05. spring security sha256 암호화 적용하기

niee
Written by niee on

  • spring security 에서는 기본적으로 아래와 같은 암호화 모듈을 제공하고 있다.
BaseDigestPasswordEncoder
BasePasswordEncoder
LdapShaPasswordEncoder
Md4PasswordEncoder
Md5PasswordEncoder
MessageDigestPasswordEncoder
PlaintextPasswordEncoder
ShaPasswordEncoder

참조 문서 :http://docs.spring.io/autorepo/docs/spring-security/3.1.6.RELEASE/apidocs/org/springframework/security/authentication/encoding/package-summary.html

  • 이중에서 ShaPasswordEncoder​ 를 이용해 비밀번호를 sha256 암호화를 적용해 보도록 하겠다.

  • 이번에는 DB insert를 위해 mybatis를 연동하였다.

  • security.xmlShaPasswordEncoder​ bean등록 ​
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
  <beans:constructor-arg name="strength" value="256"></beans:constructor-arg>
</beans:bean>
  • ​authentication-provider에 사용자 인증시 비밀번호 암호화빈 등록​
<authentication-manager>
 <authentication-provider user-service-ref="userService">
  <password-encoder ref="passwordEncoder"/>
 </authentication-provider>
</authentication-manager>
  • 회원 가입 jsp생성(귀찮아서 로그인 페이지에 폼을 두개만들어 처리함)
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="<c:url value="/resources/css/main.css"/>">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
${errMsg }
<form action='<c:url value="/user/login"/>' method="post">
 <input type="text" name="email" id="email"/>
 <input type="password" name="passwd" id="passwd"/>
 <input type="submit" value="로그인">
</form>
<form action='<c:url value="/user/insertUser"/>' method="post">
 <input type="text" name="email" id="email"/>
 <input type="password" name="passwd" id="passwd"/>
 <select name="authority">
  <option value="ROLE_USER">사용자</option>
  <option value="ROLE_ADMIN">관리자</option>
 </select>
 <input type="submit" value="회원가입">
</form>
</body>
</html>
  • 회원 가입시 비밀번호 암호화를 위한 Service ​class생성
package com.min.study.core.util;

import javax.annotation.Resource;

import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.stereotype.Service;

@Service("shaEncoder")
public class ShaEncoder {

 @Resource(name="passwordEncoder")
 private ShaPasswordEncoder encoder;

 public String encoding(String str){
  return encoder.encodePassword(str,null);
 }
}
  • pom.xml에 mybatis추가
<!-- MyBatis -->
<dependency>
 <groupId>org.mybatis</groupId>
 <artifactId>mybatis</artifactId>
 <version>3.1.1</version>
</dependency>

<dependency>
 <groupId>org.mybatis</groupId>
 <artifactId>mybatis-spring</artifactId>
 <version>1.1.1</version>
</dependency>
  • resource폴더에 sqlmap폴더 생성 후 mybatis.xml생성
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE configuration PUBLIC "-//mybatis.org//DTD Config 3.0//EN" "HTTP://mybatis.org/dtd/mybatis-3-config.dtd">

<configuration>
 <settings>
   <setting name="cacheEnabled" value="true"/>
   <setting name="lazyLoadingEnabled" value="false"/>
   <setting name="multipleResultSetsEnabled" value="true"/>
   <setting name="useColumnLabel" value="true"/>
   <setting name="useGeneratedKeys" value="false"/>
   <setting name="autoMappingBehavior" value="PARTIAL"/>
   <setting name="defaultExecutorType" value="SIMPLE"/>
   <setting name="defaultStatementTimeout" value="25"/>
   <setting name="safeRowBoundsEnabled" value="false"/>
   <setting name="mapUnderscoreToCamelCase" value="false"/>
   <setting name="localCacheScope" value="SESSION"/>
   <setting name="jdbcTypeForNull" value="OTHER"/>
   <setting name="lazyLoadTriggerMethods" value="equals,clone,hashCode,toString"/>
 </settings>

