보안/Spring Security

[실습] 권한별로 접근 페이지 제어하기 - 스프링EL로 변경하기

무적강사 2019. 9. 10. 10:13

앞에서 작업했던 내용을 스프링 EL을 적용하여 변경하세요. security-config_ver4.xml로 SaveAs 하고 작업하세요.

 

[조건]

1. 로그아웃(/emp/logout.do)

인증한 사용자만 접근할 수 있어야 합니다. - ROLE_ADMIN, ROLE_USER

 

2. 게시글목록보기 (/board/list.do, /board/ajax_boardlist.do)

인증을 받거나 받지 않거나 모두 볼 수 있도록 설정

 -  ROLE_ADMIN, ROLE_USER, ROLE_ANONYMOUS

 

3. /emp/로 시작하는 모든 요청

관리자 권한을 갖고 있는 사용자만 접근할 수 있도록 설정하기 - ROLE_ADMIN (단, 로그인 페이지 /emp/login과 1번의 로그아웃 URL은 더 앞에 선언한 규칙이 먼저 적용됩니다.)

 

<?xml version="1.0" encoding="UTF-8"?>
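<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.2.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
	<!-- Static resources. security="none" removes these paths from the security filter
	     chain altogether, so nothing sensitive should ever be served under them. -->
	<security:http pattern="/**/*.js" security="none" />
	<security:http pattern="/**/*.css" security="none" />
	<security:http pattern="/images/**" security="none" />

	<!-- Main filter chain. use-expressions="true" makes every access attribute below a
	     Spring EL expression (hasRole, hasAnyRole, permitAll). intercept-url rules are
	     checked top to bottom and the first matching pattern decides, so narrow patterns
	     must be declared before the broad ones that would otherwise swallow them. -->
	<!-- NOTE(review): there is no security:csrf element in this chain. In the 3.2 XML
	     namespace CSRF protection is opt-in, so state-changing requests (including
	     logout) are not token-protected; enabling it also requires the forms to send
	     the token. Confirm this is an accepted gap for the exercise. -->
	<security:http auto-config="true" use-expressions="true">
		<!-- <security:intercept-url pattern="/images/**" access="ROLE_ANONYMOUS"/> -->
		<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />

		<!-- The login page and the login-failure URL must be reachable before
		     authentication. Without the second rule the failure redirect to
		     /emp/login.do would fall under the admin-only /emp/ rule below and the
		     fail=true flag would be lost in a second redirect. -->
		<security:intercept-url pattern="/emp/login" access="permitAll" />
		<security:intercept-url pattern="/emp/login.do" access="permitAll" />

		<!-- Condition 1: logout is for authenticated users (ROLE_USER or ROLE_ADMIN).
		     NOTE(review): the logout filter runs earlier in the chain than the
		     URL authorization check, so the request is normally consumed by that
		     filter before this rule is consulted; treat the rule as a statement
		     of intent rather than the enforcing control. -->
		<security:intercept-url pattern="/emp/logout.do" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

		<!-- Condition 3: every request under /emp/ is admin-only. The pattern is
		     /emp/** (any depth), not /emp/* (one path segment only), and it is placed
		     ahead of the /**/user/** rule so that a deeper path such as
		     /emp/user/... cannot be reached with ROLE_USER alone. -->
		<security:intercept-url pattern="/emp/**" access="hasRole('ROLE_ADMIN')" />

		<security:intercept-url pattern="/index.do" access="permitAll" />
		<security:intercept-url pattern="/**/user/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

		<!-- Condition 2: only the two board list endpoints are public. Any other
		     /board/ URL falls through to the catch-all rule and requires a login. -->
		<security:intercept-url pattern="/board/list.do" access="permitAll" />
		<security:intercept-url pattern="/board/ajax_boardlist.do" access="permitAll" />

		<!-- Catch-all: anything not matched above requires an authenticated user. -->
		<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

		<!-- Form login: the login form posts the fields "id" and "pass". -->
		<security:form-login username-parameter="id"
			password-parameter="pass" login-page="/emp/login" default-target-url="/index.do"
			authentication-failure-url="/emp/login.do?fail=true" />

		<!-- delete-cookies takes a comma-separated list of cookie NAMES, not a boolean;
		     the value "true" would only target a cookie literally named "true".
		     JSESSIONID assumes the container's default session cookie name. -->
		<security:logout delete-cookies="JSESSIONID"
			logout-success-url="/emp/login" logout-url="/emp/logout.do"
			invalidate-session="true" />
	</security:http>

	<!-- Authentication is delegated to the loginService bean declared below. -->
	<security:authentication-manager>
		<security:authentication-provider user-service-ref="loginService">
		</security:authentication-provider>
	</security:authentication-manager>
	<bean id="loginService" class="ktds.erp.emp.authentication.SecurityLoginService" />
	<import resource="spring-config.xml" />
</beans>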