From 01e6b34cdd3eeb60ce6bf7fbe2bb282bd4b2a5ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=ED=98=84=EC=84=B1=ED=95=84?= Date: Thu, 25 Apr 2024 10:48:33 +0900 Subject: [PATCH] =?UTF-8?q?Spring=20Security=20=EB=B3=80=EA=B2=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../controller/MockRouteMgmtController.java | 8 +++ .../controller/ApiClientPageController.java | 4 +- .../config/PortalConfigSecurity.java | 65 ++++++++++++------- .../testmaster/config/WebMvcConfig.java | 55 ++-------------- .../controller/ServerMgmtController.java | 7 ++ .../controller/ServerRestController.java | 4 +- .../user/controller/UserMgmtController.java | 7 ++ .../eactive/testmaster/user/entity/User.java | 19 ++++-- 8 files changed, 92 insertions(+), 77 deletions(-) diff --git a/src/main/java/com/eactive/testmaster/api/controller/MockRouteMgmtController.java b/src/main/java/com/eactive/testmaster/api/controller/MockRouteMgmtController.java index 1bae602..b2db690 100644 --- a/src/main/java/com/eactive/testmaster/api/controller/MockRouteMgmtController.java +++ b/src/main/java/com/eactive/testmaster/api/controller/MockRouteMgmtController.java @@ -10,6 +10,7 @@ import com.eactive.testmaster.api.service.MockRouteService; import org.apache.commons.lang3.StringUtils; import org.springframework.data.domain.Page; import org.springframework.data.domain.Pageable; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; @@ -50,6 +51,7 @@ public class MockRouteMgmtController { public static final String MOCK_ROUTE_LIST_VIEW = "redirect:/mgmt/routes/list_view.do"; @GetMapping("/list_view.do") + @Secured("ROLE_MANAGE_ROUTE") public ModelAndView listView(@ModelAttribute("mockRouteSearch") MockRouteSearch mockRouteSearch, Pageable pageable) { ModelAndView mav = new ModelAndView("page/routes/mockRouteList"); Page page = mockRouteService.findAll(mockRouteSearch.buildSpecification(), pageable); @@ -61,6 +63,7 @@ public class MockRouteMgmtController { } @GetMapping("/create_view.do") + @Secured("ROLE_MANAGE_ROUTE") public ModelAndView createView() { ModelAndView mav = new ModelAndView(MOCK_ROUTE_EDIT); MockRouteRegisterDTO defaultRoute = new MockRouteRegisterDTO(); @@ -72,6 +75,7 @@ public class MockRouteMgmtController { } @GetMapping("/update_view.do") + @Secured("ROLE_MANAGE_ROUTE") public ModelAndView updateView(@RequestParam("id") Long id) { ModelAndView mav = new ModelAndView(MOCK_ROUTE_EDIT); @@ -82,6 +86,7 @@ public class MockRouteMgmtController { } @PostMapping("/clone_view.do") + @Secured("ROLE_MANAGE_ROUTE") public ModelAndView cloneView(@RequestParam("id") Long id) { ModelAndView mav = new ModelAndView(MOCK_ROUTE_EDIT); @@ -94,6 +99,7 @@ public class MockRouteMgmtController { } @PostMapping("/register.do") + @Secured("ROLE_MANAGE_ROUTE") public String register(@ModelAttribute("mockRoute") MockRouteRegisterDTO dto, BindingResult bindingResult, ModelMap model) { if (dto == null) { @@ -116,6 +122,7 @@ public class MockRouteMgmtController { @PostMapping("/update.do") + @Secured("ROLE_MANAGE_ROUTE") public String update(@RequestParam("id") String id, @ModelAttribute("mockRoute") MockRouteUpdateDTO dto, BindingResult bindingResult, ModelMap model) { @@ -144,6 +151,7 @@ public class MockRouteMgmtController { @PostMapping("/delete.do") + @Secured("ROLE_MANAGE_ROUTE") public String delete(@RequestParam("checkedIdForDel") List ids) { for (String id : ids) { MockRoute mockRoute = mockRouteService.findById(Long.parseLong(id)); diff --git a/src/main/java/com/eactive/testmaster/client/controller/ApiClientPageController.java b/src/main/java/com/eactive/testmaster/client/controller/ApiClientPageController.java index 2af8ed6..9bd38b9 100644 --- a/src/main/java/com/eactive/testmaster/client/controller/ApiClientPageController.java +++ b/src/main/java/com/eactive/testmaster/client/controller/ApiClientPageController.java @@ -1,7 +1,8 @@ package com.eactive.testmaster.client.controller; import com.eactive.testmaster.server.entity.Server; -import com.eactive.testmaster.server.entity.ServerRepository; +import com.eactive.testmaster.server.repository.ServerRepository; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.GetMapping; @@ -18,6 +19,7 @@ public class ApiClientPageController { } @GetMapping("/mgmt/api_tester.do") + @Secured("ROLE_API_TESTER") public String testView(ModelMap model) { List