Spring Security 이해와 활용

• 엔터프라이즈 어플리케이션을 위한 인증(Authentication)권한 처리(Authorization) 서비스를 제공하는 강력하고 유연한 보안 솔루션
• Servlet Filter 와 Java AOP 를 통한 Interception를 사용하여 보안을 강제하며 Spring의 IoC와 lifecycle 서비스 기반으로 동작
• Authentication, Web URL authorizationo, Method 호출 authorization, 채널 보안(https 강제) 등의 주요기능 제공
• Service Layer 보안 제공으로 Layering issue 해결 및 웹 클라이언트 외의 다양한 rich 클라이언트/웹 서비스에 대한 보안 제어 지원
• 재사용성, 이식성, 코드 품질 및 다양한 타 프레임워크 지원

snippet.xml

<!-- Spring Security -->
<dependency>            
  <groupId>org.springframework.security</groupId>            
  <artifactId>spring-security-core</artifactId>            
  <version>${spring.maven.artifact.version}</version>        
</dependency>
 
<dependency>            
  <groupId>org.springframework.security</groupId>            
  <artifactId>spring-security-web</artifactId>            
  <version>${spring.maven.artifact.version}</version>        
</dependency>
 
<dependency>            
  <groupId>org.springframework.security</groupId>            
  <artifactId>spring-security-config</artifactId>            
  <version>${spring.maven.artifact.version}</version>        
</dependency>

• spring-security-core
• spring-security-web
• spring-security-config

3개를 추가한다.

snippet.xml

<!-- Spring Security tag library -->        
<dependency>            
  <groupId>org.springframework.security</groupId>            
  <artifactId>spring-security-taglibs</artifactId>            
  <version>${spring.maven.artifact.version}</version>        
</dependency>

snippet.xml

<!-- Security -->        
<dependency>            
  <groupId>egovframework.rte</groupId>
  <artifactId>egovframework.rte.fdl.security</artifactId>            
  <version>2.6.0</version>        
</dependency>

snippet.xml

<filter>		
  <filter-name>springSecurityFilterChain</filter-name>		
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>	
</filter>	
<filter-mapping>		
  <filter-name>springSecurityFilterChain</filter-name>		
  <url-pattern>/*</url-pattern>	
</filter-mapping>

filterchain을 사용한다.

• Spring security가 모든 request를 감싸게 해서 강제적으로 보안이 적용되도록 하는 servlet filter
• 실제로는 <filter-name/>에 지정된 이름을 갖는 Spring bean(filter interface 구현)을 호출하는 역할을 담당
  • springSecurityFilterChain : 이후 설정될 Spring security 에 의해 자동으로 등록되는 filter bean

context-security.xml

snippet.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
  http://www.springframework.org/schema/beans/spring-beans.xsd
  http://www.springframework.org/schema/security
  http://www.springframework.org/schema/security/spring-security.xsd">    
 
  <http auto-config="true">        
    <intercept-url pattern="/sample/add*" access="ROLE_ADMIN" />        
    <intercept-url pattern="/sample/update*" access="ROLE_ADMIN" />        
    <intercept-url pattern="/sample/delete*" access="ROLE_ADMIN" />        
    <intercept-url pattern="/**" access="ROLE_USER" />    
  </http>    	
 
<!-- `In-Memory authentication` -->
  <authentication-provider>		
    <user-service>			
      <user name="user" password="user" authorities="ROLE_USER" />			
      <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
    </user-service>	
  </authentication-provider>	
</beans:beans> 

authentication-manager 사용. In-Memory authentication

snippet.xml

<authentication-manager>		
  <authentication-provider>			
    <user-service>				
      <user name="user" password="user" authorities="ROLE_USER" />				
      <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
    </user-service>		
  </authentication-provider>	
</authentication-manager>	

auto-config-="true"

snippet.html

<http>     
  <form-login />     
  <logout /> 
</http>

snippet.xml

<http access-denied-page="/common/accessDenied.jsp" lowercase-comparisons="false">
  <intercept-url pattern="/common/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
  <intercept-url pattern="/css/**" filters="none" /> 
  <intercept-url pattern="/images/**" filters="none" /> 
  <intercept-url pattern="/sample/add*" access="ROLE_ADMIN" /> 
  <intercept-url pattern="/sample/update*" access="ROLE_ADMIN" /> 
  <intercept-url pattern="/sample/delete*" access="ROLE_ADMIN" /> 
  <intercept-url pattern="/**" access="ROLE_USER" />        
  <form-login login-page="/common/login.jsp" authentication-failure-url="/common/login.jsp?fail=true" /> 
  <logout logout-success-url="/common/logout.jsp" /> 
  <anonymous /> 
</http>

설정변경

snippet.xml

<http pattern="/css/**" security="none"/>    
<http pattern="/images/**" security="none"/>

snippet.xml

<beans:bean id="jdbcUserService" class="egovframework.rte.fdl.security.userdetails.jdbc.EgovJdbcUserDetailsManager">
  <beans:property name="usersByUsernameQuery"    
    value="SELECT USER_ID,PASSWORD,ENABLED,USER_NAME FROM USERS WHERE USER_ID = ? "/>  
  <beans:property name="authoritiesByUsernameQuery"    
    value="SELECT USER_ID,AUTHORITY FROM AUTHORITIES WHERE USER_ID = ? "/>      
  <beans:property name="roleHierarchy" ref="roleHierarchy" />  
  <beans:property name="dataSource" ref="dataSource" />  
  <beans:property name="mapClass"          
    value="egovframework.rte.cmmn.security.EgovUserDetailsMapping" /> 
</beans:bean>

• 기존 <jdbc-user-service />와의 차이점
  • Role Hierarchy 지원(기존의 경우 별도 UserDetailsServiceWrapper 또는 RoleHierarchyVoter 필요)
  • Mapping class(MappingSqlQuery) 지원 (기존의 경우 상속 필요)