Is it okay to use only the Session object to keep a web app secure?
As in, there is an init class that always verifies whether the current user has enough permissions for what it's doing? Or am I required to implement something like Spring Security?
Thanks.
You can do it with your own implementation, but with Spring Security it's easier.
Attached is a sample where you can see how to secure a zul file with a PageInitializer. In my case I use Spring in the logic, but you can modify such things to your own session handling.
zul:
. . .
<!-- ##### Oxitec spring secured page initializer. Redirect to 'accessDenied.zul' page. ##### -->
<?init class="de.oxitec.zkboost.web.utils.security.authentication.OXSpringSecurityHandlePageInit" right="ox_mod_appsettings.can_view" ?>
<zk xmlns="http://www.zkoss.org/2005/zul" xmlns:h="http://www.w3.org/1999/xhtml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:w="http://www.zkoss.org/2005/zk/client"
xmlns:n="http://www.zkoss.org/2005/zk/native"
xsi:schemaLocation="http://www.zkoss.org/2005/zul http://www.zkoss.org/2005/zul/zul.xsd">
<window>
. . .
JAVA: PageInitializer (see ZK Initiator interface)
package de.oxitec.zkboost.web.utils.security.authentication;

import java.io.Serializable;
import java.util.Map;

import org.slf4j.Logger;          // SLF4J, matching LoggerFactory.getLogger(Class) below
import org.slf4j.LoggerFactory;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.Page;
import org.zkoss.zk.ui.util.Initiator;
import org.zkoss.zk.ui.util.InitiatorExt;

import de.oxitec.zkboost.web.utils.properties.OXSystemProperties;
// OXAuthUtils lives in this package (no import needed): it asks Spring Security
// whether the current principal holds the named right.

/**
 * Page initializer secured by Spring Security. <br>
 * -------------------------------------------------------<br>
 * If the page initializer doesn't find the right, it redirects to the
 * 'accessDeniedPage' page which is defined in the <br>
 * src/main/resources/ox-system.properties of the main web application.<br>
 * If NO right attribute is set, the page is rendered without checking any right.<br>
 * <PRE>
 * &lt;?init class="de.oxitec.zkboost.web.utils.security.authentication.OXSpringSecurityHandlePageInit" right="ox_mod_appsettings.can_view" ?&gt;
 * &lt;zk xmlns="http://www.zkoss.org/2005/zul" xmlns:h="http://www.w3.org/1999/xhtml" ...
 * </PRE>
 *
 * Or with a custom target for failed authorization:
 * <PRE>
 * &lt;?init class="de.oxitec.zkboost.web.utils.security.authentication.OXSpringSecurityHandlePageInit" right="ox_mod_appsettings.can_view" failedTarget="/myPage.zul"?&gt;
 * &lt;zk xmlns="http://www.zkoss.org/2005/zul" xmlns:h="http://www.w3.org/1999/xhtml" ...
 * </PRE>
 * @author Stephan Gerth
 */
public class OXSpringSecurityHandlePageInit implements Initiator, InitiatorExt, Serializable {
    private static final Logger log = LoggerFactory.getLogger(OXSpringSecurityHandlePageInit.class);
    /**
     * Serial Version UID.
     */
    private static final long serialVersionUID = 1L;

    /**
     * Called by ZK before the page's components are created. The attributes of the
     * &lt;?init ... ?&gt; directive arrive in {@code args}.
     */
    @Override
    public void doInit(Page page, Map<String, Object> args) throws Exception {
        String _rightName, _target, _redirectPage = "";
        if (args.containsKey("right")) {
            _rightName = (String) args.get("right");
            if (!OXAuthUtils.isAllowed(_rightName)) {
                // Default target from ox-system.properties, overridable per page via failedTarget.
                _redirectPage = OXSystemProperties.getInstance().getSystemProperty("accessDeniedPage", "/");
                log.debug("redirectPage from ox-system.properties for access denied: " + _redirectPage);
                if (args.containsKey("failedTarget")) {
                    _target = (String) args.get("failedTarget");
                    if (_target != null && !_target.isEmpty()) {
                        _redirectPage = _target;
                    }
                }
                log.debug("The user's right '" + _rightName + "' for initializing the page is not sufficient, redirecting to " + _redirectPage);
                // Redirect. ZK aborts the rest of the page creation after sendRedirect,
                // so no component of the secured page is composed or sent to the client.
                Executions.getCurrent().sendRedirect(_redirectPage);
            } else {
                log.debug("Right '" + _rightName + "' granted, rendering the page.");
            }
        } else {
            log.debug("A right for securing the page is not set!");
        }
    }

    @Override
    public void doAfterCompose(Page page, Component[] comps) throws Exception {
        // Nothing to do after composition; the check happens in doInit.
    }

    @Override
    public boolean doCatch(Throwable ex) throws Exception {
        // Returning false lets ZK handle the exception normally.
        return false;
    }

    @Override
    public void doFinally() throws Exception {
    }
}
best Stephan
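For the "own session handling" variant the answer mentions, here is an added example (not from the original post or from the ZKBoost project) of the same idea without Spring Security: a ZK Initiator that reads the logged-in user's rights from the ZK Session. It differs from the code above in two security-relevant ways that a practitioner would want: it fails closed when a page forgets to declare a `right`, and it only accepts an application-local path as the redirect target. The session attribute name `user.rights`, the `Set<String>` stored under it by the login code, and the `/login.zul` and `/accessDenied.zul` pages are assumptions made for the example.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.Set;

import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.Page;
import org.zkoss.zk.ui.Session;
import org.zkoss.zk.ui.Sessions;
import org.zkoss.zk.ui.util.Initiator;

/**
 * Session-based page initializer (example code, not part of ZKBoost).
 *
 * Assumptions, not taken from the original post:
 *  - after a successful login the application stores a Set<String> of right
 *    names in the ZK session under SESSION_RIGHTS_KEY;
 *  - "/login.zul" and "/accessDenied.zul" exist in the web application.
 *
 * Usage in a zul file:
 *   <?init class="SessionRightPageInit" right="appsettings.can_view"?>
 */
public class SessionRightPageInit implements Initiator, Serializable {
    private static final long serialVersionUID = 1L;

    /** Assumed session attribute holding the current user's rights. */
    public static final String SESSION_RIGHTS_KEY = "user.rights";
    private static final String LOGIN_PAGE = "/login.zul";
    private static final String DENIED_PAGE = "/accessDenied.zul";

    @Override
    public void doInit(Page page, Map<String, Object> args) throws Exception {
        // Fail closed: a page that uses this initializer must say which right it needs.
        Object declared = args.get("right");
        if (declared == null || declared.toString().trim().isEmpty()) {
            throw new IllegalStateException("Page " + page.getRequestPath() + " uses "
                    + getClass().getSimpleName() + " but declares no 'right' attribute");
        }

        Set<String> rights = rightsOf(Sessions.getCurrent());
        if (rights == null) {
            // No authenticated user in this session: go to login, not "access denied".
            Executions.getCurrent().sendRedirect(LOGIN_PAGE);
            return;
        }

        if (!rights.contains(declared.toString().trim())) {
            Executions.getCurrent().sendRedirect(safeTarget(args.get("failedTarget")));
        }
        // Otherwise fall through and let ZK compose the page.
    }

    /** Rights the login code stored in the session, or null when nobody is logged in. */
    @SuppressWarnings("unchecked")
    static Set<String> rightsOf(Session session) {
        if (session == null) {
            return null;
        }
        Object attr = session.getAttribute(SESSION_RIGHTS_KEY);
        return attr instanceof Set ? (Set<String>) attr : null;
    }

    /**
     * Accept only an application-local path ("/something") as the failure target,
     * so a misconfigured failedTarget cannot turn the redirect into a redirect to
     * another host (e.g. "//evil.example" or "https://evil.example").
     */
    static String safeTarget(Object failedTarget) {
        if (failedTarget == null) {
            return DENIED_PAGE;
        }
        String t = failedTarget.toString().trim();
        boolean local = t.startsWith("/") && !t.startsWith("//")
                && !t.contains(":") && !t.contains("\\");
        return local ? t : DENIED_PAGE;
    }
}
```

The check in `doInit` is per page, so every zul file that needs protection has to carry the `<?init ... right="..."?>` directive; the thrown `IllegalStateException` makes a forgotten attribute visible at first request instead of silently rendering the page.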
Hello DMH,
It depends on the security policy that you wish to enforce, but in my opinion you should also use Spring Security.
Best Regards,
Darksu
Asked: 2016-01-31 12:45:45 +0800
Seen: 41 times
Last updated: Feb 20 '16