servers = serverRepository.findAllByEnabledIs(true); diff --git a/src/main/java/com/eactive/testmaster/config/PortalConfigSecurity.java b/src/main/java/com/eactive/testmaster/config/PortalConfigSecurity.java index 1d5bcb0..ac88e74 100644 --- a/src/main/java/com/eactive/testmaster/config/PortalConfigSecurity.java +++ b/src/main/java/com/eactive/testmaster/config/PortalConfigSecurity.java @@ -6,15 +6,19 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.config.http.SessionCreationPolicy; +import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.csrf.CookieCsrfTokenRepository; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; @Configuration @EnableWebSecurity -public class PortalConfigSecurity extends WebSecurityConfigurerAdapter { +@EnableGlobalMethodSecurity(securedEnabled = true) +public class PortalConfigSecurity { private final PortalAuthenticationFailureHandler authenticationFailureHandler; @@ -41,34 +45,49 @@ public class PortalConfigSecurity extends WebSecurityConfigurerAdapter { return registrationBean; } - @Override - protected void configure(HttpSecurity http) throws Exception { - - http.headers().frameOptions().disable();//spring security 와 h2-console 같이 사용. - + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http - .formLogin() + .authenticationManager(portalAuthenticationManager) +// .authorizeRequests(authorizeRequests -> authorizeRequests.antMatchers("/h2-console/", +// "/css/", +// "/html/", +// "/images/", +// "/img/", +// "/js/", +// "/login", +// "/intro.do", +// "/join.do", +// "/actionLogin.do", +// "/search_id.do", +// "/admin_register_view.do", +// "/admin_register.do", +// "/reset_password.do", +// "/forgot_password.do") +// .permitAll() +// .anyRequest() +// .authenticated()) + .formLogin(form -> form .loginPage("/login") .usernameParameter("id") .passwordParameter("password") .loginProcessingUrl("/actionLogin.do") - .successHandler(authenticationSuccessHandler) .failureHandler(authenticationFailureHandler) - .and() - .logout().logoutUrl("/actionLogout.do").logoutSuccessUrl("/") - .and().authorizeRequests() // 권한요청 처리 설정 메서드 - .antMatchers("/h2-console/**").permitAll() // 누구나 h2-console 접속 허용 - .and() - .csrf() - .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/mgmt/**", "POST")) - .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); + .successHandler(authenticationSuccessHandler)) + .logout(logout -> logout + .logoutRequestMatcher(new AntPathRequestMatcher("/actionLogout.do", "GET")) + .logoutSuccessUrl("/")) + .csrf(csrf -> csrf + .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) + .ignoringAntMatchers("/h2-console/**") + ).headers(headers -> headers.frameOptions().sameOrigin()) + .sessionManagement(session -> session + .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED) + .sessionFixation() + .changeSessionId() + ); + + return http.build(); } - - @Override - @Bean - public PortalAuthenticationManager authenticationManager() { - return portalAuthenticationManager; - } - } diff --git a/src/main/java/com/eactive/testmaster/config/WebMvcConfig.java b/src/main/java/com/eactive/testmaster/config/WebMvcConfig.java index f633940..e6272dc 100644 --- a/src/main/java/com/eactive/testmaster/config/WebMvcConfig.java +++ b/src/main/java/com/eactive/testmaster/config/WebMvcConfig.java @@ -1,6 +1,8 @@ package com.eactive.testmaster.config; -import com.eactive.testmaster.common.interceptor.AuthenticInterceptor; +import java.util.ArrayList; +import java.util.List; +import java.util.concurrent.TimeUnit; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.Ordered; @@ -8,13 +10,12 @@ import org.springframework.data.domain.PageRequest; import org.springframework.data.web.PageableHandlerMethodArgumentResolver; import org.springframework.http.CacheControl; import org.springframework.web.method.support.HandlerMethodArgumentResolver; -import org.springframework.web.servlet.config.annotation.