Spring Security custom expression

간단하지만 생각보다 어려운 설정 문제로 인해서 한참 고생을 했다.

Spring Security에서 기존에 있는 공통 Expression 외에 별도의 Expression을 만드려고 했는데 이게 제대로 문서도 없고 관련 예제가 있는 곳도 없다.

결국 구글링으로 만들긴 만들었다만 이 간단한 커스텀 개발을 위해서 쓴 시간이 아깝긴 하다. 막상 만들고 보니 고민거리가 있어서 실제로 쓸지도 모르겠다.

이 부분을 위해서 삽질하는 분들에게 도움이 되길 바란다.

우선 custom expression에는 2가지 종류가 있다.

메서드단에 설정하는 MethodSecurityExpression과 웹쪽에 설정하는 WebSecurityExpression이 있다. 이것을 몰라서 Method만 갖고 한참 삽질을 했다.

MethodSecurityExpression은 관련 클래스나 용어로 찾다보면 자료가 많이 있다. WebSecurityExpression이 별로 없다.

Version

• 3.1.7을 기준으로 함
• 3.0.7을 사용하다가 DefaultWebSecurityExpressionHandler을 상속받아서 사용할 때 원하는 메서드가 없어서 3.1.7로 올려서 사용하게 되었음
• 3.1.7의 경우 Spring 3.0.7 Version에 대해 의존하고 있어서 다행히 문제되지 않음 ([4] 참조)

MethodSecurityExpression

• 관련 클래스
• DefaultMethodSecurityExpressionHandler
• SecurityExpressionRoot
• MethodSecurityExpressionOperations
• 메소드쪽에 제한 설정
• @PreAuthorize와 함께 사용

WebSecurityExpression

• 관련 클래스
• WebSecurityExpressionRoot
• DefaultWebSecurityExpressionHandler
• 웹쪽(xml or java config)에 설정
• http intercept-url access에 설정

spring-security.xml (3.0.7의 경우)

SpringSecurity 3.0 에서는 XML 태그를 통해 웹 전반에 관한 expressionHandler 설정이 불가능

(SEC-1452 버그 참조. 3.1부터 가능.)

access-decision-manager-ref를 지정함으로써만 가능 (권남 블로그 참조)

<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <http use-expressions="true" access-decision-manager-ref="accessDecisionManager"> <intercept-url pattern="/customer/*" access="isAuthenticated() and hasIpAddresses('127.0.0.1')" /> <intercept-url pattern="/**/*" access="isAuthenticated() and hasRole('OVER18') and isAdmin()" /> ... </http> ... <!-- Custom Expression을 위한 설정 --> <beans:bean id="webSecurityExpressionHandler" class="com.tistory.atin84.common.eval.CustomWebSecurityExpressionHandler" /> <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> <beans:property name="decisionVoters"> <beans:list> <beans:ref bean="webExpressionVoter" /> </beans:list> </beans:property> </beans:bean> <beans:bean id="webExpressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter"> <beans:property name="expressionHandler" ref="webSecurityExpressionHandler" /> </beans:bean> </beans:beans>

spring-security.xml (3.1.7의 경우)

<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <http use-expressions="true" access-decision-manager-ref="accessDecisionManager"> <expression-handler ref="webSecurityExpressionHandler" /> <intercept-url pattern="/customer/*" access="isAuthenticated() and hasIpAddresses('127.0.0.1')" /> <intercept-url pattern="/**/*" access="isAuthenticated() and hasRole('OVER18') and isAdmin()" /> ... </http> ... <!-- Custom Expression을 위한 설정 --> <beans:bean id="webSecurityExpressionHandler" class="com.tistory.atin84.common.eval.CustomWebSecurityExpressionHandler" /> </beans:beans>

CustomWebSecurityExpressionHandler.java

package com.tistory.atin84.common.eval; import org.springframework.security.access.expression.SecurityExpressionRoot; import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.core.Authentication; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler; public class CustomWebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler { private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); @Override protected SecurityExpressionRoot createSecurityExpressionRoot(Authentication authentication, FilterInvocation fi) { CustomSecurityExpressionRoot root = new CustomSecurityExpressionRoot(authentication, fi); root.setPermissionEvaluator(getPermissionEvaluator()); root.setTrustResolver(this.trustResolver); root.setRoleHierarchy(getRoleHierarchy()); return root; } }

