Last time I posted about applying CSRF protection in Spring Boot, but the way to apply it in plain Spring is different, so here is another post!
- Register the DispatcherServlet in web.xml. The url-pattern below maps every *.do request to it, which is why the interceptor later in this post is mapped to /**/*.do.
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>*.do</url-pattern>
</servlet-mapping>
- In servlet-context.xml, register as a bean the class that automatically adds the CSRF hidden field to every form. The bean id must be exactly requestDataValueProcessor, because that is the bean name Spring's form tags and RedirectView look up.
<beans:bean id="requestDataValueProcessor" class="com.xxxx.framework.processor.CSRFRequestDataValueProcessor"/>
- CSRFRequestDataValueProcessor.java
- The class that automatically adds the CSRF hidden field; it must implement RequestDataValueProcessor.
package com.xxxx.framework.processor;

import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.support.RequestDataValueProcessor;

public class CSRFRequestDataValueProcessor implements RequestDataValueProcessor {

    // Called by the <form:form> tag while a form is rendered: every entry of the
    // returned map is written into the form as an <input type="hidden"> field.
    @Override
    public Map<String, String> getExtraHiddenFields(HttpServletRequest request) {
        Map<String, String> hiddenFields = new HashMap<String, String>();
        HttpSession session = request.getSession(false);
        if (session == null) {
            // no session yet, so there is nothing to bind a token to: no field is added
            return hiddenFields;
        }
        // A fresh token is generated on every form render and replaces the one stored
        // in the session, so only the most recently rendered form will validate.
        String token = UUID.randomUUID().toString().replaceAll("-", "");
        // FrameworkConstants is the project's own constants class (not shown in this post):
        // CSRF_TOKEN_NAME is the session attribute name, CSRF_PARAM_NAME the form parameter name.
        session.setAttribute(FrameworkConstants.CSRF_TOKEN_NAME, token);
        hiddenFields.put(FrameworkConstants.CSRF_PARAM_NAME, token);
        return hiddenFields;
    }

    // The remaining callbacks are pass-throughs and must return the value they were
    // given. Returning null here (as the first version of this class did) makes
    // Spring's form tags, url tags and RedirectView emit null actions, values and URLs.
    // This is the Spring 3.x signature; Spring 4 adds a third httpMethod parameter.
    @Override
    public String processAction(HttpServletRequest request, String action) {
        return action;
    }

    @Override
    public String processFormFieldValue(HttpServletRequest request, String name, String value, String type) {
        return value;
    }

    @Override
    public String processUrl(HttpServletRequest request, String url) {
        return url;
    }
}
- Register the CSRF-check interceptor in servlet-context.xml.
<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/**/*.do"/>
        <beans:bean class="com.xxx.framework.interceptor.CSRFInterceptor">
            <beans:property name="excludeURLs">
                <beans:array value-type="java.lang.String">
                    <beans:value>login.do</beans:value>
                    <beans:value>logout.do</beans:value>
                    <beans:value>view.do</beans:value>
                </beans:array>
            </beans:property>
        </beans:bean>
    </mvc:interceptor>
</mvc:interceptors>
- login.do, logout.do and view.do are not CSRF-checked!
- You can register URLs or patterns that should not be CSRF-checked, and then write the logic in the CSRF interceptor so that those URLs are skipped.
- CSRFInterceptor.java
package com.xxx.framework.interceptor;

import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class CSRFInterceptor extends HandlerInterceptorAdapter {

    private final Logger log = Logger.getLogger(this.getClass().getName());

    private String excludeURL;
    // initialised to an empty array so isExcludeURL never sees null if the property is not set
    private String[] excludeURLs = new String[0];

    // Runs before the controller. Only POST requests to non-excluded URLs are checked;
    // a failed check answers 403 and returns false, which stops the handler chain.
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        boolean result = true;
        if (request.getMethod() == null) {
            return result;
        }
        if (!request.getMethod().equalsIgnoreCase("post")) {
            // GET, HEAD etc. are never checked, so state-changing actions must use POST
            return result;
        } else {
            if (!isExcludeURL(request.getRequestURI())) {
                if (!this.verifyCSRFToken(request)) {
                    this.log.error("Incorrect CSRF value");
                    response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad Request");
                    result = false;
                }
            }
        }
        return result;
    }

    // Compares the token stored in the session with the one posted from the form.
    // A session that holds no token passes (result stays true): a POST is only
    // protected once a form has been rendered through the RequestDataValueProcessor.
    private boolean verifyCSRFToken(HttpServletRequest request) {
        boolean result = true;
        if (request.getSession().getAttribute(FrameworkConstants.CSRF_TOKEN_NAME) != null) {
            String sessionToken = (String) request.getSession().getAttribute(FrameworkConstants.CSRF_TOKEN_NAME);
            String paramToken = request.getParameter(FrameworkConstants.CSRF_PARAM_NAME);
            if (paramToken == null || !sessionToken.equals(paramToken)) {
                this.log.debug("Incorrect CSRF value");
                result = false;
            }
        }
        return result;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        super.postHandle(request, response, handler, modelAndView);
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
            throws Exception {
        super.afterCompletion(request, response, handler, ex);
    }

    // Substring match against the whole request URI: an entry such as "view.do" also
    // excludes "/preview.do" or "/admin/review.do", so keep the entries specific.
    // A null URI is treated as excluded.
    private boolean isExcludeURL(String url) {
        boolean result = false;
        if (url == null) {
            return true;
        }
        url = url.toLowerCase();
        for (int i = 0; i < this.excludeURLs.length; i++) {
            if (url.indexOf(this.excludeURLs[i].toLowerCase()) < 0) {
                continue;
            }
            result = true;
            break;
        }
        return result;
    }

    public String getExcludeURL() {
        return excludeURL;
    }

    public void setExcludeURL(String excludeURL) {
        this.excludeURL = excludeURL;
    }

    public String[] getExcludeURLs() {
        return excludeURLs.clone();
    }

    // Called by Spring with the <beans:array> from servlet-context.xml; a defensive copy
    // is kept so later changes to the caller's array cannot alter the exclusion list.
    public void setExcludeURLs(String[] excludeURLs) {
        if (excludeURLs == null) {
            this.excludeURLs = new String[0];
        } else {
            this.excludeURLs = Arrays.copyOf(excludeURLs, excludeURLs.length);
        }
    }
}
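As an added example that is not part of the original post or the project's code, the two checks from the interceptor above are written here as plain static methods so their behaviour can be seen without a servlet container. excludedBySubstring reproduces the interceptor's indexOf test on the exclude list; excludedByPattern matches the same list as Ant-style path patterns with Spring's AntPathMatcher (spring-core on the classpath), which is the syntax the mvc:mapping element already uses, so "/view.do" no longer excludes "/preview.do"; tokensMatch compares the session and form tokens with MessageDigest.isEqual instead of String.equals and treats a missing session token as a failure rather than a pass. The class name, the sample paths and the sample tokens are my own constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;

import org.springframework.util.AntPathMatcher;

// Added example, not part of the original post: the interceptor's exclude and
// token checks as static methods, runnable from main() without a container.
public class CsrfCheckDemo {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Same rule as isExcludeURL on the page: an entry excludes the request if it
    // occurs anywhere in the lower-cased request URI.
    static boolean excludedBySubstring(String requestUri, List<String> excludes) {
        String lower = requestUri.toLowerCase();
        for (String entry : excludes) {
            if (lower.indexOf(entry.toLowerCase()) >= 0) {
                return true;
            }
        }
        return false;
    }

    // Path-pattern rule: each entry is an Ant-style pattern (the same syntax as
    // <mvc:mapping path="/**/*.do"/>) matched against the path within the application.
    static boolean excludedByPattern(String pathWithinApp, List<String> patterns) {
        for (String pattern : patterns) {
            if (MATCHER.match(pattern, pathWithinApp)) {
                return true;
            }
        }
        return false;
    }

    // Token comparison that does not stop at the first differing byte; a missing
    // session token or form parameter is a failure, not a pass.
    static boolean tokensMatch(String sessionToken, String paramToken) {
        if (sessionToken == null || paramToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                paramToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample data: the post's three exclude entries, once as substrings
        // and once as full path patterns, plus a few request paths to run them against.
        List<String> substringExcludes = Arrays.asList("login.do", "logout.do", "view.do");
        List<String> patternExcludes = Arrays.asList("/login.do", "/logout.do", "/view.do");
        String[] paths = { "/login.do", "/view.do", "/preview.do", "/admin/review.do", "/edit.do" };

        System.out.println("path               substring  pattern");
        for (String path : paths) {
            System.out.printf("%-18s %-10b %-10b%n", path,
                    excludedBySubstring(path, substringExcludes),
                    excludedByPattern(path, patternExcludes));
        }

        // Constructed sample tokens in the shape the processor generates (UUID without dashes).
        String sessionToken = "3f2504e04f8911d39a0c0305e82c3301";
        System.out.println("same token     : " + tokensMatch(sessionToken, "3f2504e04f8911d39a0c0305e82c3301"));
        System.out.println("tampered token : " + tokensMatch(sessionToken, "3f2504e04f8911d39a0c0305e82c3302"));
        System.out.println("no session tok : " + tokensMatch(null, "3f2504e04f8911d39a0c0305e82c3301"));
    }
}
```

If the pattern form is used inside the interceptor, pass it the path within the application (for example `new UrlPathHelper().getPathWithinApplication(request)` from spring-web) rather than `request.getRequestURI()`, which still carries the context path and would not match a pattern like "/view.do".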
Spring Boot is definitely much simpler.. so convenient!