
[Spring Security] 권한 체크

// 권한 체크


- add.do, addok.do, edit.do, editok.do, del.do, delok.do > 인증 사용자만 접근

1. servlet-context.xml > namespaces 설정(security) & security:global-method-security 추가

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
		http://www.springframework.org/schema/mvc https://www.springframework.org/schema/mvc/spring-mvc.xsd
		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
		http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd">

   <!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
   
   <!-- Enables the Spring MVC @Controller programming model -->
   <annotation-driven />

   <!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
   <resources mapping="/resources/**" location="/resources/" />

   <!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
   <beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
      <beans:property name="prefix" value="/WEB-INF/views/" />
      <beans:property name="suffix" value=".jsp" />
   </beans:bean>
   
   <context:component-scan base-package="com.test.board" />
   <context:component-scan base-package="com.test.controller" />
   <context:component-scan base-package="com.test.service" />
   
   <!-- Turns on @PreAuthorize/@PostAuthorize for beans of THIS context. Method
        security only applies to beans created in the context where it is declared,
        so it covers the controllers and services scanned above; a @PreAuthorize on a
        bean that lives in another application context (e.g. the root context) is
        not enforced by this line and needs its own declaration there. -->
   <security:global-method-security pre-post-annotations="enabled"/>
   
   
</beans:beans>


2. com.test.controller > BoardController > 원하는 메소드에 @PreAuthorize 달기

package com.test.controller;

import java.security.Principal;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

import com.test.domain.BoardDTO;
import com.test.service.BoardService;

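@Controller
public class BoardController {

	/**
	 * View returned when the caller is logged in but does not own the post.
	 * A redirect keeps this change stdlib-only; throwing Spring Security's
	 * AccessDeniedException instead would let the security filter answer 403.
	 */
	private static final String DENIED = "redirect:/board/list.do";

	@Autowired
	private BoardService service;

	/** Lists every post; no authentication required. */
	@GetMapping("/board/list.do")
	public String list(Model model) {
		model.addAttribute("list", service.list());
		return "board/list";
	}

	/** Shows the write form; any authenticated user may post. */
	@PreAuthorize("isAuthenticated()")
	@GetMapping("/board/add.do")
	public String add() {
		return "board/add";
	}

	/**
	 * Stores a new post and returns to the list.
	 *
	 * NOTE(review): the author id is whatever the form posted in {@code dto}; it
	 * should be overwritten from the authenticated principal once BoardDTO's id
	 * setter is confirmed, otherwise a client can post under another user's id.
	 */
	@PreAuthorize("isAuthenticated()")
	@PostMapping("/board/addok.do")
	public String addok(BoardDTO dto) {
		service.add(dto);
		return "redirect:/board/list.do";
	}

	/** Shows one post; no authentication required. */
	@GetMapping("/board/view.do")
	public String view(Model model, String seq) {
		model.addAttribute("dto", service.get(seq));
		return "board/view";
	}

	/**
	 * Shows the edit form for a post the caller owns.
	 *
	 * Ownership is decided against the stored post (see {@link #ownedPost}), not
	 * against a request parameter: the former SpEL expression compared
	 * {@code principal.username} with {@code #id}, a value the client supplies,
	 * and this method did not even declare an {@code id} parameter, so the
	 * expression could never match.
	 *
	 * @param principal the authenticated user, injected by Spring MVC
	 */
	@PreAuthorize("isAuthenticated()")
	@GetMapping("/board/edit.do")
	public String edit(Model model, String seq, Principal principal) {
		BoardDTO dto = ownedPost(seq, principal);
		if (dto == null) {
			return DENIED;
		}
		model.addAttribute("dto", dto);
		return "board/edit";
	}

	/**
	 * Applies an edit. The stored post must belong to the caller; previously only
	 * authentication was checked here, so any logged-in user could edit any post.
	 */
	@PreAuthorize("isAuthenticated()")
	@PostMapping("/board/editok.do")
	public String editok(BoardDTO dto, Principal principal) {
		// String.valueOf() keeps this correct whether seq is numeric or a String.
		if (ownedPost(String.valueOf(dto.getSeq()), principal) == null) {
			return DENIED;
		}
		service.edit(dto);
		return "redirect:/board/view.do?seq=" + dto.getSeq();
	}

	/** Shows the delete confirmation for a post the caller owns. */
	@PreAuthorize("isAuthenticated()")
	@GetMapping("/board/del.do")
	public String del(Model model, String seq, Principal principal) {
		if (ownedPost(seq, principal) == null) {
			return DENIED;
		}
		model.addAttribute("seq", seq);
		return "board/del";
	}

	/** Deletes a post the caller owns; previously any logged-in user could delete any seq. */
	@PreAuthorize("isAuthenticated()")
	@PostMapping("/board/delok.do")
	public String delok(String seq, Principal principal) {
		if (ownedPost(seq, principal) == null) {
			return DENIED;
		}
		service.del(seq);
		return "redirect:/board/list.do";
	}

	/**
	 * Loads the post identified by {@code seq}.
	 *
	 * @return the post when it exists and its id equals the principal's name,
	 *         otherwise {@code null} (missing post, no principal, or not the owner)
	 */
	private BoardDTO ownedPost(String seq, Principal principal) {
		BoardDTO dto = service.get(seq);
		if (dto == null || principal == null || dto.getId() == null) {
			return null;
		}
		return dto.getId().equals(principal.getName()) ? dto : null;
	}

}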


3. views > board > list.jsp > 글쓰기 버튼 <sec:authorize>로 감싸기

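<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix = "c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix = "sec" uri="http://www.springframework.org/security/tags" %>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>list.jsp</title>
<link rel="stylesheet" href="https://me2.do/5BvBFJ57">
<style>

</style>
</head>
<body>

	<%@ include file="/WEB-INF/views/inc/header.jsp" %>
	
	<h2>Board <small>list</small></h2>	
	
	<table>
		<tr>
			<th>번호</th>
			<th>제목</th>
			<th>날짜</th>
			<th>아이디</th>
		</tr>
		<%-- ${...} does not HTML-escape, so user-written fields (subject, id) go
		     through <c:out>; the link is built with <c:url>/<c:param> so seq is
		     URL-encoded rather than pasted into the href. --%>
		<c:forEach items="${list}" var="dto">
		<c:url var="viewUrl" value="/board/view.do"><c:param name="seq" value="${dto.seq}"/></c:url>
		<tr>
			<td><c:out value="${dto.seq}"/></td>
			<td><a href="${viewUrl}"><c:out value="${dto.subject}"/></a></td>
			<td><c:out value="${dto.regdate}"/></td>
			<td><c:out value="${dto.id}"/></td>
		</tr>
		</c:forEach>
	</table>
	
	<div>
		<%-- Only hides the button; the actual access control is the
		     @PreAuthorize on BoardController's add.do handler. --%>
		<sec:authorize access="isAuthenticated()">
		<button type="button" class="add" onclick="location.href='/board/add.do'">글쓰기</button>
		</sec:authorize>		
	</div>

<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.4/jquery.min.js"></script>
<script>

</script>
</body>
</html>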


4. views > board > view.jsp > 수정, 삭제 버튼 <sec:authorize>로 감싸기

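<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix = "c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix = "sec" uri="http://www.springframework.org/security/tags" %>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>view.jsp</title>
<link rel="stylesheet" href="https://me2.do/5BvBFJ57">
<style>

</style>
</head>
<body>

	<%@ include file="/WEB-INF/views/inc/header.jsp" %>
	
	<h2>Board <small>view</small></h2>
	
	<%-- ${...} does not HTML-escape; every user-written field goes through
	     <c:out> so markup in a subject or content is shown as text. --%>
	<table class="vertical">
		<tr>
			<th>번호</th>
			<td><c:out value="${dto.seq}"/></td>
		</tr>
		<tr>
			<th>아이디</th>
			<td><c:out value="${dto.id}"/></td>
		</tr>
		<tr>
			<th>제목</th>
			<td><c:out value="${dto.subject}"/></td>
		</tr>
		<tr>
			<th>내용</th>
			<td><c:out value="${dto.content}"/></td>
		</tr>
		<tr>
			<th>날짜</th>
			<td><c:out value="${dto.regdate}"/></td>
		</tr>
	</table>
	<div>
		<button type="button" class="back" onclick="location.href='/board/list.do';">돌아가기</button>
		
		<%-- The previous access expression referenced #dto.id, but page-scope
		     attributes are not SpEL variables inside <sec:authorize>, so the
		     comparison cannot see the post's id. Inlining ${dto.id} into the
		     expression string is not a fix either: a quote in an id would break
		     (or change) the expression. Read the login id into a page variable
		     and compare with JSTL instead. These tags only hide the buttons; the
		     real ownership check belongs in BoardController. --%>
		<sec:authorize access="isAuthenticated()">
			<sec:authentication property="principal.username" var="loginId"/>
			<sec:authorize access="hasRole('ROLE_ADMIN')" var="isAdmin"/>
			<c:if test="${isAdmin or loginId eq dto.id}">
				<c:url var="editUrl" value="/board/edit.do"><c:param name="seq" value="${dto.seq}"/><c:param name="id" value="${dto.id}"/></c:url>
				<c:url var="delUrl" value="/board/del.do"><c:param name="seq" value="${dto.seq}"/><c:param name="id" value="${dto.id}"/></c:url>
				<button type="button" class="edit" onclick="location.href='${editUrl}';">수정하기</button>
				<button type="button" class="del" onclick="location.href='${delUrl}';">삭제하기</button>
			</c:if>
		</sec:authorize>
		
	</div>	

<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.4/jquery.min.js"></script>
<script>

</script>
</body>
</html>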