLE_ADMIN" /> <intercept-url pattern="/sample/update*" access="ROLE_ADMIN" /> <intercept-url pattern="/sample/delete*" access="ROLE_ADMIN" /> <intercept-url pattern="/**" access="ROLE_USER" /> <form-login login-page="/common/login.jsp" authentication-failure-url="/common/login.jsp?fail=true" /> <logout logout-success-url="/common/logout.jsp" /> <anonymous /> </http>
설정변경
- snippet.xml
<http pattern="/css/**" security="none"/> <http pattern="/images/**" security="none"/>
4. Database 확장 - 인증 확장 설정
EgovJdbcUserDetailsManager 적용
- snippet.xml
<beans:bean id="jdbcUserService" class="egovframework.rte.fdl.security.userdetails.jdbc.EgovJdbcUserDetailsManager"> <beans:property name="usersByUsernameQuery" value="SELECT USER_ID,PASSWORD,ENABLED,USER_NAME FROM USERS WHERE USER_ID = ? "/> <beans:property name="authoritiesByUsernameQuery" value="SELECT USER_ID,AUTHORITY FROM AUTHORITIES WHERE USER_ID = ? "/> <beans:property name="roleHierarchy" ref="roleHierarchy" /> <beans:property name="dataSource" ref="dataSource" /> <beans:property name="mapClass" value="egovframework.rte.cmmn.security.EgovUserDetailsMapping" /> </beans:bean>
- 기존 <jdbc-user-service />와의 차이점
- Role Hierarchy 지원(기존의 경우 별도 UserDetailsServiceWrapper 또는 RoleHierarchyVoter 필요)
- Mapping class(MappingSqlQuery) 지원 (기존의 경우 상속 필요)