포스코DX X 비트교육센터 6기 - Spring


board review

인터셉터

image

image

권한과 인증

  • 인증 : 직원임을 인증
  • 권한 : 직원이긴 한데 할 수 있는 역할이 다름 (읽을 수만 있거나 읽기쓰기가 가능하거나…)

실습

image

image

image

image

  • MyInterceptor.java
package com.poscodx.hellospring.interceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class MyInterceptor implements HandlerInterceptor {

	/** Prefix shared by every trace line so the three callbacks can be told apart on the console. */
	private static final String TAG = "MyInterceptor.";

	/**
	 * Traces that the interceptor ran before the handler and lets the request continue.
	 *
	 * @return always {@code true}; the handler is never short-circuited here
	 */
	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
			throws Exception {
		trace("preHandle");
		return true;
	}

	/** Traces that the handler finished but the view has not been rendered yet. */
	@Override
	public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
			ModelAndView modelAndView) throws Exception {
		trace("postHandle");
	}

	/** Traces that the whole request, including view rendering, is complete. */
	@Override
	public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
			throws Exception {
		trace("afterCompletion");
	}

	/** Writes one {@code MyInterceptor.<callback>(..) called} line to standard output. */
	private static void trace(String callback) {
		System.out.println(TAG + callback + "(..) called");
	}

}

  • spring-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:aop="http://www.springframework.org/schema/aop" 
	xmlns="http://www.springframework.org/schema/beans"
	xmlns:p="http://www.springframework.org/schema/p" 
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:mvc="http://www.springframework.org/schema/mvc"
	xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
	http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
	http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
	http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
  
  <!-- Interceptors -->
    <mvc:interceptors>
        <mvc:interceptor>
           <mvc:mapping path="/board/**" /> 
       <bean class="com.poscodx.hellospring.MyInterceptor" />
        </mvc:interceptor>
    </mvc:interceptors>
    
	<context:annotation-config />
	<context:component-scan base-package="com.poscodx.hellospring.controller" />

</beans>

image

image

로그인 처리 실습

image

image

image

package com.poscodx.mysite.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.servlet.HandlerInterceptor;

import com.poscodx.mysite.service.UserService;
import com.poscodx.mysite.vo.UserVo;

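public class LoginInterceptor implements HandlerInterceptor {

	// Injected by the container; instantiating the service with `new` would bypass Spring wiring
	// (and any DAO/transaction configuration it depends on).
	@Autowired
	private UserService userService;

	/**
	 * Handles the login submission mapped to this interceptor: looks the user up by the submitted
	 * e-mail and password, then either re-renders the login form (lookup failed) or stores the user
	 * in a fresh session and redirects to the context root (lookup succeeded).
	 *
	 * @return always {@code false} -- the response is completed here, so no controller runs
	 * @throws Exception propagated from the forward, the redirect or the service lookup
	 */
	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
			throws Exception {
		String email = request.getParameter("email");
		String password = request.getParameter("password");

		UserVo authUser = userService.getUser(email, password);

		if (authUser == null) {
			// Re-render the form with the e-mail pre-filled; the password is deliberately not echoed back.
			request.setAttribute("email", email);
			request.getRequestDispatcher("/WEB-INF/views/user/login.jsp").forward(request, response);

			return false;
		}

		// Session-fixation mitigation: discard any session that existed before authentication so a
		// session id known to a third party before login does not become the authenticated session.
		HttpSession existing = request.getSession(false);
		if (existing != null) {
			existing.invalidate();
		}
		HttpSession session = request.getSession(true);
		session.setAttribute("authUser", authUser);
		response.sendRedirect(request.getContextPath());

		return false;
	}

}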

  • spring-servlet.xml
	<!-- Interceptors -->
	<mvc:interceptors>
		<mvc:interceptor>
			<mvc:mapping path="/user/auth"/>
			<bean class="com.poscodx.mysite.security.LoginInterceptor" />
		</mvc:interceptor>
	</mvc:interceptors>
  • userController에 다음 내용 삭제!!
	/**
	 * Controller-side login (superseded by LoginInterceptor): on success the user goes into the
	 * session and the client is redirected to the root; on failure the login view is re-rendered
	 * with the e-mail kept in the model.
	 */
	@RequestMapping(value="/auth", method=RequestMethod.POST)
	public String auth(
		HttpSession session,
		@RequestParam(value="email", required=true, defaultValue="") String email,
		@RequestParam(value="password", required=true, defaultValue="") String password,
		Model model) {
		UserVo user = userService.getUser(email, password);
		if (user != null) {
			// Authenticated: remember the user for the rest of the session.
			session.setAttribute("authUser", user);
			return "redirect:/";
		}
		model.addAttribute("email", email);
		return "user/login";
	}

!! 이제 로그아웃

  • 파일 추가
package com.poscodx.mysite.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;


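public class LogoutInterceptor implements HandlerInterceptor {

	/**
	 * Ends the current session, if there is one, and redirects to the context root.
	 *
	 * @return always {@code false}; the redirect completes the response, so no controller runs
	 * @throws Exception propagated from the redirect
	 */
	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
			throws Exception {
		// getSession(false) avoids allocating a brand-new session only to invalidate it when a
		// logout request arrives without one. invalidate() discards every attribute, including
		// "authUser", so a separate removeAttribute call is redundant.
		HttpSession session = request.getSession(false);
		if (session != null) {
			session.invalidate();
		}

		response.sendRedirect(request.getContextPath());

		return false;
	}

}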

  • spring-servlet.xml 추가
	<!-- Interceptors -->
	<mvc:interceptors>
		<mvc:interceptor>
			<mvc:mapping path="/user/auth"/>
			<bean class="com.poscodx.mysite.security.LoginInterceptor" />
		</mvc:interceptor>
		<mvc:interceptor>
			<mvc:mapping path="/user/logout"/>
			<bean class="com.poscodx.mysite.security.LogoutInterceptor" />
		</mvc:interceptor>
	</mvc:interceptors>
  • userController에 내용 제거하기
		session.removeAttribute("authUser");
		session.invalidate();
		

annotation 실습

image

  • 이제 annotation으로 사용이 가능하다.

image

image

@Auth(value = "Test", test = false)

image

@Auth()


image

@Auth(Role="ADMIN")


AuthInterceptor 실습

  • 파일 생성
package com.poscodx.mysite.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import com.poscodx.mysite.vo.UserVo;

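public class AuthInterceptor implements HandlerInterceptor{

	/**
	 * Authentication gate for handler methods annotated with {@code @Auth}: such a method is only
	 * reached when the session holds an {@code authUser}; otherwise the client is redirected to
	 * the login page. Handlers without the annotation, and non-method handlers (static resources),
	 * pass through untouched.
	 *
	 * @return {@code true} to continue to the handler, {@code false} after redirecting to login
	 * @throws Exception propagated from the redirect
	 */
	@Override
	public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
			throws Exception {

		// 1. Only controller methods can carry @Auth; anything else (e.g. the DefaultServletHandler
		//    serving /assets/**) is let through.
		if (!(handler instanceof HandlerMethod)) {
			return true;
		}

		// 2./3. Read the method-level @Auth from the handler.
		HandlerMethod handlerMethod = (HandlerMethod) handler;
		Auth auth = handlerMethod.getMethodAnnotation(Auth.class);

		// 4. Unannotated handlers are public.
		if (auth == null) {
			return true;
		}

		// 5. Annotated handler: require an authenticated user. getSession(false) avoids creating a
		//    session for anonymous visitors just to look inside it.
		HttpSession session = request.getSession(false);
		UserVo authUser = session == null ? null : (UserVo) session.getAttribute("authUser");

		if (authUser == null) {
			// Fix: the original built this URL from getContentType(), which is null on a plain GET
			// and yielded a "null/user/login" redirect; the context path is what belongs here.
			response.sendRedirect(request.getContextPath() + "/user/login");
			return false;
		}

		// 6. Authenticated. Only authentication is enforced here: a role given on @Auth is not
		//    compared against the user, so this class does not perform authorization.
		return true;
	}

}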

  • spring-servlet
<!-- Interceptors -->
	<mvc:interceptors>
		<mvc:interceptor>
			<mvc:mapping path="/user/auth"/>
			<bean class="com.poscodx.mysite.security.LoginInterceptor" />
		</mvc:interceptor>
		<mvc:interceptor>
			<mvc:mapping path="/user/logout"/>
			<bean class="com.poscodx.mysite.security.LogoutInterceptor" />
		</mvc:interceptor>
		<mvc:interceptor>
			<mvc:mapping path="/**"/>
			<mvc:exclude-mapping path="/assets/**" />
			<mvc:exclude-mapping path="/user/auth" />
			<mvc:exclude-mapping path="/user/logout" />
			<bean class="com.poscodx.mysite.security.AuthInterceptor" />
		</mvc:interceptor>
	</mvc:interceptors>
  • 인터셉터 끝

argument resolver

  • 접근 제어를 위한 과정들이다.
  • 접근 제어란, 로그인이 되어있지 않은 상태에서 모든 기능을 막는 것이다. (CUD; 생성 수정 삭제)
	/**
	 * Shows the profile-edit form for the logged-in user. The {@code @AuthUser} parameter is
	 * supplied by the argument resolver registered in spring-servlet.xml rather than read from
	 * the request directly.
	 */
	@RequestMapping(value="/update", method=RequestMethod.GET)
	public String update(@AuthUser UserVo authUser, Model model) {
		UserVo current = userService.getUser(authUser.getNo());
		model.addAttribute("userVo", current);
		return "user/update";
	}

image

  • spring-servlet.xml : resolver 추가

	<!-- Validator Default Servlet Handler Message Converter Argument Resolver -->
	<mvc:annotation-driven>

		<!-- Argument Resolver -->
		<mvc:argument-resolvers>
			<bean
				class="com.poscodx.mysite.security.AuthUserHandlerMethodArgumentResolver" />
		</mvc:argument-resolvers>

	</mvc:annotation-driven>