5. Spring Security에서 세션 관리하기
p90
SecurityConfig7.java
//세션관리, 동시 세션 관리
package io.securitylecture.springsecuritylecture.config;
import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@EnableWebSecurity
@Configuration
public class SecurityConfig7 {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/login").permitAll().anyRequest().authenticated())
.formLogin(Customizer.withDefaults())
.sessionManagement(session -> session
.maximumSessions(1)
.maxSessionsPreventsLogin(false)
);
return http.build();
}
@Bean
public UserDetailsService userDetailsService(){
UserDetails user = User.withUsername("user")
.password("{noop}111")
.roles("USER").build();
return new InMemoryUserDetailsManager(user);
}
}p95
SecurityConfig8.java
//세션관리, 동시 세션 관리 2
package io.securitylecture.springsecuritylecture.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
@EnableWebSecurity
@Configuration
public class SecurityConfig8 {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/invalidSessionUrl","expiredUrl").permitAll().anyRequest().authenticated())
.formLogin(Customizer.withDefaults())
.sessionManagement(session -> session
.invalidSessionUrl("/invalidSessionUrl")
.maximumSessions(1)
.maxSessionsPreventsLogin(false)
.expiredUrl("/expiredUrl")
);
return http.build();
}
@Bean
public UserDetailsService userDetailsService(){
UserDetails user = User.withUsername("user")
.password("{noop}111")
.roles("USER").build();
return new InMemoryUserDetailsManager(user);
}
}controller/IndexController
package io.securitylecture.springsecuritylecture.controller;
import org.springframework.security.core.Authentication;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.annotation.CurrentSecurityContext;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class IndexController {
@GetMapping("/")
public String index() {
return "index";
}
@GetMapping("home")
public String home() {
return "home";
}
@GetMapping("loginPage")
public String loginPage() {
return "loginPage";
}
@GetMapping("anonymous")
public String anonymous() {
return "anonymous";
}
@GetMapping("authentication")
public String authentication(Authentication authentication) {
if (authentication instanceof AnonymousAuthenticationToken) {
return "anonymous";
} else {
return "not anonymous";
}
}
@GetMapping("/anonymousContext")
public String anonymousContext(@CurrentSecurityContext SecurityContext context){
return context.getAuthentication().getName();
}
@GetMapping("logoutSuccess")
public String logoutSuccess() {
return "logoutSuccess";
}
@GetMapping("invalidSessionUrl")
public String invalidSessionUrl() {
return "invalidSessionUrl";
}
@GetMapping("expiredUrl")
public String expiredUrl() {
return "expiredUrl";
}
@GetMapping("hello")
public String sayHello() {
return "Hello, CORS and CSRF Test!";
}
// CSRF 토큰을 확인하는 엔드포인트
@GetMapping("/csrf-token")
public String getCsrfToken(CsrfToken csrfToken) {
return "CSRF Token: " + csrfToken.getToken();
}
// CSRF 보호가 적용된 POST 요청 엔드포인트
@PostMapping("/submit-csrf")
public String submitWithCsrf() {
return "Form submitted successfully with CSRF protection!";
}
}p101
SecurityConfig9.java
//세션관리, 세션 고정 공격 방지
package io.securitylecture.springsecuritylecture.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
@EnableWebSecurity
@Configuration
public class SecurityConfig9 {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(auth -> auth
.anyRequest().authenticated())
.formLogin(Customizer.withDefaults());
// .sessionManagement(session -> session
// .sessionFixation(sessionFixation -> sessionFixation.changeSessionId())
// ); //changeSessionId가 기본값이기 때문에 주석처리해도 자동으로 설정됨
return http.build();
}
@Bean
public UserDetailsService userDetailsService(){
UserDetails user = User.withUsername("user")
.password("{noop}111")
.roles("USER").build();
return new InMemoryUserDetailsManager(user);
}
}p115 - p116
SecurityConfig10.java
//세션관리, 세션 생성 정책
package io.securitylecture.springsecuritylecture.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
@EnableWebSecurity
@Configuration
public class SecurityConfig10 {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf((auth) -> auth.disable()) //SessionID 생성되지 않도록 하기 위함
.authorizeHttpRequests(auth -> auth
.anyRequest().authenticated())
.formLogin(Customizer.withDefaults())
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
);
return http.build();
}
@Bean
public UserDetailsService userDetailsService(){
UserDetails user = User.withUsername("user")
.password("{noop}111")
.roles("USER").build();
return new InMemoryUserDetailsManager(user);
}
}Last updated