


스프링 시큐리티 CSRF 토큰, 로그아웃


admin으로 로그인하면 admin 페이지로

member로 로그인하면 member 페이지로

 

 

 

security-context.xml

 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

<!-- Invoked when an authenticated user requests a URL its roles do not permit. -->
<bean id="customAccessDenied"
class="com.mystudy.security.CustomAccessDeniedHandler"></bean>

<!-- Post-login redirect: ROLE_ADMIN goes to /sample/admin, ROLE_MEMBER to /sample/member
     (see CustomLoginSuccessHandler). -->
<bean id="customLoginSuccess"
class="com.mystudy.security.CustomLoginSuccessHandler"></bean>



<!-- CSRF protection is not disabled in this element, so every state-changing request,
     including the POST logout configured below, must carry the CSRF token.
     intercept-url rules are evaluated top-down; the first matching pattern decides. -->
<security:http>

<security:intercept-url pattern="/sample/all"
access="permitAll" />

<security:intercept-url
pattern="/sample/member" access="hasRole('ROLE_MEMBER')" />

<security:intercept-url pattern="/sample/admin"
access="hasRole('ROLE_ADMIN')" />

<security:access-denied-handler
ref="customAccessDenied" />

<!-- Custom login page served by CommonController.loginInput at GET /customLogin. -->
<security:form-login login-page="/customLogin"
authentication-success-handler-ref="customLoginSuccess" />

<!-- With CSRF active the logout filter handles a POST to this URL (sent by the form in
     customLogout.jsp); a GET falls through to CommonController.logoutGet, which only
     renders the confirmation page. invalidate-session drops the HTTP session on logout. -->
<security:logout logout-url="/customLogout"
invalidate-session="true" />


</security:http>

<!-- In-memory users for this exercise. The "{noop}" prefix tells the password encoder the
     value is stored as plain text, which is only suitable for a local demo. "admin" holds
     both roles, so the success handler's ROLE_ADMIN check wins for that account. -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="member" password="{noop}member"
authorities="ROLE_MEMBER"/>
<security:user name="admin" password="{noop}admin"
authorities="ROLE_MEMBER, ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>

</beans>

 

 

 

 

CustomLoginSuccessHandler.java

 

package com.mystudy.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import lombok.extern.log4j.Log4j;

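@Log4j
public class CustomLoginSuccessHandler implements AuthenticationSuccessHandler {

    /**
     * Redirects a freshly authenticated user to the landing page of the highest role it
     * holds: {@code ROLE_ADMIN} to {@code /sample/admin}, {@code ROLE_MEMBER} to
     * {@code /sample/member}, anything else to the application root.
     *
     * <p>The target is prefixed with {@code request.getContextPath()} so the redirect also
     * works when the application is deployed under a non-root context path; with a root
     * context the resulting URLs are identical to the previous hard-coded ones.
     *
     * @param request        the request that carried the successful login
     * @param response       the response on which the redirect is issued
     * @param authentication the established authentication; its granted authorities pick
     *                       the target
     * @throws IOException      if the redirect cannot be written
     * @throws ServletException declared by the interface; not thrown here
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {

        log.warn("Login Success");

        // Collect the authority names once so the role checks are plain list lookups.
        List<String> roleNames = new ArrayList<>();
        authentication.getAuthorities().forEach(authority -> roleNames.add(authority.getAuthority()));

        log.warn("ROLE NAMES: " + roleNames);

        response.sendRedirect(request.getContextPath() + landingPath(roleNames));
    }

    /**
     * Picks the landing path (without context path) for the given authority names.
     * ROLE_ADMIN is checked first, so an account holding both roles lands on the admin page.
     *
     * @param roleNames authority names of the authenticated user; may be empty
     * @return {@code /sample/admin}, {@code /sample/member} or {@code /}
     */
    private static String landingPath(List<String> roleNames) {
        if (roleNames.contains("ROLE_ADMIN")) {
            return "/sample/admin";
        }
        if (roleNames.contains("ROLE_MEMBER")) {
            return "/sample/member";
        }
        return "/";
    }

}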

 

 


로그아웃

 

CommonController.java

 

package com.mystudy.spring3;

import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

import lombok.extern.log4j.Log4j;

@Controller
@Log4j
public class CommonController {

    /**
     * Renders the access-denied page. The handler returns {@code void}, so Spring MVC derives
     * the view name from the request path ({@code accessError}).
     *
     * @param auth  the current authentication, logged for diagnosis (may be {@code null})
     * @param model receives the {@code msg} attribute shown on the page
     */
    @GetMapping("/accessError")
    public void accessDenied(Authentication auth, Model model) {
        log.info("access Denied : " + auth);
        model.addAttribute("msg", "Access Denied");
    }

    /**
     * Renders the custom login page configured as {@code login-page="/customLogin"} in
     * security-context.xml.
     *
     * @param error  present (non-null) when the security filter redirected here after a
     *               failed login
     * @param logout present (non-null) when the user arrived here after logging out
     * @param model  receives the {@code error} and/or {@code logout} message attributes
     */
    @GetMapping("/customLogin")
    public void loginInput(String error, String logout, Model model) {
        log.info("error : " + error);
        log.info("logout : " + logout);

        boolean loginFailed = error != null;
        boolean loggedOut = logout != null;

        if (loginFailed) {
            model.addAttribute("error", "Login Error Check Your Account");
        }
        if (loggedOut) {
            model.addAttribute("logout", "Logout!!");
        }
    }

    /**
     * Renders the logout confirmation page ({@code customLogout.jsp}). The actual logout is
     * the POST to {@code /customLogout}, which the security logout filter handles before it
     * reaches this controller; a GET only shows the confirmation form.
     */
    @GetMapping("/customLogout")
    public void logoutGet() {
        log.info("custom logout");
    }

}

 

 

customLogout.jsp

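<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>

<h1> Logout Page</h1>

<%-- Logout must be a POST carrying the CSRF token: with CSRF protection active the
     security logout filter (logout-url="/customLogout" in security-context.xml) only
     handles POST, and a POST without a valid token is rejected. The action is prefixed
     with the context path so the form also works when the app is not deployed at the
     server root. Attributes are now separated by whitespace as HTML requires. --%>
<form action="${pageContext.request.contextPath}/customLogout" method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
<button>로그아웃</button>
</form>

</body>
</html>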

 

 

 

 
