###############################################################
## ÀÛ¾÷ #1 ÇÁ·ÎÁ§Æ® Áغñ
## WEB-INF/lib
commons-logging.jar
org.springframework.aop-3.0.1.RELEASE.jar
org.springframework.asm-3.0.1.RELEASE.jar
org.springframework.beans-3.0.1.RELEASE.jar
org.springframework.context-3.0.1.RELEASE.jar
org.springframework.core-3.0.1.RELEASE.jar
org.springframework.expression-3.0.1.RELEASE.jar
org.springframework.transaction-3.0.1.RELEASE.jar
org.springframework.web-3.0.1.RELEASE.jar
spring-security-config-3.0.2.RELEASE.jar
spring-security-core-3.0.2.RELEASE.jar
spring-security-web-3.0.2.RELEASE.jar
###############################################################
## ÀÛ¾÷ #2 ÃÊ°£´Ü HTTP º¸¾È
## web.xml
contextConfigLocation
WEB-INF/applicationContext*.xml
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
org.springframework.web.context.ContextLoaderListener
## applicationContext-security.xml
## /index.jsp
¸ÞÀÎ ÆäÀÌÁö
°ü¸®ÀÚ ÆäÀÌÁö
## /admin/index.jsp
Admin Main Page
Administrator only!!!
¸ÞÀÎ ÆäÀÌÁö
###############################################################
## ÀÀ¿ë #1 Á÷Á¢ ¸¸µç ·Î±×ÀÎ Æû
## applicationContext-security.xml
## login.jsp
·Î±×ÀÎ ÆäÀÌÁö
###############################################################
## ÀÀ¿ë #2 ·Î±×¾Æ¿ô
## /index.jsp
·Î±×¾Æ¿ô
###############################################################
## ÀÀ¿ë #3 »ç¿ëÀÚ ·Î±×ÀÎ È®ÀÎ
## index.jsp
<%@page import="org.springframework.security.core.*"%>
<%@page import="org.springframework.security.core.context.*"%>
<%@page import="org.springframework.security.core.userdetails.*"%>
<%
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String username = null;
boolean isAnonymous = true;
if (principal instanceof UserDetails) {
username = ((UserDetails) principal).getUsername();
isAnonymous = false;
} else {
username = principal.toString();
isAnonymous = true;
}
%>
...
<%
if(isAnonymous) {
%>
·Î±×ÀÎ
<%
} else {
%>
<%=username %>´Ô ¹Ý°©½À´Ï´Ù!
·Î±×¾Æ¿ô
<%
}
%>
###############################################################
## ÀÀ¿ë #4 Ä£ÀýÇÑ ¾È³»
## applicationContext-security.xml
## noAuthorized.jsp
Á¢±Ù ±ÇÇÑ ¾øÀ½!!
¸ÞÀÎ ÆäÀÌÁö
###############################################################
## ÀÀ¿ë #5 ·Î±×ÀÎ ½ÇÆÐ ¸Þ½ÃÁö
## applicationContext-security.xml
## login.jsp
<%@page import="org.springframework.security.core.*"%>
<%@page import="org.springframework.security.web.authentication.*"%>
<%
boolean loginError = request.getParameter("login_error") != null;
String errorMsg = "none";
if (loginError) {
AuthenticationException ex = (AuthenticationException) session.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);
errorMsg = ex != null ? ex.getMessage() : "none";
}
%>
...
<%
if(loginError) {
if("Bad credentials".equals(errorMsg)) {
%>
¾ÆÀ̵𳪠ºñ¹Ð¹øÈ£ ÀÔ·ÂÀÌ Æ²·È½À´Ï´Ù.
<%
} else {
%>
·Î±×ÀÎ ¿¡·¯ : <%=errorMsg %>
<%
}
}
%>
###############################################################
## ÀÀ¿ë #6 ·Î±×ÀÎ ¼º°ø ÆäÀÌÁö
## applicationContext-security.xml
###############################################################
## ÀÀ¿ë #7 ƯÁ¤ URL Åë°ú½ÃÅ°±â
## applicationContext-security.xml
###############################################################
## ÀÀ¿ë #8-1 µ¿½Ã¿¡ 1¸í¸¸ Á¢¼Ó(±âÁ¸ ¼¼¼Ç ¸¸·á)
## applicationContext-security.xml
###############################################################
## ÀÀ¿ë #8-2 µ¿½Ã¿¡ 1¸í¸¸ Á¢¼Ó(·Î±×ÀÎ ¿¡·¯)
## applicationContext-security.xml
###############################################################
## ÀÀ¿ë #9 »ç¿ëÀÚ Á¤º¸ DB¿¡¼ °¡Á®¿À±â
## postgresql-8.4-701.jdbc4.jar
## org.springframework.jdbc-3.0.1.RELEASE-A.jar
## db
create table users(
username varchar(50) not null primary key,
password varchar(50) not null,
enabled boolean not null);
create table authorities (
username varchar(50) not null,
authority varchar(50) not null,
constraint fk_authorities_users foreign key(username) references users(username));
create unique index ix_auth_username on authorities (username,authority);
INSERT INTO users(username, "password", enabled) VALUES ('bob', 'bobs', true);
INSERT INTO users(username, "password", enabled) VALUES ('jimi', 'jimis', true);
INSERT INTO authorities(username, authority) VALUES ('bob', 'ROLE_USER');
INSERT INTO authorities(username, authority) VALUES ('jimi', 'ROLE_USER');
INSERT INTO authorities(username, authority) VALUES ('jimi', 'ROLE_ADMIN');
## applicationContext-security.xml
..
