Securing webapp

asked 2016-01-31 12:45:45 +0800

DMH

Is it okay to use only the Session object to keep a web app secure?

As in, there is an init class that always verifies whether the current user has enough permissions for what it's doing? Or am I required to implement something like Spring Security?



2 Answers


answered 2016-02-20 15:04:34 +0800

terrytornado (Germany)

You can do it with your own implementation, but with Spring Security it's easier.

Attached is a sample where you can see how to secure a zul file with a PageInitializer. In my case I use Spring in the logic, but you can modify such things to your own session handling.


. . .
<!-- ##### Oxitec spring secured page initializer. Redirect to 'accessDenied.zul' page. ##### -->
<?init class="de.oxitec.zkboost.web.utils.security.authentication.OXSpringSecurityHandlePageInit" right="ox_mod_appsettings.can_view" ?>

<zk xmlns="http://www.zkoss.org/2005/zul" xmlns:h="http://www.w3.org/1999/xhtml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:w="http://www.zkoss.org/2005/zk/client"
    xsi:schemaLocation="http://www.zkoss.org/2005/zul http://www.zkoss.org/2005/zul/zul.xsd">

. . .

JAVA: PageInitializer (see ZK Initiator interface)

import java.io.Serializable;
import java.util.Map;

import org.slf4j.Logger;          // logging facade assumed to be slf4j (matches LoggerFactory.getLogger)
import org.slf4j.LoggerFactory;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.Page;
import org.zkoss.zk.ui.util.Initiator;
import org.zkoss.zk.ui.util.InitiatorExt;

import de.oxitec.zkboost.web.utils.properties.OXSystemProperties;
// OXAuthUtils is a project helper of the same code base; its import was not shown in the post.

/**
 * Page initializer secured by spring security. <br>
 * -------------------------------------------------------<br>
 * If the page initializer doesn't find the right it redirects to the
 * 'accessDeniedPage' page which is defined in the <br>
 * src/main/resources/ox-system.properties from the main web application.<br>
 * If NO right attribute is set, then the page will be rendered without checking the right.<br>
 * <PRE>
 * &lt;?init class="de.oxitec.zkboost.web.utils.security.authentication.OXSpringSecurityHandlePageInit" right="ox_mod_appsettings.can_view" ?&gt;
 * &lt;zk xmlns="http://www.zkoss.org/2005/zul" xmlns:h="http://www.w3.org/1999/xhtml" ...
 * </PRE>
 * Or with a custom target for failed authentication.
 * <PRE>
 * &lt;?init class="de.oxitec.zkboost.web.utils.security.authentication.OXSpringSecurityHandlePageInit" right="ox_mod_appsettings.can_view" failedTarget="/myPage.zul"?&gt;
 * &lt;zk xmlns="http://www.zkoss.org/2005/zul" xmlns:h="http://www.w3.org/1999/xhtml" ...
 * </PRE>
 *
 * @author Stephan Gerth
 */
public class OXSpringSecurityHandlePageInit implements Initiator, InitiatorExt, Serializable {

    private static final Logger log = LoggerFactory.getLogger(OXSpringSecurityHandlePageInit.class);

    /** Serial Version UID. */
    private static final long serialVersionUID = 1L;

    @Override
    public void doInit(Page page, Map<String, Object> args) throws Exception {

        // init
        String _rightName, _target, _redirectPage = "";

        if (args.containsKey("right")) {
            _rightName = (String) args.get("right");

            if (!OXAuthUtils.isAllowed(_rightName)) {

                // default target comes from ox-system.properties
                _redirectPage = OXSystemProperties.getInstance().getSystemProperty("accessDeniedPage", "/");
                log.debug("redirectPage from ox-system.properties for access denied: " + _redirectPage);

                // an explicit failedTarget attribute on the <?init?> directive overrides it
                if (args.containsKey("failedTarget")) {
                    _target = (String) args.get("failedTarget");
                    if (_target != null && !_target.isEmpty()) {
                        _redirectPage = _target;
                    }
                }

                // Redirect to page. The redirect call itself was lost in the post;
                // ZK's Executions.sendRedirect is the standard way to do it.
                Executions.sendRedirect(_redirectPage);

            } else {
                // right is granted: the page is rendered normally
                log.debug("The users right for initializing the page is sufficient.");
            }
        } else {
            log.debug("A right for securing the page is not set!");
        }
    }

    @Override
    public void doAfterCompose(Page page, Component[] comps) throws Exception {
        // nothing to do after the components are composed
    }

    @Override
    public boolean doCatch(Throwable ex) throws Exception {
        return false; // let the exception propagate
    }

    @Override
    public void doFinally() throws Exception {
        // nothing to clean up
    }
}

best Stephan

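A session-only variant of the same idea, as an added example that is not code from the answer above or from the Oxitec project: the initiator reads the granted rights from the ZK Session instead of Spring Security. It assumes the login code stores a Set of right names under the constructed session attribute name "permissions", and, unlike the sample, it fails closed when the right attribute is missing.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.Set;

import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.Page;
import org.zkoss.zk.ui.Session;
import org.zkoss.zk.ui.Sessions;
import org.zkoss.zk.ui.util.Initiator;

/**
 * Used from a zul file as:
 *   &lt;?init class="SessionRightPageInit" right="ox_mod_appsettings.can_view"?&gt;
 * The login code is assumed to have put a Set&lt;String&gt; of granted right names
 * into the session attribute "permissions" (name constructed for this example).
 */
public class SessionRightPageInit implements Initiator, Serializable {

    private static final long serialVersionUID = 1L;
    static final String PERMISSIONS_ATTR = "permissions";   // assumed attribute name
    static final String DENIED_PAGE = "/accessDenied.zul";  // same target as the sample

    /** True only if the current session holds the named right; any missing piece means "no". */
    static boolean hasRight(Session session, String rightName) {
        if (session == null || rightName == null) {
            return false;
        }
        Object granted = session.getAttribute(PERMISSIONS_ATTR);
        if (!(granted instanceof Set)) {
            return false; // not logged in, or attribute never set: deny
        }
        return ((Set<?>) granted).contains(rightName);
    }

    @Override
    public void doInit(Page page, Map<String, Object> args) throws Exception {
        // Fail closed: a zul that forgets the right attribute is denied, not rendered.
        Object right = args.get("right");
        if (!(right instanceof String) || !hasRight(Sessions.getCurrent(), (String) right)) {
            Executions.sendRedirect(DENIED_PAGE);
        }
        // This guards page rendering only. Composer methods and event listeners that
        // perform sensitive actions must call hasRight(...) again before acting.
    }
}
```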

answered 2016-01-31 15:52:03 +0800

Darksu

Hello DMH,

It depends on the security policy that you wish to enforce, but in my opinion you should also use Spring Security.

Best Regards,




Can you provide an example implementation of Spring Security in ZKoss? The example I found leads to an older source code repository which is no longer active.

DMH (2016-01-31 21:12:29 +0800)

Asked: 2016-01-31 12:45:45 +0800

Seen: 41 times

Last updated: Feb 20 '16
