
로그인 제한

바바옄 2015. 4. 24. 10:48

로그인 시도 횟수 제한

 사용자가 로그인을 계속해서 시도할 경우 아래 두 가지 중 하나를 해야 한다.

-  사용자가 비밀번호를 잊어버릴 수 있으므로 비밀번호를 찾도록 가이드 한다.

-  Bot에 의한 자동화된 해킹 시도일 수 있으므로 자동적인 로그인을 차단한다.

 로그인 시도는 Log 혹은 DB에 기록되어야만 한다.

 

1. DB 에 Login Count 컬럼 추가

2.  MemberController에 추가

    /**
     * Handles a POST login request.
     *
     * <p>Credential checking is delegated to {@code memberService.login}; every rejected
     * attempt bumps the per-user failure counter so that the lockout threshold applied in
     * the DAO query can take effect. The client receives a plain "OK" / "NO" body.
     *
     * @param loginVO  the submitted id and password
     * @param session  the caller's HTTP session, handed to the service for binding
     * @param response the response the "OK" / "NO" text is written to
     */
    @RequestMapping(value=("/member/login"), method=RequestMethod.POST )
    public void login(LoginVO loginVO, HttpSession session, HttpServletResponse response) {
        final boolean authenticated = memberService.login(session, loginVO);

        // Only failures are counted here; a successful login resets the counter on the DAO side.
        if (!authenticated) {
            memberService.plusFailCount(loginVO.getId());
        }

        final String reply = authenticated ? "OK" : "NO";
        SendMessage.send(response, reply);
    }

3. MemberService, MemberServiceImpl, MemberDAO, MemberDAOImpl에 추가

MemberService

package kr.co.hucloud.security.code.example.member.service;
 
import java.util.List;
 
import javax.servlet.http.HttpSession;
 
import kr.co.hucloud.security.code.example.member.vo.LoginVO;
import kr.co.hucloud.security.code.example.member.vo.MemberRegistryVO;
import kr.co.hucloud.security.code.example.member.vo.MemberVO;
 
/**
 * Member-facing business operations: registration, login and the failed-login counter.
 */
public interface MemberService {

    /**
     * Registers a new member. Implementations may replace the password with a hash
     * before it is stored.
     *
     * @param memberVO registration data from the sign-up form
     */
    void addMember(MemberRegistryVO memberVO);

    /**
     * Authenticates the given credentials and, on success, binds the member to {@code session}.
     *
     * @param session the caller's HTTP session
     * @param loginVO submitted id and password
     * @return {@code true} if the credentials matched a member
     */
    boolean login(HttpSession session, LoginVO loginVO);

    /**
     * Looks up members by the given parameter (passed through to the DAO as the user id).
     *
     * @param parameter lookup key
     * @return matching members, empty if none
     */
    List<MemberVO> getUserInfo(String parameter);

    /**
     * Increments the stored failed-login counter for {@code id}.
     *
     * @param id the user id whose counter is bumped
     */
    void plusFailCount(String id);
}

 

MemberServiceImpl

    /**
     * Bumps the failed-login counter for {@code id}.
     *
     * <p>Pure pass-through: no business rule (cap, decay, notification) is applied at this
     * layer; the DAO performs the unconditional increment.
     *
     * @param id the user id whose counter is incremented
     */
    @Override
    public void plusFailCount(String id) {
        final MemberDAO dao = this.memberDAO;
        dao.plusFailCount(id);
    }

 

MemberDAO

package kr.co.hucloud.security.code.example.member.dao;
 
import java.util.List;
 
import kr.co.hucloud.security.code.example.member.vo.LoginVO;
import kr.co.hucloud.security.code.example.member.vo.MemberRegistryVO;
import kr.co.hucloud.security.code.example.member.vo.MemberVO;
 
/**
 * Persistence operations on the USERS table.
 */
public interface MemberDAO {

    /**
     * Inserts a new member row.
     *
     * @param memberVO id, name, password and salt of the new member
     */
    void addMember(MemberRegistryVO memberVO);

    /**
     * Finds the member whose id and password match.
     *
     * @param loginVO id and password to check
     * @return the matching member, or {@code null} if none
     */
    MemberVO login(LoginVO loginVO);

    /**
     * Looks up members by user id.
     *
     * @param parameter the user id
     * @return matching members, empty if none
     */
    List<MemberVO> getUserInfo(String parameter);

    /**
     * Returns every member row.
     *
     * @return all members, empty if the table is empty
     */
    List<MemberVO> getAllMemberInfo();

    /**
     * Stores a new password (and salt) for the member identified by {@code member}'s id.
     *
     * @param member carries the id, the new password and the new salt
     */
    void updateMemberPassword(MemberVO member);

    /**
     * Returns the stored salt for {@code id}.
     *
     * @param id the user id
     * @return the salt; implementations may return an empty string when no row exists
     */
    String getSaltById(String id);

    /**
     * Increments the failed-login counter for {@code id}.
     *
     * @param id the user id
     */
    void plusFailCount(String id);
}
 

 

MemberDAOImpl

package kr.co.hucloud.security.code.example.member.dao.impl;
 
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
 
import javax.sql.DataSource;
 
import kr.co.hucloud.security.code.example.common.util.DBCloseUtil;
import kr.co.hucloud.security.code.example.member.dao.MemberDAO;
import kr.co.hucloud.security.code.example.member.vo.LoginVO;
import kr.co.hucloud.security.code.example.member.vo.MemberRegistryVO;
import kr.co.hucloud.security.code.example.member.vo.MemberVO;
 
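/**
 * JDBC implementation of {@link MemberDAO} against the USERS table.
 *
 * <p>All statements are parameterized ({@code ?} placeholders), so user-supplied ids and
 * passwords are never concatenated into SQL. Every method opens its own connection from the
 * injected {@link DataSource} and releases it through {@code DBCloseUtil}; SQL errors are
 * rethrown as {@link RuntimeException} with the original cause attached.
 */
public class MemberDAOImpl implements MemberDAO {

    /**
     * Highest LGN_CNT that still permits a login (the original query hard-coded
     * {@code LGN_CNT <= 3}). The fourth consecutive failure locks the account; the only
     * unlock implemented in this DAO is a successful login, which resets the counter, so
     * there is no time-based release.
     */
    private static final int MAX_FAIL_COUNT = 3;

    private DataSource dataSource;

    /** Injected by the container configuration. */
    public void setDataSource(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /** Builds a MemberVO from the current row of a (USER_ID, USER_NAME, USER_PASSWORD) result. */
    private static MemberVO readMember(ResultSet rs) throws SQLException {
        MemberVO memberVO = new MemberVO();
        memberVO.setId(rs.getString(1));
        memberVO.setUserName(rs.getString(2));
        memberVO.setPassword(rs.getString(3));
        return memberVO;
    }

    /**
     * Inserts a new USERS row. The password is stored exactly as passed in; the service layer
     * is expected to have hashed it already when a SALT column exists.
     *
     * @param memberVO id, name, (hashed) password and salt of the new member
     * @throws RuntimeException wrapping the underlying {@link SQLException}
     */
    @Override
    public void addMember(MemberRegistryVO memberVO) {
        Connection conn = null;
        PreparedStatement pstmt = null;

        String query = "INSERT INTO USERS ( "
                + "   USER_ID, USER_NAME, USER_PASSWORD,  "
                + "   IS_ADMIN_YN, CRT_DT, MDFY_DT, SALT)  "
                + "VALUES ( ?, ?, ?, ?, SYSDATE, SYSDATE,?) ";
        try {
            conn = dataSource.getConnection();
            pstmt = conn.prepareStatement(query);
            pstmt.setString(1, memberVO.getUserId());
            pstmt.setString(2, memberVO.getUserName());
            pstmt.setString(3, memberVO.getUserPassword());
            // NOTE(review): every self-registered account is flagged IS_ADMIN_YN = 'Y' here
            // (the listing read setString(4"Y") — a dropped comma, fixed). Confirm this is
            // intended for the demo; a production default would be 'N'.
            pstmt.setString(4, "Y");
            pstmt.setString(5, memberVO.getSalt());
            pstmt.executeUpdate();
        } catch (SQLException sqle) {
            throw new RuntimeException(sqle.getMessage(), sqle);
        } finally {
            DBCloseUtil.close(conn, pstmt, null);
        }
    }

    /**
     * Looks up the member whose id and password match. The password compared here is whatever
     * the caller passes — the service hashes it first when salts are in use.
     *
     * <p>The lockout is part of the query: a row whose LGN_CNT exceeds {@link #MAX_FAIL_COUNT}
     * never matches, so callers cannot tell "locked" from "wrong password" — both yield
     * {@code null}. A row whose LGN_CNT is NULL does not match either (NULL comparison), so the
     * column needs a default of 0 — TODO confirm in the schema. On a match the failure counter
     * is reset to 0 on the same connection.
     *
     * @param loginVO id and password to check
     * @return the matching member, or {@code null} if none matched or the account is locked
     * @throws RuntimeException wrapping the underlying {@link SQLException}
     */
    @Override
    public MemberVO login(LoginVO loginVO) {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;

        String query = " SELECT USER_ID, USER_NAME, USER_PASSWORD FROM USERS"
                + " WHERE USER_ID = ? AND USER_PASSWORD = ? AND LGN_CNT <= ? ";
        try {
            conn = dataSource.getConnection();
            stmt = conn.prepareStatement(query);
            stmt.setString(1, loginVO.getId());
            stmt.setString(2, loginVO.getPassword());
            stmt.setInt(3, MAX_FAIL_COUNT);
            rs = stmt.executeQuery();

            MemberVO memberVO = rs.next() ? readMember(rs) : null;

            if (memberVO != null) {
                // Successful login: reset the counter. Release the SELECT cursor and statement
                // before reusing the connection so only one statement is open at a time.
                DBCloseUtil.close(null, stmt, rs);
                rs = null;

                String sql = " UPDATE USERS SET LGN_CNT = 0 WHERE USER_ID=?";
                stmt = conn.prepareStatement(sql);
                stmt.setString(1, loginVO.getId());
                stmt.executeUpdate();
            }
            return memberVO;
        } catch (SQLException sqle) {
            throw new RuntimeException(sqle.getMessage(), sqle);
        } finally {
            DBCloseUtil.close(conn, stmt, rs);
        }
    }

    /**
     * Returns the member(s) with the given user id (at most one row if USER_ID is unique).
     *
     * @param parameter the user id to look up
     * @return matching members, empty list if none
     * @throws RuntimeException wrapping the underlying {@link SQLException}
     */
    @Override
    public List<MemberVO> getUserInfo(String parameter) {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;

        List<MemberVO> memberList = new ArrayList<MemberVO>();

        String query = " SELECT USER_ID, USER_NAME, USER_PASSWORD FROM USERS WHERE USER_ID = ?";
        try {
            conn = dataSource.getConnection();
            stmt = conn.prepareStatement(query);
            stmt.setString(1, parameter);
            rs = stmt.executeQuery();

            while (rs.next()) {
                memberList.add(readMember(rs));
            }
            return memberList;
        } catch (SQLException sqle) {
            throw new RuntimeException(sqle.getMessage(), sqle);
        } finally {
            DBCloseUtil.close(conn, stmt, rs);
        }
    }

    /**
     * Returns every member's id and stored password (hash, when salts are in use).
     *
     * <p>Callers must treat the password field as sensitive: this method exists for the
     * example's password-migration flow and should not feed a view.
     *
     * @return all members with id and password set, empty list if the table is empty
     * @throws RuntimeException wrapping the underlying {@link SQLException}
     */
    @Override
    public List<MemberVO> getAllMemberInfo() {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;

        List<MemberVO> memberList = new ArrayList<MemberVO>();

        String query = " SELECT USER_ID, USER_PASSWORD FROM USERS ";
        try {
            conn = dataSource.getConnection();
            stmt = conn.prepareStatement(query);
            rs = stmt.executeQuery();

            while (rs.next()) {
                MemberVO memberVO = new MemberVO();
                memberVO.setId(rs.getString(1));
                memberVO.setPassword(rs.getString(2));
                memberList.add(memberVO);
            }
            return memberList;
        } catch (SQLException sqle) {
            throw new RuntimeException(sqle.getMessage(), sqle);
        } finally {
            DBCloseUtil.close(conn, stmt, rs);
        }
    }

    /**
     * Stores a new password and salt for the member identified by {@code memberVO.getId()} and
     * stamps MDFY_DT.
     *
     * <p>NOTE(review): this statement targets {@code SYSTEM.USERS} while every other query in
     * this class uses the unqualified {@code USERS}; confirm both resolve to the same table.
     *
     * @param memberVO carries the id, the new (hashed) password and the new salt
     * @throws RuntimeException wrapping the underlying {@link SQLException}
     */
    @Override
    public void updateMemberPassword(MemberVO memberVO) {
        Connection conn = null;
        PreparedStatement pstmt = null;

        String query = "UPDATE SYSTEM.USERS " + "SET    USER_PASSWORD = ? "
                + "       , SALT = ? " + "       , MDFY_DT       = SYSDATE "
                + "WHERE  USER_ID       = ? ";

        try {
            conn = dataSource.getConnection();
            pstmt = conn.prepareStatement(query);
            pstmt.setString(1, memberVO.getPassword());
            pstmt.setString(2, memberVO.getSalt());
            pstmt.setString(3, memberVO.getId());
            pstmt.executeUpdate();
        } catch (SQLException sqle) {
            throw new RuntimeException(sqle.getMessage(), sqle);
        } finally {
            DBCloseUtil.close(conn, pstmt, null);
        }
    }

    /**
     * Returns the stored salt for {@code id}.
     *
     * @param id the user id
     * @return the salt, {@code ""} when no row exists, and possibly {@code null} when the row's
     *         SALT column is NULL (legacy rows); callers must handle both before hashing
     * @throws RuntimeException wrapping the underlying {@link SQLException}
     */
    @Override
    public String getSaltById(String id) {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;

        String query = " SELECT SALT FROM USERS WHERE USER_ID = ? ";
        try {
            conn = dataSource.getConnection();
            stmt = conn.prepareStatement(query);
            stmt.setString(1, id);
            rs = stmt.executeQuery();

            String salt = "";
            if (rs.next()) {
                salt = rs.getString(1);
            }
            return salt;
        } catch (SQLException sqle) {
            throw new RuntimeException(sqle.getMessage(), sqle);
        } finally {
            DBCloseUtil.close(conn, stmt, rs);
        }
    }

    /**
     * Increments LGN_CNT for {@code id} after a failed login attempt.
     *
     * <p>The increment is unconditional: there is no cap and no decay, so only a successful
     * login (see {@link #login}) ever brings the counter back to 0. An unknown id simply
     * updates zero rows.
     *
     * @param id the user id whose counter is bumped
     * @throws RuntimeException wrapping the underlying {@link SQLException}
     */
    @Override
    public void plusFailCount(String id) {
        Connection conn = null;
        PreparedStatement pstmt = null;

        String sql = " UPDATE USERS SET LGN_CNT = LGN_CNT + 1 WHERE USER_ID=?";
        try {
            conn = dataSource.getConnection();
            pstmt = conn.prepareStatement(sql);
            pstmt.setString(1, id);
            pstmt.executeUpdate();
        } catch (SQLException sqle) {
            throw new RuntimeException(sqle.getMessage(), sqle);
        } finally {
            DBCloseUtil.close(conn, pstmt, null);
        }
    }

}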
 

  

 

로그인 세션 제한

 

1. 하나의 아이디는 하나의 세션만 가져야 한다.

SessionStore

싱글톤 생성 - 누가 들어왔는지 확인하기 위해.

package kr.co.hucloud.security.code.example.member.util;
 
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
 
import javax.servlet.http.HttpSession;
 
/**
 * Process-wide registry of which user id currently owns which {@link HttpSession}; used to
 * allow at most one live session per id.
 *
 * <p>Singleton: obtain it through {@link #getInstance()}. Every accessor is
 * {@code synchronized} because concurrent controller threads share the one instance.
 * Entries are only removed by an explicit {@link #removeSession(String)}; nothing here reacts
 * to a session expiring on its own — NOTE(review): if an expired session is never removed,
 * {@link #isExists(String)} keeps reporting the id as logged in; confirm a listener or the
 * forced-login path covers that case.
 */
public class SessionStore implements Serializable {

    // Serialization id; note that the HttpSession values are not guaranteed serializable.
    private static final long serialVersionUID = -5505976177316125727L;

    // user id -> that user's HttpSession
    private final Map<String, HttpSession> registry;

    // Lazily created on the first getInstance() call.
    private static SessionStore instance;

    // Private so that getInstance() is the only way to obtain one.
    private SessionStore() {
        this.registry = new HashMap<String, HttpSession>();
    }

    /**
     * Returns the single shared instance, creating it on first use.
     *
     * @return the singleton
     */
    public static synchronized SessionStore getInstance() {
        if (instance != null) {
            return instance;
        }
        instance = new SessionStore();
        return instance;
    }

    /**
     * Registers {@code session} as the live session for {@code userId}, replacing any entry.
     */
    public synchronized void putSession(String userId, HttpSession session) {
        registry.put(userId, session);
    }

    /**
     * @return the session registered for {@code userId}, or {@code null} if none
     */
    public synchronized HttpSession getSession(String userId) {
        return registry.get(userId);
    }

    /**
     * @return whether a session is registered for {@code userId}
     */
    public synchronized boolean isExists(String userId) {
        return registry.containsKey(userId);
    }

    /**
     * Drops the entry for {@code userId}; no-op if none exists.
     */
    public synchronized void removeSession(String userId) {
        registry.remove(userId);
    }

    /**
     * @return number of registered sessions
     */
    public synchronized int getSize() {
        return registry.size();
    }
}
 

싱글톤을 사용하면 안 되는 경우

서버가 여러 대일 때(분산 환경) - 이 경우에는 Cache를 사용해 해결할 수 있다.

 

MemberServiceImpl

package kr.co.hucloud.security.code.example.member.service.impl;
 
import java.util.List;
import java.util.UUID;
 
import javax.servlet.http.HttpSession;
 
import org.mindrot.jbcrypt.BCrypt;
 
import kr.co.hucloud.security.code.example.common.Session;
import kr.co.hucloud.security.code.example.encrypto.password.dao.EncryptoPasswordDAO;
import kr.co.hucloud.security.code.example.member.dao.MemberDAO;
import kr.co.hucloud.security.code.example.member.service.MemberService;
import kr.co.hucloud.security.code.example.member.util.SessionStore;
import kr.co.hucloud.security.code.example.member.vo.LoginVO;
import kr.co.hucloud.security.code.example.member.vo.MemberRegistryVO;
import kr.co.hucloud.security.code.example.member.vo.MemberVO;
 
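/**
 * {@link MemberService} implementation: BCrypt password hashing (when the schema has a SALT
 * column) and one-session-per-id enforcement via {@link SessionStore}.
 */
public class MemberServiceImpl implements MemberService {

    private MemberDAO memberDAO;
    private EncryptoPasswordDAO encryptoPasswordDAO;

    /** Injected by the container configuration. */
    public void setMemberDAO(MemberDAO memberDAO) {
        this.memberDAO = memberDAO;
    }

    /** Injected by the container configuration. */
    public void setEncryptoPasswordDAO(EncryptoPasswordDAO encryptoPasswordDAO) {
        this.encryptoPasswordDAO = encryptoPasswordDAO;
    }

    /**
     * Registers a member. When the schema has a SALT column the password is replaced by its
     * BCrypt hash (with a freshly generated salt) before it reaches the DAO; otherwise it is
     * stored as submitted.
     *
     * @param memberVO registration data; its password and salt fields are overwritten when hashing
     */
    @Override
    public void addMember(MemberRegistryVO memberVO) {
        if (encryptoPasswordDAO.isExistsSaltColumn()) {
            String salt = BCrypt.gensalt();
            String hashedPassword = BCrypt.hashpw(memberVO.getUserPassword(), salt);
            memberVO.setUserPassword(hashedPassword);
            memberVO.setSalt(salt);
        }
        memberDAO.addMember(memberVO);
    }

    /**
     * Authenticates {@code loginVO} and, on the first login for that id, binds the member and
     * a random token to {@code session} and registers the session in {@link SessionStore}.
     *
     * <p>When a session is already registered for the id, the credentials are still accepted
     * ({@code true} is returned) but nothing is bound to {@code session}; the revised version
     * of this method returns a reason map so the browser can react.
     *
     * @param session the caller's HTTP session
     * @param loginVO submitted id and password; the password field is replaced by its hash when
     *                a salt is on file for the id
     * @return {@code true} if the DAO found a matching, non-locked member
     */
    @Override
    public boolean login(HttpSession session, LoginVO loginVO) {
        hashPasswordIfSalted(loginVO);

        MemberVO memberVO = memberDAO.login(loginVO);
        if (memberVO == null) {
            return false;
        }

        SessionStore sessionStore = SessionStore.getInstance();

        if (!sessionStore.isExists(memberVO.getId())) {
            session.setAttribute(Session.MEMBER, memberVO);
            // Random per-session token; its consumers are outside this class.
            session.setAttribute("_TOKEN_", UUID.randomUUID().toString());
            sessionStore.putSession(memberVO.getId(), session);
            // Diagnostic output: number of registered sessions.
            System.out.println(sessionStore.getSize());
        }
        else {
            System.out.println("이미 로그인 되어있음!");
            // Already logged in elsewhere; this version does not report that to the browser.
        }

        return true;
    }

    /**
     * Replaces the plaintext password in {@code loginVO} with its BCrypt hash when the schema
     * stores salts.
     *
     * <p>Hashing is skipped when no salt is on file for the id (the DAO returns {@code ""} for
     * an unknown id and may return {@code null} for a legacy row). BCrypt rejects an empty or
     * null salt with an exception, which would turn "unknown user" into a server error and so
     * reveal which ids exist; leaving the password untouched makes the DAO lookup fail the
     * ordinary way instead.
     *
     * @param loginVO credentials to prepare; mutated in place
     */
    private void hashPasswordIfSalted(LoginVO loginVO) {
        if (!encryptoPasswordDAO.isExistsSaltColumn()) {
            return;
        }
        String salt = memberDAO.getSaltById(loginVO.getId());
        if (salt == null || salt.length() == 0) {
            return;
        }
        loginVO.setPassword(BCrypt.hashpw(loginVO.getPassword(), salt));
    }

    /**
     * @param parameter the user id
     * @return members matching {@code parameter}, empty if none
     */
    @Override
    public List<MemberVO> getUserInfo(String parameter) {
        return memberDAO.getUserInfo(parameter);
    }

    /**
     * Bumps the failed-login counter for {@code id}; pass-through to the DAO.
     *
     * @param id the user id
     */
    @Override
    public void plusFailCount(String id) {
        memberDAO.plusFailCount(id);
    }
}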
 

 

2. 중복된 로그인은 허용하지 않아야 한다.

 - 중복 로그인을 시도할 때, 기존의 Session을 제거할 것인지 사용자에게 선택받게 해야 한다.

LoginResult class 생성

package kr.co.hucloud.security.code.example.member.vo;
 
/**
 * Outcome of a login attempt as returned to the browser by {@code MemberController.login}.
 *
 * <p>{@code isSuccess} tells whether the member is now bound to the session; when it is
 * {@code false}, {@code because} carries the reason code the page script dispatches on.
 * Plain mutable bean so it serializes to JSON via {@code @ResponseBody}.
 */
public class LoginResult {

    private boolean isSuccess;
    private String because;

    /** @return whether the login attempt succeeded */
    public boolean getIsSuccess() {
        return this.isSuccess;
    }

    /** @param isSuccess whether the login attempt succeeded */
    public void setIsSuccess(boolean isSuccess) {
        this.isSuccess = isSuccess;
    }

    /** @return the reason code for a failed attempt, or {@code null} if none was set */
    public String getBecause() {
        return this.because;
    }

    /** @param because the reason code for a failed attempt */
    public void setBecause(String because) {
        this.because = because;
    }
}
 

 

MemberServiceImpl.java -> login 메소드 수정

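@Override
    /**
     * Authenticates {@code loginVO} and reports the outcome as a map.
     *
     * <p>Keys: {@code "result"} (Boolean) — whether the member is now bound to
     * {@code session}; {@code "because"} (String), only on failure — {@code "1"} when another
     * session is already registered for the id and the request did not carry a force flag,
     * {@code "2"} when the credentials were rejected (or the account is locked; the DAO query
     * does not distinguish the two).
     *
     * <p>With {@code loginVO.getForceLogin()} non-empty, the previously registered session is
     * invalidated and replaced by {@code session}.
     *
     * @param session the caller's HTTP session
     * @param loginVO submitted id, password and optional force flag; the password is replaced
     *                by its hash when a salt is on file
     * @return the outcome map described above
     */
    public Map<String,Object> login(HttpSession session, LoginVO loginVO) {

        // Compare against the BCrypt hash when salts are stored. Hashing is skipped when no
        // salt is on file (unknown id → "", legacy row → null): BCrypt rejects such a salt with
        // an exception, which would turn "unknown user" into a server error and reveal which
        // ids exist. The untouched password then simply fails the DAO lookup.
        if (encryptoPasswordDAO.isExistsSaltColumn()) {
            String salt = memberDAO.getSaltById(loginVO.getId());
            if (salt != null && salt.length() > 0) {
                loginVO.setPassword(BCrypt.hashpw(loginVO.getPassword(), salt));
            }
        }

        MemberVO memberVO = memberDAO.login(loginVO);

        Map<String, Object> result = new HashMap<String, Object>();
        result.put("result", memberVO != null);

        if (memberVO == null) {
            result.put("because", "2");
            return result;
        }

        SessionStore sessionStore = SessionStore.getInstance();
        // Use the id as stored in the DB consistently for every store operation, so that the
        // key written by putSession is the one later read by getSession/removeSession.
        String memberId = memberVO.getId();

        if (!sessionStore.isExists(memberId)) {
            bindSession(session, memberVO, sessionStore);
            return result;
        }

        System.out.println("이미 로그인 되어있음!");

        // A session is already registered for this id. Without an explicit force flag the
        // browser is told so (because = "1") and can ask the user whether to replace it.
        // The flag may be absent entirely (callers that build a LoginVO by hand), hence the
        // null check.
        String forceLogin = loginVO.getForceLogin();
        if (forceLogin == null || forceLogin.length() == 0) {
            result.put("result", false);
            result.put("because", "1");
            return result;
        }

        // Forced login: log the previous session out, then register this one.
        HttpSession previous = sessionStore.getSession(memberId);
        if (previous != null && previous != session) {
            try {
                previous.invalidate();
            } catch (IllegalStateException alreadyInvalid) {
                // The old session already expired but was never removed from the store;
                // there is nothing left to invalidate.
            }
        }
        sessionStore.removeSession(memberId);
        bindSession(session, memberVO, sessionStore);
        return result;
    }

    /**
     * Stores the member and a fresh random token on {@code session} and registers the session
     * in the store.
     */
    private void bindSession(HttpSession session, MemberVO memberVO, SessionStore sessionStore) {
        session.setAttribute(Session.MEMBER, memberVO);
        session.setAttribute("_TOKEN_", UUID.randomUUID().toString());
        sessionStore.putSession(memberVO.getId(), session);
        // Diagnostic output: number of registered sessions.
        System.out.println(sessionStore.getSize());
    }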

 

MemberController -> login,logout 메소드 수정

- login 메소드 리턴타입 LoginResult으로 변경

    /**
     * POST /member/login: authenticates the submitted credentials and returns the outcome as
     * JSON ({@code @ResponseBody} serializes the {@link LoginResult}).
     *
     * <p>The service result map carries {@code "result"} (boolean) and, on failure,
     * {@code "because"}: {@code "1"} = another session is already active for this id,
     * {@code "2"} = credentials rejected. Only reason {@code "2"} bumps the failure counter,
     * so a duplicate-login prompt does not count toward the lockout.
     *
     * @param loginVO  submitted id, password and optional forceLogin flag
     * @param session  the caller's HTTP session
     * @param response unused here; the return value is written by the framework
     * @return the outcome the page script inspects ({@code isSuccess}, {@code because})
     */
    @ResponseBody
    @RequestMapping(value=("/member/login"), method=RequestMethod.POST )
    public LoginResult login(LoginVO loginVO, HttpSession session, HttpServletResponse response) {
        Map<String,Object> outcome = memberService.login(session, loginVO);

        boolean success = Boolean.parseBoolean(outcome.get("result").toString());

        LoginResult loginResult = new LoginResult();
        loginResult.setIsSuccess(success);

        if (success) {
            return loginResult;
        }

        String reason = outcome.get("because").toString();
        loginResult.setBecause(reason);
        if ("2".equals(reason)) {
            memberService.plusFailCount(loginVO.getId());
        }
        return loginResult;
    }
    
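    /**
     * POST /member/logout: unregisters the current member from the session store and
     * invalidates the HTTP session, then replies "OK".
     *
     * <p>Tolerates a session with no member bound (logout without a prior login) and a session
     * that has already been invalidated; the original dereferenced the member unconditionally
     * and would answer such requests with a server error.
     *
     * @param session  the caller's HTTP session
     * @param response the response the "OK" text is written to
     */
    @RequestMapping(value=("/member/logout"), method=RequestMethod.POST )
    public void logout(HttpSession session, HttpServletResponse response) {
        MemberVO member = (MemberVO) session.getAttribute(Session.MEMBER);

        if (member != null) {
            SessionStore sessionStore = SessionStore.getInstance();
            sessionStore.removeSession(member.getId());
        }

        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // Already invalidated (e.g. replaced by a forced login or timed out); nothing to release.
        }

        SendMessage.send(response, "OK");
    }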

 

SQLInjectionController

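@RequestMapping("/attack/injection/attack1")
    /**
     * SQL-injection demo page: runs a normal id/password login through the service (which
     * uses parameterized queries) and renders whether authentication succeeded.
     *
     * <p>The service now returns a map whose {@code "result"} entry is the boolean outcome;
     * the listing had ignored it and displayed a hard-coded failure.
     *
     * @param request carries the {@code id} and {@code password} form parameters
     * @return the demo view with {@code result} and {@code loginVO1} populated
     */
    public ModelAndView attack1(HttpServletRequest request) {
        LoginVO loginVO = new LoginVO();
        loginVO.setId(request.getParameter("id"));
        loginVO.setPassword(request.getParameter("password"));
        // forceLogin is left unset here; the service must treat a missing flag as "not forced".

        boolean isLoginSuccess = Boolean.TRUE.equals(
                memberService.login(request.getSession(), loginVO).get("result"));

        ModelAndView view = new ModelAndView("attack/sqlInjection/sqlInjection");
        view.addObject("result", isLoginSuccess ? "인증성공" : "인증실패");
        view.addObject("loginVO1", loginVO);

        return view;
    }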
    
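    /**
     * SQL-injection demo page variant: the id comes from the request while the password is
     * deliberately empty, then the outcome is rendered as in {@code attack1}.
     *
     * <p>Uses the {@code "result"} entry of the service's outcome map instead of the
     * hard-coded failure the listing displayed.
     *
     * @param request carries the {@code id} form parameter
     * @return the demo view with {@code result} and {@code loginVO3} populated
     */
    @RequestMapping("/attack/injection/attack3")
    public ModelAndView attack3(HttpServletRequest request) {
        LoginVO loginVO = new LoginVO();
        loginVO.setId(request.getParameter("id"));
        loginVO.setPassword("");
        // forceLogin is left unset here; the service must treat a missing flag as "not forced".

        boolean isLoginSuccess = Boolean.TRUE.equals(
                memberService.login(request.getSession(), loginVO).get("result"));

        ModelAndView view = new ModelAndView("attack/sqlInjection/sqlInjection");
        view.addObject("result", isLoginSuccess ? "인증성공" : "인증실패");
        view.addObject("loginVO3", loginVO);

        return view;
    }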

 

top.jsp 수정

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core"%>
<script type="text/javascript">
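$(document).ready(function() {

    $("div.login").hide();

    var isShow = false;

    // Toggle the login panel from the header link.
    $("span.login").click(function() {
        if(isShow) {
            $("div.login").slideUp("fast");
            isShow = false;
        }
        else {
            $("div.login").slideDown("fast");
            $("#id").focus();
            isShow = true;
        }
    });

    // Posts #loginForm to MemberController.login; onResult receives the LoginResult JSON
    // ({isSuccess, because}). "because" codes come from MemberServiceImpl.login:
    // "1" = a session for this id already exists, "2" = credentials rejected.
    function submitLogin(onResult) {
        $.post("/HuCloud/member/login", $("#loginForm").serialize(), onResult);
    }

    function goToMemberPage() {
        alert("로그인이 완료되었습니다. 페이지를 새로고침합니다.");
        location.href="/HuCloud/member";
    }

    $(".login .loginButton").click(function() {
        if( $("#id").val() == "" ) {
            alert("ID를 입력하세요!");
            $("#id").focus();
            return;
        }
        if( $("#password").val() == "" ) {
            alert("Password를 입력하세요!");
            $("#password").focus();
            return;
        }

        // A previous attempt may have left the hidden force flag set to "force"; a new
        // attempt must never evict another session unless the user confirms again below.
        $("#forceLogin").val("");

        submitLogin(function(data) {
            if(data.isSuccess){
                goToMemberPage();
                return;
            }
            if(data.because == "1"){
                if(confirm("이미 로그인 되어 있는 ID입니다.\n로그아웃 한 뒤 로그인 하시겠습니까?")){
                    $("#forceLogin").val("force");
                    submitLogin(function(data1) {
                        $("#forceLogin").val("");
                        if(data1.isSuccess){
                            goToMemberPage();
                        }
                        else {
                            alert("로그인이 실패했습니다. 아이디 혹은 비밀번호를 확인해 주세요.");
                        }
                    });
                }
            }
            else if(data.because == "2"){
                alert("로그인이 실패했습니다. 아이디 혹은 비밀번호를 확인해 주세요.");
                $("#id").focus();
            }
        });
    });

    $(".register").hide();
    fullBlock().hide();

    // Open the sign-up dialog centered in the viewport behind a dimmed overlay.
    $(".login .registButton").click(function() {

        $("span.login").click();

        var left = $(window).width() / 2;
        var top = $(window).height() / 2;

        var regWidth = 170 / 2;
        var regHeight = 170 / 2;

        fullBlock().show();

        $(".register").css({
            "top" : (top - regHeight) + "px",
            "left" : (left - regWidth) + "px"
        });

        $(".register").fadeIn("fast");
        $("#userId").focus();
    });

    // "Cancel" on the sign-up dialog.
    $(".register .loginButton").click(function() {
        fullBlock().hide();
        $(".register").fadeOut("fast");
    });

    // Client-side completeness checks, then POST the registration form.
    // These checks are a usability aid only; the server must validate again.
    $(".register .registButton").click(function() {

        if( $("#userId").val() == "" ) {
            alert("ID를 입력하세요!");
            $("#userId").focus();
            return;
        }
        if( $("#userPassword").val() == "" ) {
            alert("Password를 입력하세요!");
            $("#userPassword").focus();
            return;
        }
        if( $("#userPasswordConfirm").val() == "" ) {
            alert("Password를 입력하세요!");
            $("#userPasswordConfirm").focus();
            return;
        }
        if( $("#userName").val() == "" ) {
            alert("Name을 입력하세요!");
            $("#userName").focus();
            return;
        }

        if( $("#userPassword").val() != $("#userPasswordConfirm").val() ) {
            alert("Password 가 일치하지 않습니다!");
            return;
        }

        $.post("/HuCloud/member/registry", $("#registerForm").serialize(), function(data) {
            if(data == "OK") {
                alert("회원가입이 완료되었습니다!");
                $("span.login").click();
                $("#id").val($("#userId").val());
                $("#password").focus();
            }
        });

        $(".register .loginButton").click();
    });

});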
 
// Stretches the .blockDiv overlay to the current viewport and dims it, then returns the
// jQuery wrapper so callers can chain show()/hide().
function fullBlock() {
    var viewport = $(window);
    var overlay = $(".blockDiv");

    overlay.css({
        "width" : viewport.width() + "px",
        "height": viewport.height() + "px",
        "opacity" : "0.5"
    });

    return overlay;
}
 
</script>
<div class="blockDiv"></div>
<div class="login">
    <div class="wrapper">
        <form id="loginForm" name="loginForm">
            <input type="hidden" name="forceLogin" id="forceLogin" value=""/>
            <input type="text" name="id" id="id" class="tip" data-tip="SQL Injection 가능 : admin' --<br/>로그인 공격 가능" placeholder="ID" />
            <input type="password" name="password" id="password" placeholder="Password"/>
            <span class="button loginButton">Login</span>
            <span class="button registButton">Sign Up</span>
        </form>
    </div>
</div>
<div class="register">
    <form id="registerForm" name="registerForm">
        <input type="text" name="userId" id="userId" placeholder="ID"/><br/>
        <div class="spacer"></div>
        <input type="password" name="userPassword" id="userPassword" placeholder="Password"/><br/>
        <div class="spacer"></div>
        <input type="password" name="userPasswordConfirm" id="userPasswordConfirm" placeholder="Password Confirm"/><br/>
        <div class="spacer"></div>
        <input type="text" name="userName" id="userName" placeholder="name"/><br/>
        <div class="spacer"></div>
        <span class="button registButton">Sign Up</span>
        <span class="button loginButton">Cancel</span>
    </form>
</div>
<div class="wrapper">
    <div style="vertical-align: top;">
        <a href="/HuCloud"><img src="/HuCloud/resources/img/hucloud-logo_60.png" style="float:left;" /></a>
        <img src="/HuCloud/resources/img/security.PNG" width="130" style="float:left;padding-top:5px;"/>
        <span class="login link" style="float:right;padding-top: 5px; padding-right: 5px;">Login</span>
        <div style="clear:both;"></div>
    </div>
    <div class="spacer"></div>
    <c:import url="/common/menu" />
</div>
<div class="tooltip"></div>


 

     

