
잘못된 접근 제한(사용자의 행동 기록)

바바옄 2015. 4. 24. 13:53

사용자의 행동 기록

1. 사용자가 메뉴를 사용할 때 모든 행위는 기록되어야 한다.

  • 아이디
  • 시간
  • 접근한 IP
  • 접근한 Menu
  • 실행한 Action(CRUD)

2. 권한이 없는 사용자는 그 메뉴자체를 보여주지 않아야 한다.
삭제에 대한 권한이 없는 사용자에게 삭제 버튼을 보여주어서는 안된다.
URL을 통한 접근을 시도할 때, 현재 요청자가 그 기능에 대한 권한이 있는지 체크하고 없다면 서비스를 거부해야한다.

 

1. 사용자의 행동을 Console창에 log로 보여주기(실무에서는 DB에 저장 함).

ActionHistoryInterceptor class 생성

package kr.co.hucloud.security.code.example.common.interceptor;
 
import java.util.Date;
 
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
 
import kr.co.hucloud.security.code.example.common.Session;
import kr.co.hucloud.security.code.example.member.vo.MemberVO;
 
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
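public class ActionHistoryInterceptor extends HandlerInterceptorAdapter {

    /** Value written in the user-id column when nobody is logged in. */
    private static final String ANONYMOUS_ID = "";

    /**
     * Writes one audit line per request, before the controller runs, in the form
     * {@code userId, time, clientIp, requestUri, action}.
     * <p>
     * The line is printed to stdout here; the article states that a real deployment
     * would store it in a database instead.
     *
     * @param request  current request; the client IP is taken from
     *                 {@link HttpServletRequest#getRemoteAddr()}, which is the address of the
     *                 last network hop (a reverse proxy, if one sits in front of the server)
     * @param response unused here, passed through to the superclass
     * @param handler  the resolved handler; its {@code toString()} is used to derive the action
     * @return whatever {@code super.preHandle} returns (the request continues)
     * @throws Exception propagated from the superclass
     */
    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        String userId = getUserId(request);
        String dateTime = new Date().toString();
        String userIp = request.getRemoteAddr();
        // Request URI only (no scheme/host, e.g. "/board/list"); stands in for the accessed menu.
        String accessUrl = request.getRequestURI();
        // Tail of the handler's string form; stands in for the executed CRUD action.
        String action = getAction(handler);

        // Every field that can carry request- or user-supplied text is sanitised so that a
        // CR/LF inside it cannot forge an extra audit line (log injection).
        String logMessage = String.format("%s, %s, %s, %s, %s",
                sanitize(userId), dateTime, sanitize(userIp), sanitize(accessUrl), sanitize(action));

        System.out.println(logMessage);

        return super.preHandle(request, response, handler);
    }

    /**
     * Returns the id of the logged-in member, or {@link #ANONYMOUS_ID} when there is no
     * session or no member stored in it.
     * <p>
     * Uses {@code getSession(false)} so that merely logging a request does not create a
     * session for anonymous callers; {@code getSession()} would create one on every hit.
     *
     * @param request current request
     * @return member id, or {@code ""} for anonymous requests
     */
    private String getUserId(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return ANONYMOUS_ID;
        }

        MemberVO memberVO = (MemberVO) session.getAttribute(Session.MEMBER);
        if (memberVO == null) {
            return ANONYMOUS_ID;
        }

        return memberVO.getId();
    }

    /**
     * Derives the action name from the handler: the text after the last {@code '.'} of
     * {@code handler.toString()}. NOTE(review): for a Spring handler method this looks like
     * the tail of the method's string form rather than the HTTP method — confirm against the
     * Spring version in use if the column is relied upon.
     *
     * @param handler resolved handler, may be {@code null}
     * @return last dot-separated segment, the whole string if it has no dot, or {@code ""}
     *         for a {@code null} handler
     */
    private String getAction(Object handler) {
        if (handler == null) {
            return "";
        }

        String classMethod = handler.toString();
        int lastDot = classMethod.lastIndexOf('.');
        return lastDot < 0 ? classMethod : classMethod.substring(lastDot + 1);
    }

    /**
     * Replaces control characters (including CR and LF) in a log field with {@code '_'} so
     * that one request always produces exactly one audit line.
     *
     * @param value field text, may be {@code null} (rendered as {@code "null"}, as
     *              {@code String.format} would)
     * @return the field with control characters replaced
     */
    private static String sanitize(String value) {
        return String.valueOf(value).replaceAll("\\p{Cntrl}", "_");
    }
}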
 

dispatcherServlet.xml 에 historyInterceptor bean 추가

<?xml version="1.0" encoding="UTF-8"?>
<!-- DispatcherServlet context: view resolution, static resources, interceptors,
     multipart handling and the web controllers of the example application. -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd">
 
    <mvc:annotation-driven />
 
    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/view/" />
        <property name="suffix" value=".jsp" />
    </bean>
    
    <mvc:resources mapping="/resources/**" location="/WEB-INF/resources/" />
    
    <mvc:interceptors>
        <!-- Login check for everything except the public pages listed below. -->
        <mvc:interceptor>
            <mvc:mapping path="/**" />
            <mvc:exclude-mapping path="/"/>
            <mvc:exclude-mapping path="/common/top"/>
            <mvc:exclude-mapping path="/common/bottom"/>
            <mvc:exclude-mapping path="/common/menu"/>
            <mvc:exclude-mapping path="/resources/**"/>
            <mvc:exclude-mapping path="/member/login"/>
            <mvc:exclude-mapping path="/member/registry"/>
            <bean id="loginInterceptor" class="kr.co.hucloud.security.code.example.common.interceptor.LoginInterceptor" />
        </mvc:interceptor>
        
            <!-- Improper access restriction: user action history.
                 Declared without an <mvc:interceptor>/<mvc:mapping> wrapper, so it runs for
                 every request of this DispatcherServlet, including the paths excluded from
                 loginInterceptor above (those requests are logged with an empty user id). -->
            <bean id="historyInterceptor" class="kr.co.hucloud.security.code.example.common.interceptor.ActionHistoryInterceptor"/>
 
    </mvc:interceptors>    
    <!-- CSRF interceptor is disabled in this configuration (kept commented out). -->
    <!--<mvc:interceptors>
        <mvc:interceptor>
            <mvc:mapping path="/**" />
            <mvc:exclude-mapping path="/member/login"/>
            <mvc:exclude-mapping path="/member/registry"/>
            <mvc:exclude-mapping path="/member/logout"/>
            <bean id="csrfInterceptor" class="kr.co.hucloud.security.code.example.common.interceptor.CSRFInterceptor" />
        </mvc:interceptor>
    </mvc:interceptors> -->
    
    <bean id="multipartResolver"
          class="org.springframework.web.multipart.commons.CommonsMultipartResolver" >
        <property name="maxUploadSize" value="104857600" /> <!-- 100MB -->
        <property name="defaultEncoding" value="UTF-8" />
    </bean>
    
    <!-- Controllers -->
    <bean id="commonController" class="kr.co.hucloud.security.code.example.common.web.CommonController" />
    
    <bean id="indexController"  class="kr.co.hucloud.security.code.example.index.web.IndexController">
           <property name="tableValidService" ref="tableValidService" />
    </bean>
    <bean id="tableController"  class="kr.co.hucloud.security.code.example.valid.table.web.TableController">
           <property name="tableValidService" ref="tableValidService" />
    </bean>
    <bean id="memberController"  class="kr.co.hucloud.security.code.example.member.web.MemberController">
        <property name="memberService" ref="memberService" />
    </bean>
    <bean id="boardController"     class="kr.co.hucloud.security.code.example.board.web.BoardController">
        <property name="boardService" ref="boardService" />
        <property name="replyService" ref="replyService" />
    </bean>
    <bean id="replyController"     class="kr.co.hucloud.security.code.example.reply.web.ReplyController">
        <property name="replyService" ref="replyService" />
    </bean>
    
    <!-- Example controllers for the individual secure-coding topics covered by this series. -->
    <bean id="sqlInjectionController"  class="kr.co.hucloud.security.code.example.attack.sql.injection.web.SQLInjectionController">
        <property name="memberService" ref="memberService" />
    </bean>
    <bean id="passwordController"  class="kr.co.hucloud.security.code.example.attack.check.password.web.PasswordController" />
    <bean id="xssController"  class="kr.co.hucloud.security.code.example.attack.xss.web.XSSController">
        <property name="boardService" ref="boardService" />
    </bean>
    <bean id="encryptoPasswordController" class="kr.co.hucloud.security.code.example.encrypto.password.web.EncryptoPasswordController">
        <property name="encryptoPasswordService" ref="encryptoPasswordService" />
    </bean>
    <bean id="openRedirectController" class="kr.co.hucloud.security.code.example.attack.openredirect.OpenRedirectController" />
    
</beans>
 
