[B -2-55] 스프링 시큐리티 2
CSRF 토큰 설정
스프링 시큐리티 사용 시 POST 방식으로 전송하는 폼에는 반드시 CSRF 토큰을 함께 전송하도록 추가해야 한다.
<form> 태그 안에 CSRF 토큰 값을 <input type='hidden'> 필드로 넣어 요청과 함께 전송한다.
views/board
register.jsp
<%-- Board post registration form. Included header/footer supply the page layout. --%>
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt"%>
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec"%>
<%@ include file="../includes/header.jsp"%>
<div class="row">
<div class="col-lg-12">
<h1 class="page-header">게시판 등록</h1>
</div>
<!-- /.col-lg-12 -->
</div>
<!-- /.row -->
<div class="row">
<div class="col-lg-12">
<div class="panel panel-default">
<div class="panel-heading">게시글 등록 페이지</div>
<!-- /.panel-heading -->
<div class="panel-body">
<form action="/board/register" role="form" method="post">
<%-- CSRF token: Spring Security's CsrfFilter rejects POSTs that lack this parameter.
     The field name and value come from the _csrf request attribute, so they follow
     whatever token repository the security config uses. --%>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
<div class="form-group">
<label>작성자</label>
<%-- Writer is pre-filled from the authenticated principal. readonly is only a
     client-side hint; the server side should take the writer from the
     authenticated principal rather than trusting this field (not visible here). --%>
<input class="form-control" name="writer" value='<sec:authentication property="principal.username"/>' readonly="readonly" >
</div>
<div class="form-group">
<label>제목</label>
<input class="form-control" name="title">
</div>
<div class="form-group">
<label>내용</label>
<textarea class="form-control" rows="10" name="content"></textarea>
</div>
<button type="submit" class="btn btn-primary">등록</button>
<%-- NOTE(review): a <button> nested inside <a> is not valid HTML; browsers tolerate it,
     but a plain <a class="btn btn-success"> link would be the conventional form. --%>
<a href="/board/list">
<button type="button" class="btn btn-success">목록</button>
</a>
</form>
</div>
<!-- /.panel-body -->
</div>
<!-- /.panel -->
</div>
<!-- /.col-lg-12 -->
</div>
<!-- /.row -->
</div>
<!-- /#page-wrapper -->
<%@ include file="../includes/footer.jsp"%>
스프링 시큐리티 한글 처리
src/main/java
com.spms.config
SecurityConfig.java
configure(HttpSecurity http)
package com.spms.config;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.web.filter.CharacterEncodingFilter;
import com.spms.security.CustomLoginSuccessHandler;
import com.spms.security.CustomUserDetailsService;
import lombok.Setter;
import lombok.extern.log4j.Log4j;
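/**
 * Spring Security configuration for the SPMS web layer.
 *
 * <p>Wires the custom {@link UserDetailsService} with BCrypt password hashing,
 * form login/logout, JDBC-backed persistent remember-me tokens, and a UTF-8
 * {@link CharacterEncodingFilter} that is registered ahead of {@link CsrfFilter}
 * so the request encoding is fixed before the CSRF token parameter is read.
 */
@Configuration
@EnableWebSecurity
@Log4j
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Cookie written by the remember-me feature; cleared on logout. */
    private static final String REMEMBER_ME_COOKIE = "remember-me";

    /**
     * Default session cookie name of the servlet container. The earlier value
     * "JSESSION_ID" matched no cookie, so the session cookie survived logout.
     */
    private static final String SESSION_COOKIE = "JSESSIONID";

    /** Remember-me token lifetime: 7 days. */
    private static final int REMEMBER_ME_VALIDITY_SECONDS = 7 * 24 * 60 * 60;

    /** Injected through the Lombok-generated setter; backs the persistent token table. */
    @Setter(onMethod_ = { @Autowired })
    private DataSource dataSource;

    /** Project-specific user lookup used by the authentication manager. */
    @Bean
    public UserDetailsService customUserService() {
        return new CustomUserDetailsService();
    }

    /**
     * Registers the custom {@link UserDetailsService} together with the BCrypt encoder,
     * so submitted passwords are compared against stored hashes rather than plain text.
     *
     * @param auth the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserService()).passwordEncoder(passwordEncoder());
    }

    /** Handler invoked after a successful login (post-login routing lives there). */
    @Bean
    public AuthenticationSuccessHandler loginSuccessHandler() {
        return new CustomLoginSuccessHandler();
    }

    /**
     * HTTP security rules: URL authorization, custom login/logout pages,
     * persistent remember-me, and request character encoding.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        configureAuthorization(http);
        configureLoginLogout(http);
        configureRememberMe(http);
        configureEncoding(http);
    }

    /** Role-based access rules for the sample URLs; other URLs keep the defaults. */
    private static void configureAuthorization(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/sample/all").permitAll()
            .antMatchers("/sample/admin").access("hasRole('ROLE_ADMIN')")
            .antMatchers("/sample/member").access("hasRole('ROLE_MEMBER')");
    }

    /** Custom login page and logout URL; logout also drops the session and its cookies. */
    private static void configureLoginLogout(HttpSecurity http) throws Exception {
        http.formLogin()
            .loginPage("/customLogin")
            .loginProcessingUrl("/login");
        http.logout()
            .logoutUrl("/customLogout")
            .invalidateHttpSession(true)
            .deleteCookies(REMEMBER_ME_COOKIE, SESSION_COOKIE);
    }

    /** Persistent remember-me tokens stored through {@link #persistentTokenRepository()}. */
    private void configureRememberMe(HttpSecurity http) throws Exception {
        http.rememberMe()
            .key("spms")
            .tokenRepository(persistentTokenRepository())
            .tokenValiditySeconds(REMEMBER_ME_VALIDITY_SECONDS);
    }

    /**
     * Forces UTF-8 on every request before any security filter reads parameters.
     * Placed before {@link CsrfFilter} because that filter is the first one in the
     * chain to read the request body (the token parameter); setting the encoding
     * later would leave non-ASCII form fields garbled.
     */
    private static void configureEncoding(HttpSecurity http) {
        CharacterEncodingFilter encodingFilter = new CharacterEncodingFilter();
        encodingFilter.setEncoding("UTF-8");
        encodingFilter.setForceEncoding(true);
        http.addFilterBefore(encodingFilter, CsrfFilter.class);
    }

    /** BCrypt: salted, adaptive-cost hashing for stored passwords. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** Remember-me tokens persisted in the database reached through {@link #dataSource}. */
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource);
        return repo;
    }
}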
CsrfFilter보다 캐릭터 인코딩 필터가 먼저 실행되도록 addFilterBefore로 설정한다. CsrfFilter가 토큰 파라미터를 읽기 전에 요청 인코딩이 UTF-8로 지정되어야 한글 파라미터가 깨지지 않는다.