
목차
SecurityContextRepository
SecurityContextRepository 는 SecurityContext 를 저장하고 검색하기 위한 저장소입니다.
Spring Security 에서는 인증 후 생성된 SecurityContext 를 저장하고 관리하기 위해 SecurityContextRepository 인터페이스를 제공합니다.
SecurityContextRepository 인터페이스 구현을 통해 인증 객체(SecurityContext) 를 Request 객체나 Session 에 저장하거나 아니면 Redis 와 같은 별도의 저장소에 저장할 수 있습니다.
// SecurityContextRepository.java
/**
 * Storage abstraction for the {@link SecurityContext} tied to an HTTP request.
 *
 * <p>Implementations decide where the context lives (this page shows a session-backed
 * and a request-attribute-backed variant) and therefore how long an authenticated
 * state survives.
 */
public interface SecurityContextRepository {

    /**
     * Loads the context for the request carried by the holder.
     *
     * <p>Marked {@code @Deprecated} in this listing; {@link #loadDeferredContext} is the
     * non-deprecated way to obtain the context.
     *
     * @param requestResponseHolder holder wrapping the current request (and response)
     * @return the context for the request, as resolved by the implementation
     */
    @Deprecated
    SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);

    /**
     * Returns a deferred handle on the context so the actual lookup is postponed until
     * the context is first needed.
     *
     * <p>The default implementation delegates to {@link #loadContext} with a holder whose
     * response is {@code null}.
     *
     * @param request the current request
     * @return a deferred view of the security context
     */
    default DeferredSecurityContext loadDeferredContext(HttpServletRequest request) {
        // The lookup is wrapped in a supplier so nothing is read until the context is requested.
        Supplier<SecurityContext> lazyLookup = () -> {
            HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, null);
            return loadContext(holder);
        };
        // SingletonSupplier is expected to run the lookup once and reuse the result.
        return new SupplierDeferredSecurityContext(
                SingletonSupplier.of(lazyLookup),
                SecurityContextHolder.getContextHolderStrategy());
    }

    /**
     * Persists the given context for the request/response pair.
     *
     * @param context  the context to store
     * @param request  the current request
     * @param response the current response
     */
    void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);