CustomSecurityExpressionRoot.java

package com.tistory.atin84.common.eval; import javax.servlet.http.HttpServletRequest; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.security.core.Authentication; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.expression.WebSecurityExpressionRoot; public class CustomSecurityExpressionRoot extends WebSecurityExpressionRoot { private Logger logger = LoggerFactory.getLogger(CustomSecurityExpressionRoot.class); public HttpServletRequest request; public CustomSecurityExpressionRoot(Authentication authentication, FilterInvocation filterInvocation) { super(authentication, filterInvocation); this.request = filterInvocation.getRequest(); } public boolean isAdmin() { logger.debug("isAdmin"); return true; } public boolean hasIpAddresses(String ipAddress) { //String requestIP = request.getRemoteAddr(); return (new IpAddressMatcher(ipAddress).matches(request)); } }

기타 참고 소스 1 - CustomMethodSecurityExpression

CustomMethodSecurityExpressionHandler.java

import org.aopalliance.intercept.MethodInvocation; import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations; import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.core.Authentication; public class CustomMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler { private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl(); @Override public void setReturnObject(Object returnObject, EvaluationContext ctx) { ((MethodSecurityExpressionOperations) ctx.getRootObject().getValue()).setReturnObject(returnObject); } @Override protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) { final CustomMethodSecurityExpressionRoot root = new CustomMethodSecurityExpressionRoot(authentication); root.setThis(invocation.getThis()); root.setPermissionEvaluator(getPermissionEvaluator()); root.setTrustResolver(this.trustResolver); root.setRoleHierarchy(getRoleHierarchy()); return root; } }

CustomMethodSecurityExpressionRoot.java

import org.springframework.security.access.expression.SecurityExpressionRoot; import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations; import org.springframework.security.core.Authentication; public class CustomMethodSecurityExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations { private Object filterObject; private Object returnObject; private Object target; public CustomMethodSecurityExpressionRoot(Authentication authentication) { super(authentication); } // copy everything from the original Spring Security MethodSecurityExpressionRoot // add your custom methods public boolean isAdmin() { return denyAll; // do whatever you need to do, e.g. delegate to other components // hint: you can here directly access Authentication object // via inherited authentication field } public boolean isOwner(Long id) { return denyAll; // do whatever you need to do, e.g. delegate to other components } @Override public void setFilterObject(Object filterObject) { this.filterObject = filterObject; } @Override public Object getFilterObject() { return filterObject; } @Override public void setReturnObject(Object returnObject) { this.returnObject = returnObject; } @Override public Object getReturnObject() { return returnObject; } @Override public Object getThis() { return target; } void setThis(Object target) { this.target = target; } }

기타 참고 소스 2 - CustomAuthenticationToken

CustomAuthenticationToken.java

import java.util.Collection; import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.core.GrantedAuthority; public class CustomAuthenticationToken extends AbstractAuthenticationToken { private static final long serialVersionUID = 4354326432543118052L; private final Object principal; private Object credentials; public CustomAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) { super(authorities); this.principal = principal; this.credentials = credentials; super.setAuthenticated(true); } @Override public Object getCredentials() { return this.credentials; } @Override public Object getPrincipal() { return this.principal; } }

SampleCode - JaasGrandtedAuthority(3.1.7 사용 가능), SimpleGrantedAuthority(상위 버전)를 사용하거나 GrantedAuthority를 직접 구현해서 사용

GrantedAuthority authAge19 = new JaasGrantedAuthority("AGE19", null); Authentication authentication = new CookieAuthenticationToken(hangameUser, null, Arrays.asList(authAge19));

Reference

[1]  16. Expression-Based Access Control (http://docs.spring.io/autorepo/docs/spring-security/3.1.x/reference/el-access.html)
[2] 권남 Spring Security (http://kwonnam.pe.kr/wiki/springframework/security)

[3] Github 참고 소스 (https://gist.github.com/bmchild/1642655)

[4] Maven Repository - spring security 3.1.7 (http://mvnrepository.com/artifact/org.springframework.security/spring-security-core/3.1.7.RELEASE)