시큐리티
- 허가된 사용자만이 특정 웹페이지에 접근할 수 있도록 제한하는 보안 기능
- 사용자가 권한이 없는 데이터에 접근하는 것을 막거나, 웹 공격자가 전송 데이터를
중간에 가로채는 것을 방지하는 등 중요한 역할
시큐리티 처리 방법
선언적 시큐리티 처리
FORM기반 인증
선언적 시큐리티 예제
특정 유저에게만 권한을 부여하기 위해 사용하는 방식이다.
tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--><tomcat-users version="1.0" xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary. It is
strongly recommended that you do NOT use one of the users in the commented out
section below since they are intended for use with the examples web
application.
-->
<!--
NOTE: The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!-- Two roles are declared for the Tomcat server; three users are assigned to them. -->
<!--
Review notes:
* The password attributes below are stored in clear text. Tomcat can hold
  digested credentials instead when a CredentialHandler is configured on the
  Realm in server.xml; this file then carries the digests, not the passwords.
* The role name "role1" is the one web.xml refers to in <security-role> and
  <auth-constraint>; the two files must agree exactly.
* Keep this file readable only by the account Tomcat runs as: anyone who can
  read it can read every password in it.
-->
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat0217" roles="tomcat"/>
<user username="both" password="both0217" roles="tomcat,role1"/>
<user username="role1" password="role0217" roles="role1"/>
</tomcat-users>
web.xml
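<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>Chap16_Security</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-role> <!-- Lists the roles this web application uses -->
<role-name>role1</role-name> <!-- role1 : must also be registered as a role name in tomcat-users.xml -->
</security-role>
<security-constraint> <!-- Access restriction on the resources listed below -->
<!-- Web resource collection: which URLs (and which HTTP methods) are protected -->
<web-resource-collection>
<web-resource-name>Chap16_Security</web-resource-name>
<url-pattern>/security01.jsp</url-pattern>
<!-- Only GET is listed. On its own that protects GET only; every other method
     (POST, HEAD, ...) on /security01.jsp would be served without authentication.
     The deny-uncovered-http-methods element below closes that gap. -->
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>role1</role-name>
</auth-constraint>
<!-- No <user-data-constraint> is set, so the page and the credentials sent with
     it travel over whatever scheme the client used. Once an HTTPS connector is
     available, add <transport-guarantee>CONFIDENTIAL</transport-guarantee> here
     so the container redirects plain HTTP requests to HTTPS. -->
</security-constraint>
<!-- Servlet 3.1: any HTTP method on a constrained URL that no constraint covers
     is rejected with 403 instead of being allowed through unauthenticated. -->
<deny-uncovered-http-methods/>
<!-- <login-config> only comes into play when a user requests a resource that is
     restricted inside <security-constraint> -->
<login-config>
<auth-method>BASIC</auth-method> <!-- HTTP Basic: the browser prompts once and then sends the credentials base64 encoded (not encrypted) with every request -->
</login-config>
</web-app>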
security01.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%-- Protected resource: web.xml maps /security01.jsp to role "role1" in its
     <security-constraint>, so the container authenticates the user (via the
     <login-config> method) before this page is rendered. The page itself does
     no checks; all enforcement happens in the container. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>인증 처리페이지(Security)</title>
</head>
<body>
<h1>인증 성공하셨습니다!</h1>
</body>
</html>
FORM 기반 인증 예제
web.xml
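<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>Chap16_Security</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-role> <!-- Lists the roles this web application uses -->
<role-name>role1</role-name> <!-- role1 : must also be registered as a role name in tomcat-users.xml -->
</security-role>
<security-constraint> <!-- Access restriction on the resources listed below -->
<!-- Web resource collection: which URLs (and which HTTP methods) are protected -->
<web-resource-collection>
<web-resource-name>Chap16_Security</web-resource-name>
<url-pattern>/security01.jsp</url-pattern>
<!-- Only GET is listed. On its own that protects GET only; every other method
     (POST, HEAD, ...) on /security01.jsp would be served without authentication.
     The deny-uncovered-http-methods element below closes that gap. -->
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>role1</role-name>
</auth-constraint>
<!-- No <user-data-constraint> is set, so the login form's POST to j_security_check
     carries the password in clear over plain HTTP. Once an HTTPS connector is
     available, add <transport-guarantee>CONFIDENTIAL</transport-guarantee> here. -->
</security-constraint>
<!-- Servlet 3.1: any HTTP method on a constrained URL that no constraint covers
     is rejected with 403 instead of being allowed through unauthenticated. -->
<deny-uncovered-http-methods/>
<!-- <login-config> only comes into play when a user requests a resource that is
     restricted inside <security-constraint> -->
<login-config>
<!-- <auth-method>BASIC</auth-method> would select HTTP Basic authentication instead. -->
<auth-method>FORM</auth-method> <!-- Form based authentication: the container shows the page below and validates the posted credentials -->
<form-login-config>
<!-- Both pages must stay reachable without authentication, i.e. outside every
     <security-constraint>; here only /security01.jsp is constrained. -->
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login_failed.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>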
login.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%-- Container managed login page, selected by <form-login-page> in web.xml when
     <auth-method> is FORM. The action "j_security_check" and the field names
     j_username / j_password are fixed by the Servlet specification; the container
     itself validates them against the realm (tomcat-users.xml). The credentials
     are posted in clear unless the request is served over HTTPS. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>로그인 폼인증</title>
</head>
<body>
<!-- 로그인 인증처리를 위해서 폼 태그 작성
폼의 action을 j_security_check, 사용자명과 비밀번호의 name속성값은
각각 j_username, j_password로 설정-->
<form action="j_security_check" name="loginForm" method="post">
<p><b>사용자명 : </b><input type="text" name="j_username">
<p><b>비밀번호 : </b><input type="password" name="j_password">
<p><input type="submit" value="전송">
</form>
</body>
</html>
login_failed.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%-- Shown by the container (web.xml <form-error-page>) when j_security_check
     rejects the submitted credentials. It deliberately gives no detail about
     which of username or password was wrong. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>로그인 폼 인증 실패</title>
</head>
<body>
<h1>폼 인증 실패했습니다.</h1>
</body>
</html>
security01.jsp 실행
프로그래밍적 시큐리티 처리 - 내용 이해만 하면 된다.
프로그래밍적 시큐리티 처리 예제
web.xml
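<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>Chap16_Security</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-role> <!-- Lists the roles this web application uses -->
<role-name>role1</role-name> <!-- role1 : must also be registered as a role name in tomcat-users.xml -->
</security-role>
<security-constraint> <!-- Access restriction on the resources listed below -->
<!-- Web resource collection: which URLs (and which HTTP methods) are protected -->
<web-resource-collection>
<web-resource-name>Chap16_Security</web-resource-name>
<!-- <url-pattern>/security01.jsp</url-pattern> (earlier example; no longer constrained) -->
<url-pattern>/security02.jsp</url-pattern>
<!-- Only GET is listed. On its own that protects GET only; every other method
     (POST, HEAD, ...) on /security02.jsp would be served without authentication.
     The deny-uncovered-http-methods element below closes that gap. -->
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>role1</role-name>
</auth-constraint>
<!-- No <user-data-constraint> is set, so the login form's POST to j_security_check
     carries the password in clear over plain HTTP, and request.isSecure() in
     security02.jsp reports false. Once an HTTPS connector is available, add
     <transport-guarantee>CONFIDENTIAL</transport-guarantee> here. -->
</security-constraint>
<!-- Servlet 3.1: any HTTP method on a constrained URL that no constraint covers
     is rejected with 403 instead of being allowed through unauthenticated. -->
<deny-uncovered-http-methods/>
<!-- <login-config> only comes into play when a user requests a resource that is
     restricted inside <security-constraint> -->
<login-config>
<!-- <auth-method>BASIC</auth-method> would select HTTP Basic authentication instead. -->
<auth-method>FORM</auth-method> <!-- Form based authentication: the container shows the page below and validates the posted credentials -->
<form-login-config>
<!-- Both pages must stay reachable without authentication, i.e. outside every
     <security-constraint>; here only /security02.jsp is constrained. -->
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login_failed.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>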
security02.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%-- Programmatic security: this page only reads what the container established
     when it authenticated the request (web.xml constrains /security02.jsp to
     role "role1" with FORM login). Notes for readers:
     * getRemoteUser / getAuthType / isUserInRole reflect the container's
       decision; the page does not enforce anything itself.
     * The values are written with expression tags without HTML escaping. The
       user name comes from tomcat-users.xml here, so that is acceptable for
       this exercise; with a realm whose user names are not administrator
       controlled the output should be HTML escaped.
     * isSecure() reports whether this request arrived over HTTPS; with no
       <transport-guarantee> in web.xml it is false for plain HTTP requests. --%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>인증 처리페이지(Security)</title>
</head>
<body>
<p><b>사용자명 : </b> <%=request.getRemoteUser() %> <!-- 인증된 사용자명을 가져옴 -->
<p><b>인증방식 : </b> <%=request.getAuthType() %> <!-- 인증방법이 어떤것인지 가져옴 -->
<p><b>인증한 사용자명이 역할명 "tomcat"에 속하는 사용자인가? <%=request.isUserInRole("tomcat") %></b>
<p><b>인증한 사용자명이 역할명 "role1"에 속하는 사용자인가? <%=request.isUserInRole("role1") %></b>
<p><b>프로토콜이 무엇인가? <%=request.getProtocol() %></b>
<p><b>https 요청으로 요청이 들어왔나요? <%=request.isSecure() %></b>
</body>
</html>
security02.jsp 실행