🌟 Sudal's gram

Security

Java EE 기반의 Enterprise Software Application 을 μœ„ν•œ 포괄적인 λ³΄μ•ˆ μ„œλΉ„μŠ€μ΄λ‹€.

λ§Œμ•½ μŠ€ν”„λ§ μ‹œνλ¦¬ν‹° (Spring Security) λ₯Ό μ‚¬μš©ν•˜μ§€ μ•ŠλŠ”λ‹€λ©΄ 자체적으둜 μ„Έμ…˜ 체크λ₯Ό ν•˜κ³  redirect 등을 ν•΄μ•Όν•  것이닀.

Spring Security λŠ” λ³΄μ•ˆμ„ κ΅¬μ„±ν•˜λŠ” λ‹€μŒ 두가지 μ˜μ—­μ΄ μžˆλ‹€.

  • Principal (μ ‘κ·Ό 주체)
    • 보호된 λŒ€μƒμ— μ ‘κ·Όν•˜λŠ” μ‚¬μš©μž
  • Authentication (인증)
    • μ‚¬μš©μžκ°€ μ• ν”Œλ¦¬μΌ€μ΄μ…˜ μž‘μ—…μ„ μˆ˜ν–‰ν•  수 μžˆλŠ” Authorization (κΆŒν•œ) 을 μ–»λŠ” κ³Όμ •
  • Authorization (κΆŒν•œ)
    • μ• ν”Œλ¦¬μΌ€μ΄μ…˜μ˜ μž‘μ—…μ„ μˆ˜ν–‰ν•  수 μžˆλ„λ‘ ν—ˆλ½λ˜μ–΄ μžˆλŠ” κ²°μ •

일반적으둜 둜그인 κ³Ό 같은 과정듀은 HTTP 기본인증을 ν†΅ν•˜μ—¬ μ§„ν–‰λ˜λ©° μ΄λŠ” Form 기반 둜그인 이 λœλ‹€.

인증 (Authentication)

Spring Security 의 μΈμ¦κ΅¬μ‘°λŠ” μ„Έμ…˜-μΏ ν‚€ λ°©μ‹μœΌλ‘œ μ§„ν–‰λœλ‹€.

Spring Security Authentication Architecture

  1. μ‚¬μš©μžκ°€ λ‘œκ·ΈμΈμ„ μ‹œλ„ (Http Request)
  2. 인증 ν•„ν„° (Authentication Filter) μ—μ„œ User DB λ₯Ό 확인함
  3. User DB 에 μžˆλŠ” μ‚¬μš©μžλΌλ©΄ ν•΄λ‹Ή μ‚¬μš©μž 정보λ₯Ό μ‘°νšŒν•˜μ—¬ μ‚¬μš©μžμ˜ μ„Έμ…˜μ„ 생성
  4. Spring Security 의 인메λͺ¨λ¦¬ μ„Έμ…˜μ €μž₯μ†ŒμΈ Security Context Holder 에 μ €μž₯
  5. μ‚¬μš©μžμ—κ²Œ Session ID 와 ν•¨κ»˜ 응닡을 λ‚΄λ €μ€Œ
  6. 이후 μš”μ²­μ—μ„œλŠ” Request Cookie μ—μ„œ JSESSIONID λ₯Ό μΆ”μΆœν•˜μ—¬ 검증이 μœ νš¨ν•˜λ©΄ Authentication λ₯Ό μ œκ³΅ν•¨

참고자료

https://sjh836.tistory.com/165

μ„€μ •

1. μ˜μ‘΄μ„± μΆ”κ°€

<!-- Properties -->
<security.version>4.2.7.RELEASE</security.version>

<!-- Security -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-core</artifactId>
  <version>${security.version}</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
  <version>${security.version}</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-config</artifactId>
  <version>${security.version}</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-taglibs</artifactId>
  <version>${security.version}</version>
</dependency>
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-test</artifactId>
  <version>${security.version}</version>
</dependency>

2. web.xml μ„€μ •

<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value> classpath:applicationContext.xml classpath:applicationContext-security.xml </param-value>
</context-param>

<!-- Spring Security -->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
  <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
  • HttpSessionEventPublisher
    • ν•œλͺ…μ˜ μ‚¬μš©μžκ°€ λ‹€λ₯Έ λΈŒλΌμš°μ €λ‘œ λ™μ‹œμ— 둜그인 ν•˜λŠ”κ²ƒμ„ λ§‰μŒ
  • DelegatingFilterProxy
    • λͺ¨λ“  μš”μ²­μ€ ν•΄λ‹Ή ν”„λ‘μ‹œ ν•„ν„°λ₯Ό κ±°μΉœλ‹€.
    • Spring Security λŠ” 이λ₯Ό 톡해 인증 및 인가λ₯Ό μˆ˜ν–‰ν•œλ‹€.

3. security μ„€μ •

<security:http auto-config="true" use-expressions="true">
  <security:csrf disabled="true"/>
  <security:intercept-url pattern="/**" access="permitAll" />
  <security:form-login login-page="/login" authentication-success-handler-ref="loginSuccessHandler" authentication-failure-handler-ref="loginFailureHandler" login-processing-url="/auth" username-parameter="id" password-parameter="pw" />
  <security:logout logout-url="/logout" invalidate-session="true" logout-success-url="/login?status=logout" />
  <security:session-management invalid-session-url="/login">
    <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
  </security:session-management>
</security:http>

<!-- secured method -->
<security:global-method-security secured-annotations="enabled" />

<!-- provider -->
<security:authentication-manager>
  <security:authentication-provider ref="userAuthHelper" />
</security:authentication-manager>

<bean id="loginSuccessHandler" class="com.devljh.domain.user.helper.LoginSuccessHandler">
  <property name="defaultTargetUrl" value="/main" />
  <property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>

<bean id="loginFailureHandler" class="com.devljh.domain.user.helper.LoginFailureHandler">
  <property name="defaultFailureUrl" value="/login?status=fail" />
</bean>
<bean id="userAuthService" class="com.devljh.domain.user.UserAuthService" />
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<bean id="userAuthProvider" class="com.devljh.domain.user.helper.UserAuthProvider">
  <property name="userDetailsService" ref="userAuthService" />
  <property name="passwordEncoder" ref="passwordEncoder" />
</bean>