Sunday, April 19, 2020

[Spring] Enabling Spring Security

What is Spring Security?

 Spring Security is a tool that makes it easier to implement features such as login and administrator privileges. Traditionally, developers had to write this logic by hand using sessions and interceptors; with Spring Security, much of it can be implemented through configuration settings.

pom.xml

Setting the Spring Security Version
<!-- Specify the Spring Security version -->
    <properties>
        <java-version>1.8</java-version>
        <org.springframework-version>5.1.4.RELEASE</org.springframework-version>
        <org.aspectj-version>1.9.2</org.aspectj-version>
        <org.slf4j-version>1.7.25</org.slf4j-version>
        <spring.security.version>4.1.3.RELEASE</spring.security.version>
    </properties>
 This setup uses Spring Security 4.1.3, and the Spring version must be higher than the Spring Security version.

dependency
<!-- Dependencies for using Spring Security -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-core</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
            <version>${spring.security.version}</version>
        </dependency>
<!-- Dependencies for using Spring Security -->

web.xml

 Add the following snippets to the web.xml file, in order.
Adding the Spring Security settings file
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/root-context.xml
        /WEB-INF/spring/security/security-context.xml
    </param-value>
</context-param>
Add the path to security-context.xml, which will be the configuration file for Spring Security.

Listener
<!-- Listener for handling session events -->
<listener>
 <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

Filter
<!-- Have Spring Security handle every request to the application -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


security-context.xml

 Since web.xml points to the Spring Security settings file at /WEB-INF/spring/security/security-context.xml, create a security folder, create a security-context.xml file inside it, and write the code below.
Settings
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    
    <!-- Static resource files -->
    <sec:http pattern="/css/**" security="none" />
    <sec:http pattern="/img/**" security="none" />
    <sec:http pattern="/js/**" security="none" />
    
    <!-- Interceptor, authorization and login settings -->
    <sec:http auto-config='true' use-expressions="true">
        <!-- Interceptor path settings -->
        <sec:intercept-url pattern="/login" access="permitAll" />
        <sec:intercept-url pattern="/**" access="isAuthenticated()" />
        <!-- Form login settings -->
        <sec:form-login login-page="/login"
                        login-processing-url="/login/check"
                        default-target-url="/success"
                        username-parameter="userId" 
                        password-parameter="password"
                        authentication-failure-url="/login?error" 
                        always-use-default-target='true' />
        <!-- Logout settings -->
        <sec:logout invalidate-session="true"
                    logout-url="/logout"   
                    logout-success-url="/login?logout" />
        <!-- Session settings -->
        <sec:session-management>
         <sec:concurrency-control max-sessions="1"
                                  expired-url="/login"
                                  error-if-maximum-exceeded="true"/>
        </sec:session-management>
        
        <!-- Security settings -->
        <sec:csrf/>
    </sec:http>
    
    <!-- Authority management: in-memory demo user with a plaintext password -->
    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="user" password="1234" authorities="ROLE_USER"/>
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>
</beans>
 There are a lot of tags, but being able to configure basics such as interceptors, administrator rights, and login with just this one XML file is the advantage of Spring Security.
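
 The configuration above points to a custom login page but does not show it. The following login view is an added example, not part of the original post: it matches the form-login, logout and csrf settings in security-context.xml. The view file name, the controller that maps /login to it, and the JSTL dependency are assumptions.

```jsp
<%-- Added example: login.jsp, served by a controller mapped to /login (assumed). --%>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <%-- Reached through authentication-failure-url="/login?error" --%>
  <c:if test="${param.error != null}">
    <p>Invalid user ID or password.</p>
  </c:if>
  <%-- Reached through logout-success-url="/login?logout" --%>
  <c:if test="${param.logout != null}">
    <p>You have been logged out.</p>
  </c:if>

  <%-- POST to login-processing-url="/login/check". The field names must match
       username-parameter="userId" and password-parameter="password". --%>
  <form method="post" action="<c:url value='/login/check'/>">
    <label>User ID
      <input type="text" name="userId" autocomplete="username"/>
    </label>
    <label>Password
      <input type="password" name="password" autocomplete="current-password"/>
    </label>
    <%-- CSRF protection is enabled, so the token has to travel with the POST;
         without it Spring Security rejects the request with 403. --%>
    <sec:csrfInput/>
    <button type="submit">Log in</button>
  </form>

  <%-- With CSRF enabled, logout-url="/logout" only accepts POST, so logout is
       a form rather than a link. Shown only to authenticated users. --%>
  <sec:authorize access="isAuthenticated()">
    <form method="post" action="<c:url value='/logout'/>">
      <sec:csrfInput/>
      <button type="submit">Log out</button>
    </form>
  </sec:authorize>
</body>
</html>
```

 The sec tags come from the spring-security-taglibs dependency added in pom.xml.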
