spring security LoginUrlAuthenticationEntryPoint - slahsk/study GitHub Wiki

session λŠκΈ΄ν›„ ajax λ₯Ό ν˜ΈμΆœν•˜λ©΄ μƒνƒœκ°’μ΄ 200 λ–¨μ–΄μ§€λ©΄μ„œ μ •μƒμ²˜λ¦¬ λœλ‹€.

이λ₯Ό 처리 ν•˜κΈ° μœ„ν•΄μ„œ LoginUrlAuthenticationEntryPoint μ—μ„œ commence λ©”μ†Œλ“œλ₯Ό μ˜€λ²„λΌλ”© ν•΄ν•œλ‹€.

AuthenticationException or AccessDeniedException

λ°œμƒμ‹œ ExceptionTranslationFilter μ—μ„œ 처리 ν•˜λŠ”λ“― ν•˜λ‹€.

AccessDeniedException λ°œμƒμ‹œ url 검사λ₯Ό ν•˜μ—¬ ajax 포함 ν•˜κ³  있으면 response header μƒνƒœκ°’μ„ 403 으둜 λ³€ν™”μ‹œν‚¨λ‹€

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
    
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
   
public class AjaxAwareAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint{
  public AjaxAwareAuthenticationEntryPoint(String loginUrl) {
    super(loginUrl);
  }
    
  @Override
  public void commence(
    HttpServletRequest request, 
    HttpServletResponse response, 
    AuthenticationException authException) 
    throws IOException, ServletException {

    boolean isAjax = request.getRequestURI().contains("ajax");

    if (isAjax) {
      response.sendError(403, "Forbidden");
    } else {
      super.commence(request, response, authException);
    }
  }
}

ExceptionTranslationFilter 에 λ“±λ‘ν•΄μ„œ μ‚¬μš© ν•˜μ§€λ§Œ κ°„λ‹¨ν•˜κ²Œ μ‚¬μš©μ‹œ

    <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
     <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
     <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
    </bean>
    
    <bean id="authenticationEntryPoint"
         class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
     <property name="loginFormUrl" value="/login.jsp"/>
    </bean>
    
    <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
      <property name="errorPage" value="/accessDenied.htm"/>
    </bean>
<http auto-config="true" entry-point-ref="ajaxAwareAuthenticationEntryPoint">
....
</http>
⚠️ **GitHub.com Fallback** ⚠️