/** ½ÉÈ **/
###############################################################
## ½ÉÈ #1 ¸Þ¼µå ±ÇÇÑÁ¦¾î
## com.springsource.org.aopalliance-1.0.0.jar
## com.springsource.org.aspectj.tools-1.6.6.RELEASE.jar
## com.springsource.net.sf.cglib-2.1.3.jar
## org.springframework.web.servlet-3.0.1.RELEASE-A.jar
## web.xml
security
org.springframework.web.servlet.DispatcherServlet
1
security
*.do
## security-servlet.xml
## my.controller.MyController.java
@Controller
public class MyController {
@RequestMapping("/mvcHello")
public void mvcHello() {
}
}
## WEB-INF/view/mvcHello.jsp
MVC Hello
## applicationContext-security.xml
----
## applicationContext-security.xml
...
## my.service.MyService.java
@Service
public class MyService {
@Secured("ROLE_ADMIN")
public String getSecurity() {
return "success";
}
}
## my.controller.MyController.java
@Autowired MyService myService;
@RequestMapping("/hasSomeSecurity")
public void hasSomeSecurity(Model model) {
String result = myService.getSecurity();
model.addAttribute("result", result);
}
## index.jsp
º¸¾È ÆäÀÌÁö
## WEB-INF/view/hasSomeSecurity.jsp
¹«¾ð°¡ º¸¾È¿ä¼Ò¸¦ °¡Áö°í ÀÖ´Â ÆäÀÌÁö
º¸¾È°á°ú : ${result }
###############################################################
## ½ÉÈ #2 MyUserDeatilsService
## applicationContext-security.xml
## my.domain.MyUserDetails
public class MyUserDetails implements UserDetails {
private String username;
private String password;
private boolean isEnabled = true;
private boolean isAccountNonExpired = true;
private boolean isAccountNonLocked = true;
private boolean isCredentialsNonExpired = true;
private Collection authorities = new ArrayList();
public MyUserDetails(String username, String password) {
this.username = username;
this.password = password;
}
@Override
public Collection getAuthorities() {
return authorities;
}
@Override
public String getPassword() {
return password;
}
@Override
public String getUsername() {
return username;
}
@Override
public boolean isAccountNonExpired() {
return isAccountNonExpired;
}
@Override
public boolean isAccountNonLocked() {
return isAccountNonLocked;
}
@Override
public boolean isCredentialsNonExpired() {
return isCredentialsNonExpired;
}
@Override
public boolean isEnabled() {
return isEnabled;
}
}
## my.service.MyUserDetailsService
public class MyUserDetailsService implements UserDetailsService {
private MyDao myDao;
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
UserDetails userDetails = myDao.getUserDetails(username);
Collection authorities = myDao.getAuthorities(username);
userDetails.getAuthorities().addAll(authorities);
return userDetails;
}
public void setMyDao(MyDao myDao) {
this.myDao = myDao;
}
}
## my.dao.MyDao.java
public class MyDao extends JdbcDaoSupport {
public static final String DEF_USERS_BY_USERNAME_QUERY =
"select username,password " +
"from users " +
"where username = ?";
public static final String DEF_AUTHORITIES_BY_USERNAME_QUERY =
"select username,authority " +
"from authorities " +
"where username = ?";
public UserDetails getUserDetails(String username) {
List userDetailsList = getJdbcTemplate().query(DEF_USERS_BY_USERNAME_QUERY, new String[] {username}, new RowMapper() {
public UserDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
String username = rs.getString(1);
String password = rs.getString(2);
return new MyUserDetails(username, password);
}
});
if(userDetailsList.size() == 1)
return userDetailsList.get(0);
else
return null;
}
public Collection getAuthorities(String username) {
return getJdbcTemplate().query(DEF_AUTHORITIES_BY_USERNAME_QUERY, new String[] {username}, new RowMapper() {
public GrantedAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
String roleName = rs.getString(2);
return new GrantedAuthorityImpl(roleName);
}
});
}
}
###############################################################
## ½ÉÈ #3 XML-Based Configuration
## applicationContext-security.xml