1.
Error:
Multiple annotations found at this line:
- cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'security:http'.
- You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema or spring-security-3.2.xsd schema or spring-security-4.0.xsd schema with Spring Security 5.4. Please update your schema declarations to the 5.4 schema.
- schema_reference.4: Failed to read schema document 'http://www.springframework.org/schema/security/spring-security-5.5.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.
- Configuration problem: You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema or spring-security-3.2.xsd schema or spring-security-4.0.xsd schema with Spring Security 5.4. Please update your schema declarations to the 5.4 schema. Offending resource: file [D:/2021_Spring/Web project/JejuIsland/JeJu/src/main/webapp/WEB-INF/spring/security-context.xml]
Solution:
This is a configuration error in security-context.xml.
Remove the version from the schema declaration (that is, point xsi:schemaLocation at spring-security.xsd with no version suffix).
2.
Error:
error: Failed to evaluate expression 'ROLE_USER'
Solution:
Add hasRole. The access attribute is evaluated as an expression, so a bare role name cannot be evaluated.
<security:intercept-url pattern="/**" access="ROLE_USER" />
Change it as follows:
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
3.
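Error:
error: There is no PasswordEncoder mapped for the id "null"
Solution:
From Spring version 5 onward, an identifier must be placed in front of the password.
If you are not using encryption, add {noop} (the password is then stored and compared as plain text).
The authorities attribute takes the plain authority name, not an expression.
<security:user name="guest" password="{noop}guest" authorities="ROLE_USER"/>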
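How the {id} prefix is resolved, as an added example that is not part of the original post: a small Java program that reproduces the error with an unprefixed value, shows {noop} matching, and generates a prefixed hash that can replace the plain-text value. It assumes spring-security-crypto 5.x is on the classpath; the class name PasswordPrefixDemo is hypothetical.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical demo class (not from the original post).
public class PasswordPrefixDemo {

    public static void main(String[] args) {
        // The delegating encoder picks the real encoder from the
        // "{id}" prefix of the stored password value.
        PasswordEncoder encoder =
                PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // 1) Stored value without a prefix: no id can be extracted,
        //    so the lookup fails with the error from this section.
        try {
            encoder.matches("guest", "guest");
        } catch (IllegalArgumentException e) {
            System.out.println("no prefix -> " + e.getMessage());
        }

        // 2) {noop}: the stored value is compared as plain text.
        boolean noopOk = encoder.matches("guest", "{noop}guest");
        System.out.println("{noop}    -> matches = " + noopOk);

        // 3) encode() returns a salted hash that already carries its
        //    own prefix; paste the printed value into the password
        //    attribute instead of "{noop}guest".
        String stored = encoder.encode("guest");
        System.out.println("encode()  -> " + stored);
        System.out.println("hashed    -> matches = "
                + encoder.matches("guest", stored));

        // A wrong password is rejected for both stored forms.
        System.out.println("wrong pw  -> matches = "
                + encoder.matches("wrong", stored));
    }
}
```

The hash printed in step 3 differs on every run because a new salt is generated each time; any of the printed values verifies the same password.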
4.
Error:
error: org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlocklistedUrls(StrictHttpFirewall.java:456)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:429)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:196)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1726)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
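Cause:
The Spring Security version was also upgraded, and it now treats the ';' character as one that can trigger XSS (cross-site scripting).
As the attached screenshot shows, the session ID value is appended to the end of the path, and that is what causes the problem.
The session ID is appended because, on a Tomcat server, the JSTL <c:url/> tag adds the session ID on the first call.
When a new session is created, the server cannot know whether the client supports cookies, so the jsessionid is set both in a cookie and in the URL.
Solution:
Add the following session-config to web.xml. With the tracking mode limited to COOKIE, the container no longer appends ;jsessionid to URLs.
<session-config>
    <session-timeout>600</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>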