*; +import org.springframework.web.servlet.config.annotation.EnableWebMvc; +import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; +import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; +import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.servlet.resource.PathResourceResolver; -import java.util.ArrayList; -import java.util.List; -import java.util.concurrent.TimeUnit; - @Configuration @EnableWebMvc public class WebMvcConfig implements WebMvcConfigurer { @@ -26,20 +27,6 @@ public class WebMvcConfig implements WebMvcConfigurer { WebMvcConfigurer.super.addViewControllers(registry); } - private List listAdminAuthPattern() { - List patterns = new ArrayList<>(); - patterns.add("/mgmt/users/*.do"); - patterns.add("/mgmt/servers/*.do"); - return patterns; - } - - @Bean - public AuthenticInterceptor authenticInterceptor() { - AuthenticInterceptor authenticInterceptor = new AuthenticInterceptor(); - authenticInterceptor.setAdminAuthPatternList(listAdminAuthPattern()); - return authenticInterceptor; - } - @Override public void addArgumentResolvers(List resolvers) { resolvers.add(pageableHandlerMethodArgumentResolver()); @@ -53,34 +40,6 @@ public class WebMvcConfig implements WebMvcConfigurer { return pageableHandlerMethodArgumentResolver; } - @Override - public void addInterceptors(InterceptorRegistry registry) { - registry.addInterceptor(authenticInterceptor()) - .addPathPatterns( - "/", - "/mgmt/**/*.do") - .excludePathPatterns( - "/h2-console/**", - "/css/**", - "/html/**", - "/images/**", - "/img/**", - "/js/**", - "/login", - "/intro.do", - "/join.do", - "/user_register.do", - "/actionLogin.do", - "/check_id.do", - "/search_id.do", - "/admin_register_view.do", - "/admin_register.do", - "/request_register_auth.do", - "/reset_password.do", - "/forgot_password.do" - ); - } - @Override public void addResourceHandlers(ResourceHandlerRegistry registry) { diff --git a/src/main/java/com/eactive/testmaster/server/controller/ServerMgmtController.java b/src/main/java/com/eactive/testmaster/server/controller/ServerMgmtController.java index ffa914e..8d7b59e 100644 --- a/src/main/java/com/eactive/testmaster/server/controller/ServerMgmtController.java +++ b/src/main/java/com/eactive/testmaster/server/controller/ServerMgmtController.java @@ -8,6 +8,7 @@ import com.eactive.testmaster.server.service.ServerMgmtService; import org.apache.commons.lang3.StringUtils; import org.springframework.data.domain.Page; import org.springframework.data.domain.Pageable; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; @@ -40,6 +41,7 @@ public class ServerMgmtController { public static final String SERVER_LIST_VIEW = "redirect:/mgmt/servers/list_view.do"; @GetMapping("/list_view.do") + @Secured("ROLE_MANAGE_SERVER") public String listView(@ModelAttribute("serverSearch") ServerSearch serverSearch, ModelMap model, Pageable pageable) { @@ -53,6 +55,7 @@ public class ServerMgmtController { } @GetMapping("/create_view.do") + @Secured("ROLE_MANAGE_SERVER") public String createView(ModelMap model) { ServerDTO defaultServer = new ServerDTO(); model.addAttribute(SERVER, defaultServer); @@ -60,6 +63,7 @@ public class ServerMgmtController { } @GetMapping("/update_view.do") + @Secured("ROLE_MANAGE_SERVER") public String updateView(ModelMap model, @RequestParam("id") Long id) { Server found = serverMgmtService.findById(id); ServerDTO server = serverMapper.map(found); @@ -68,6 +72,7 @@ public class ServerMgmtController { } @PostMapping("/register.do") + @Secured("ROLE_MANAGE_SERVER") public String register(@ModelAttribute(SERVER) ServerDTO dto, BindingResult bindingResult, ModelMap model) { @@ -89,6 +94,7 @@ public class ServerMgmtController { } @PostMapping("/update.do") + @Secured("ROLE_MANAGE_SERVER") public String update(@ModelAttribute(SERVER) ServerDTO dto, BindingResult bindingResult, ModelMap model) { @@ -110,6 +116,7 @@ public class ServerMgmtController { } @PostMapping("/delete.do") + @Secured("ROLE_MANAGE_SERVER") public String delete(@RequestParam("checkedIdForDel") List checkedIdForDel) { for (String id : checkedIdForDel) { serverMgmtService.delete(Long.parseLong(id)); diff --git a/src/main/java/com/eactive/testmaster/server/controller/ServerRestController.java b/src/main/java/com/eactive/testmaster/server/controller/ServerRestController.java index 4de463d..8d0003d 100644 --- a/src/main/java/com/eactive/testmaster/server/controller/ServerRestController.java +++ b/src/main/java/com/eactive/testmaster/server/controller/ServerRestController.java @@ -11,6 +11,7 @@ import org.springframework.data.domain.Pageable; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; +import org.springframework.security.access.annotation.Secured; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.ModelAttribute; @@ -18,7 +19,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @RestController -@RequestMapping("/mgmt/servers") +@RequestMapping("/servers") public class ServerRestController { private final ServerMgmtService serverMgmtService; @@ -31,6 +32,7 @@ public class ServerRestController { } @GetMapping("/list.do") + @Secured("ROLE_API_TESTER") public ResponseEntity> listView(@ModelAttribute("serverSearch") ServerSearch serverSearch, ModelMap model, Pageable pageable) { Page page = serverMgmtService.findAll(serverSearch.buildSpecification(), pageable); HttpHeaders headers = new HttpHeaders(); diff --git a/src/main/java/com/eactive/testmaster/user/controller/UserMgmtController.java b/src/main/java/com/eactive/testmaster/user/controller/UserMgmtController.java index 7e69d56..2be9b59 100644 --- a/src/main/java/com/eactive/testmaster/user/controller/UserMgmtController.java +++ b/src/main/java/com/eactive/testmaster/user/controller/UserMgmtController.java @@ -10,6 +10,7 @@ import com.eactive.testmaster.user.service.StaffUserService; import org.apache.commons.lang3.StringUtils; import org.springframework.data.domain.Page; import org.springframework.data.domain.Pageable; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; @@ -36,6 +37,7 @@ public class UserMgmtController { } @GetMapping("/list_view.do") + @Secured("ROLE_MANAGE_USER") public String userList(@ModelAttribute("userSearch") UserSearch userSearch, ModelMap model, Pageable pageable) { @@ -49,12 +51,14 @@ public class UserMgmtController { } @GetMapping("/create_view.do") + @Secured("ROLE_MANAGE_USER") public String createView(ModelMap model) { model.addAttribute("user", new StaffUser()); return STAFF_USER_EDIT; } @GetMapping("/update_view.do") + @Secured("ROLE_MANAGE_USER") public String updateView(ModelMap model, @RequestParam("userId") String userId) { @@ -64,6 +68,7 @@ public class UserMgmtController { } @PostMapping("/register.do") + @Secured("ROLE_MANAGE_USER") public String register(@ModelAttribute("user") UserRegisterDTO user, BindingResult bindingResult, ModelMap model) { @@ -86,6 +91,7 @@ public class UserMgmtController { @PostMapping("/update.do") + @Secured("ROLE_MANAGE_USER") public String update(@RequestParam("esntlId") String esntlId, @ModelAttribute("user") UserUpdateDTO user, BindingResult bindingResult, @@ -109,6 +115,7 @@ public class UserMgmtController { @PostMapping("/delete.do") + @Secured("ROLE_MANAGE_USER") public String delete(@ModelAttribute UserSearch modelSearch) { modelSearch.getCheckedIdForDel().forEach(id -> { if (!SecurityUtil.getCurrentUserEsntlId().equals(id)) { // 자기 자신은 삭제 불가 diff --git a/src/main/java/com/eactive/testmaster/user/entity/User.java b/src/main/java/com/eactive/testmaster/user/entity/User.java index bbc76a9..f686482 100644 --- a/src/main/java/com/eactive/testmaster/user/entity/User.java +++ b/src/main/java/com/eactive/testmaster/user/entity/User.java @@ -2,6 +2,9 @@ package com.eactive.testmaster.user.entity; import com.eactive.testmaster.common.entity.Auditable; import com.eactive.testmaster.common.entity.EnabledStatus; +import java.util.ArrayList; +import java.util.List; +import java.util.Objects; import org.hibernate.annotations.Type; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; @@ -15,6 +18,7 @@ import java.util.Collection; @MappedSuperclass public abstract class User extends Auditable implements Serializable, UserDetails { + private static final long serialVersionUID = 1L; /** @@ -123,11 +127,18 @@ public abstract class User extends Auditable implements Serializable, UserDetail @Override @Transient public Collection getAuthorities() { - if (userSecurity != null) { - return Arrays.asList(new SimpleGrantedAuthority(this.userSecurity)); - } else { - return Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")); + List authorities = new ArrayList<>(); + authorities.add(new SimpleGrantedAuthority(Objects.requireNonNullElse(userSecurity, "ROLE_USER"))); + + if (this.userSecurity.equals("ROLE_ADMIN")) { + authorities.add(new SimpleGrantedAuthority("ROLE_MANAGE_ROUTE")); + authorities.add(new SimpleGrantedAuthority("ROLE_MANAGE_SERVER")); + authorities.add(new SimpleGrantedAuthority("ROLE_MANAGE_USER")); } + + authorities.add(new SimpleGrantedAuthority("ROLE_API_TESTER")); + + return authorities; } @Override