 <typeAliases>
  <typeAlias type="java.util.Map" alias="map"/>
 </typeAliases>

</configuration>
  • datasource-context.xmlmybatis SqlSessionFactoryBean 등록 및 트랜잭션 선언
 <bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
  <property name="dataSource" ref="dataSource" />
  <property name="configLocation" value="classpath:sqlmap/mybatis.xml" />
  <property name="mapperLocations" value="classpath:sqlmap/*/*.xml" />
 </bean>

 <tx:annotation-driven transaction-manager="transactionManager"/>
 <bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
  <property name="dataSource" ref="dataSource"></property>
 </bean>

 <bean id="sqlSession" class="org.mybatis.spring.SqlSessionTemplate">
  <constructor-arg index="0" ref="sqlSessionFactory" />
 </bean>
  • 회원 가입을 위한 DAO service생성 및 impl클레스 구현
package com.min.study.user.dao;

import java.util.Map;

public interface UserDaoService {
 public int insertUser(Map<String, String> paramMap);
}

package com.min.study.user.dao;

import java.util.Map;

import org.mybatis.spring.support.SqlSessionDaoSupport;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service("userDaoService")
public class UserDaoServiceImpl extends SqlSessionDaoSupport implements UserDaoService {

 @Override
 @Transactional
 public int insertUser(Map<String, String> paramMap) {
  // TODO Auto-generated method stub
  return getSqlSession().insert("user.insertUser",paramMap);
 }

}
  • sql query.xml생성(예제는 sqlmap/mysql/user.xml)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="user">
 <insert id="insertUser">
  INSERT INTO USER
  VALUES(#{email},#{passwd},1,#{authority})
 </insert>
</mapper>
  • usercontroller암호화 서비스 & daoservice 주입 및 가입시 비밀번호 암호화 설정
ex)

package com.min.study.user.web;

import java.util.HashMap;
import java.util.Map;

import javax.annotation.Resource;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

import com.min.study.core.util.ShaEncoder;
import com.min.study.user.dao.UserDaoServiceImpl;

@Controller
public class UserController {

 private static final Logger logger = LoggerFactory.getLogger(UserController.class);

 @Resource(name="shaEncoder")
 private ShaEncoder encoder;

 @Resource(name="userDaoService")
 private UserDaoServiceImpl dao;

 @RequestMapping("/user/loginPage")
 public String loginPage(){
  return "/user/loginPage";
 }

 @RequestMapping(value = "/user/insertUser",method=RequestMethod.POST)
 public String insertUser(@RequestParam("email")String email, @RequestParam("passwd")String passwd, @RequestParam("authority")String authority){
  String dbpw = encoder.encoding(passwd);
  Map<String, String> paramMap = new HashMap<String, String>();
  paramMap.put("email", email);
  paramMap.put("passwd", dbpw);
  paramMap.put("authority", authority);
  int result = dao.insertUser(paramMap);
  logger.info("result ===> {}", result);
  return "/user/loginPage";
 }

}
  • 회원가입 & 인증 확인.
ex)패스워드가 test인 경우 sha256 암호화를 하면 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 이다.

소스확인 : https://github.com/ParkMinKyu/security

Comments

comments powered by Disqus

Explore more like this

spring-security security 암호화 sha256 암호화 spring-security

11. spring security 비밀번호 salt 암호화 하기

앞에 포스팅에서 sha256을 이용한 비밀번호 암호화에 대해 알아 봤다. 다른 암호화도 대부분 마찬가지지만, 비밀 번호를 암호화 했다고 해도 DB에 저장 됐을때 같은 암호면 암호화된 형태(hash값이)가 같다.

niee niee 25 Jan 2017

10. spring security 권한 없는 사용자 접근시 처리 방법

지금 까지는 권한이 없는 사용자가 접근을 하게 되면 따로 설정을 하지않아 아래와 같은페이지로 이동을 했다.

niee niee 25 Jan 2017

09. spring security @Secured 어노테이션을 사용하여 접근 권한 부여

접근 권한을 부여 할 때 security-context.xml에 직접선언을 할 수 있지만, @Secured어노테이션을 사용하면 좀 더 편하고 직관적인 권한 부여가 가능하다.

niee niee 25 Jan 2017