WebSecurityConfig.java 3.3 KB

  1. package com.its.pis.webapp.config;
  2. import com.its.pis.webapp.security.SessionListener;
  3. import com.its.pis.webapp.service.UserService;
  4. import org.springframework.context.annotation.Bean;
  5. import org.springframework.context.annotation.Configuration;
  6. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  7. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  8. import org.springframework.security.config.annotation.web.builders.WebSecurity;
  9. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  10. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  11. import org.springframework.security.config.http.SessionCreationPolicy;
  12. import org.springframework.security.core.session.SessionRegistry;
  13. import org.springframework.security.core.session.SessionRegistryImpl;
  14. import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
  15. import javax.servlet.http.HttpSessionListener;
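/**
 * Spring Security configuration for the admin web UI: form login backed by
 * {@link UserService}, every non-static route restricted to {@code ROLE_ADMIN},
 * and concurrent-session control through an in-memory {@link SessionRegistry}.
 *
 * <p>Security posture a maintainer should know before touching this class:
 * <ul>
 *   <li>CSRF protection is disabled ({@code http.csrf().disable()}) even though
 *       the app authenticates with a session cookie. See the comment at that line.</li>
 *   <li>Swagger UI / API docs and {@code /ws/**} are reachable without a login.</li>
 *   <li>No {@code PasswordEncoder} is wired here. With Spring Security 5 the
 *       DaoAuthenticationProvider then defaults to the delegating encoder, which
 *       expects "{id}"-prefixed hashes — TODO confirm against how
 *       {@code UserService} stores passwords.</li>
 * </ul>
 */
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Loads users for authentication; it is passed as a {@code UserDetailsService} below. */
    private final UserService userService;

    public WebSecurityConfig(UserService userService) {
        this.userService = userService;
    }

    /**
     * Static assets bypass the security filter chain entirely. This also means
     * they receive none of Spring Security's default response headers.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/js/**", "/img/**", "/lib/**");
    }

    /**
     * Authorization, form login, logout, access-denied and session rules.
     *
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): CSRF is disabled for a cookie-session, form-login app, so any
        // state-changing request (including the GET /logout accepted below) can be
        // forged by a third-party page. Prefer re-enabling it and exempting only the
        // paths that genuinely need it, e.g. http.csrf().ignoringAntMatchers("/ws/**").
        // That requires every HTML form (login included) to submit the _csrf token,
        // which cannot be verified from this file, so the line is left as-is.
        http.csrf().disable();

        http
            .authorizeRequests()
                // Swagger UI and API docs are open to anonymous users. This exposes the
                // API surface; restrict to ADMIN (or disable in production) if that is
                // not intended.
                .antMatchers("/swagger-ui.html", "/swagger/**", "/swagger-resources/**",
                             "/webjars/**", "/v2/api-docs").permitAll()
                // WebSocket endpoints are not protected at the HTTP layer. Whether the
                // messages themselves are authorized depends on the WebSocket/STOMP
                // configuration, which is not visible here.
                .antMatchers("/ws/**").permitAll()
                // Everything else requires ROLE_ADMIN ("/index" is covered by "/**").
                .antMatchers("/**").hasRole("ADMIN")
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/index")
                // Failed logins land on the same page used for access-denied errors.
                .failureUrl("/denied")
                // permitAll() here also opens /login, the login-processing URL and /denied.
                .permitAll()
                .and()
            .logout()
                // Matches any HTTP method, so a plain GET link logs the user out.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login")
                .invalidateHttpSession(true)
                // Fix: the original called deleteCookies() with no names, which registers
                // a cookie-clearing handler that clears nothing. Name the session cookie
                // explicitly (servlet default; adjust if the cookie name is customised).
                .deleteCookies("JSESSIONID")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/denied");

        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .invalidSessionUrl("/login")
                // New session id on authentication, existing attributes carried over.
                .sessionFixation().migrateSession()
                // At most five concurrent sessions per principal; a sixth login is
                // rejected instead of expiring the oldest session. Stale registry entries
                // therefore lock the user out, so the registry must be told when sessions
                // are destroyed — assumes SessionListener (or an HttpSessionEventPublisher
                // registered elsewhere) does that; TODO confirm.
                .maximumSessions(5)
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/login")
                .sessionRegistry(sessionRegistry());
    }

    /** Authenticates against {@link UserService}; no explicit PasswordEncoder is set (see class doc). */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService);
    }

    /**
     * In-memory registry backing the concurrent-session limit above. It is
     * per-JVM, so the limit is not enforced across several application instances.
     */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /** Registers the project's {@code SessionListener} as a servlet session listener. */
    @Bean
    public HttpSessionListener httpSessionListener() {
        return new SessionListener();
    }
}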