    /**
     * Reports whether this repository currently holds a context for the request.
     *
     * @param request the current request
     * @return {@code true} if a context is stored for the request
     */
    boolean containsContext(HttpServletRequest request);
}
|
1. Session 에 저장 - HttpSessionSecurityContextRepository
HttpSessionSecurityContextRepository 는 Session 에 SecurityContext 정보를 저장합니다.
HttpSessionSecurityContextRepository 은 SecurityContext 를 HttpSession 에 저장하기 때문에 Session 이 유지되는 한 후속 요청이 들어오더라도 인증 상태가 유지됩니다.
// HttpSessionSecurityContextRepository.java
/**
 * Saves the context for this request, preferring the response wrapper when one is present.
 *
 * <p>If the response is (or wraps) a {@code SaveContextOnUpdateOrErrorResponseWrapper},
 * the save is handed to that wrapper; otherwise the context is written through
 * {@code saveContextInHttpSession}.
 *
 * @param context  the context to store
 * @param request  the current request
 * @param response the current response, possibly wrapped
 */
@Override
public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
    SaveContextOnUpdateOrErrorResponseWrapper wrapper =
            WebUtils.getNativeResponse(response, SaveContextOnUpdateOrErrorResponseWrapper.class);
    if (wrapper != null) {
        wrapper.saveContext(context);
    } else {
        // No wrapper around the response: store straight into the session.
        saveContextInHttpSession(context, request);
    }
}
/**
 * Writes the context into the HTTP session, or clears it when the context is empty.
 *
 * <p>Three outcomes are visible here:
 * <ul>
 *   <li>a transient context or transient authentication is never stored;</li>
 *   <li>a context equal to a freshly generated one is treated as empty and removed from
 *       the existing session, without creating a session;</li>
 *   <li>any other context is stored, creating a session only if
 *       {@code allowSessionCreation} is set.</li>
 * </ul>
 *
 * @param context the context to store
 * @param request the current request
 */
private void saveContextInHttpSession(SecurityContext context, HttpServletRequest request) {
    boolean neverPersist = isTransient(context) || isTransient(context.getAuthentication());
    if (neverPersist) {
        return;
    }
    if (generateNewContext().equals(context)) {
        // Empty context: clear any stored one so it cannot be restored on a later request.
        // getSession(false) returns null when no session exists.
        // NOTE(review): the helper's null handling is not shown on this page - confirm.
        removeContextFromSession(context, request.getSession(false));
        return;
    }
    // With allowSessionCreation == false this may also pass a null session.
    // NOTE(review): confirm setContextInSession tolerates that.
    setContextInSession(context, request.getSession(this.allowSessionCreation));
}
|
2. Request 객체에 저장 - RequestAttributeSecurityContextRepository
RequestAttributeSecurityContextRepository 는 Request 객체에 SecurityContext 정보를 저장하는 객체입니다.
RequestAttributeSecurityContextRepository 는 요청 정보에 SecurityContext 를 저장하기 때문에 요청이 끝나게 되면 SecurityContext 정보도 같이 사라지게 됩니다.
// RequestAttributeSecurityContextRepository.java
/**
 * Stores the context as an attribute of the current request only.
 *
 * <p>Nothing is written to the session or the response here, so the stored context is
 * scoped to this request object and is not available to later requests.
 *
 * @param context  the context to store
 * @param request  the request that receives the attribute
 * @param response unused by this implementation
 */
@Override
public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
    final String attributeKey = this.requestAttributeName;
    request.setAttribute(attributeKey, context);
}
|
3. 여러개의 Request 객체에 저장 - DelegatingSecurityContextRepository
여러개의 SecurityContextRepository 를 사용하기 위해 Spring Security 에서는 DelegatingSecurityContextRepository 를 제공합니다. 다음과 같이 여러개의 SecurityContextRepository 객체를 인자로 해 DelegatingSecurityContextRepository 객체를 생성할 수 있습니다.
// DelegatingSecurityContextRepository.java
/**
 * Exposes a repository that combines request-attribute and HTTP-session storage.
 *
 * <p>The delegates are passed in a fixed order: request attribute first, session second.
 * NOTE(review): delegate order can decide which stored context is returned on load, so
 * keep the order intentional when adding or reordering repositories.
 *
 * @return the composite repository bean
 */
@Bean
public SecurityContextRepository securityContextRepository() {
    SecurityContextRepository requestScoped = new RequestAttributeSecurityContextRepository();
    SecurityContextRepository sessionScoped = new HttpSessionSecurityContextRepository();
    return new DelegatingSecurityContextRepository(requestScoped, sessionScoped);
}
|
DelegatingSecurityContextRepository 또한 같은 SecurityContextRepository 인터페이스를 통해 생성된 구현체라 사용하는 방식에 차이는 없습니다. 다만, 내부적으로 여러개의 SecurityContextRepository 를 한번씩 실행시키는 방식으로 로직을 수행합니다.
// DelegatingSecurityContextRepository.java
/**
 * Asks every delegate for a context and returns the one that takes precedence.
 *
 * <p>Each delegate's {@code loadContext} is always invoked. Its result replaces the
 * current choice when nothing has been chosen yet, or when that delegate reports
 * {@code containsContext} for the request. As a consequence the last delegate that
 * actually holds a context wins; if none does, the first non-null result is kept.
 *
 * @param requestResponseHolder holder wrapping the current request (and response)
 * @return the selected context, or {@code null} if every delegate returned {@code null}
 */
@Override
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
    SecurityContext chosen = null;
    for (SecurityContextRepository repository : this.delegates) {
        SecurityContext candidate = repository.loadContext(requestResponseHolder);
        // Short-circuit kept: containsContext is only consulted once something is chosen.
        boolean takeCandidate = chosen == null
                || repository.containsContext(requestResponseHolder.getRequest());
        if (takeCandidate) {
            chosen = candidate;
        }
    }
    return chosen;
}
|