0

spring security 4 integration

asked 2016-07-27 02:03:11 +0800

dmenz gravatar image dmenz
1

Is there a plan to support spring security 4 in the near future? We are working on a project utilising spring security and would like to use spring security 4, rather than 3

delete flag offensive retag edit

3 Answers

Sort by ยป oldest newest most voted
0

answered 2016-08-10 02:08:21 +0800

Col gravatar image Col
135 1 6

updated 2016-08-10 02:14:09 +0800

Hi dmenz,

We have just moved one of our projects from Spring Security 3 to 4. There were a few hurdles to be jumped and I will try to remember them all here. If I end up leaving anything out feel free to ask further questions.

  • If you are using zkspring-core and/or zkspring-security you don't need to anymore.

  • This has nothing to do with zk but if you are using j_username and j_password in your login.zul you'll need to change the form-login tag in your security context. More details here.

  • To put authorized roles/permissions in the ZK session I created a custom AuthenticationSuccessHandler:

public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession session = request.getSession();
        session.setAttribute("user", authentication.getName());
        session.setAttribute("authorities", authentication.getAuthorities());
        new DefaultRedirectStrategy().sendRedirect(request, response, "/index.zul");
    }

Obviously you'll need to add the MyAuthenticationSuccessHandler to your sping security context.

In your ZK models you can now retrieve your authorities:

     Session session = (Session) Sessions.getCurrent();
        Collection<grantedauthority> authorities = (Collection<grantedauthority>) session
                .getAttribute("authorities");

Hope that helps. Yell if you need clarification on anything.

link publish delete flag offensive edit
0

answered 2016-08-17 05:21:18 +0800

dmenz gravatar image dmenz
1

Thanks for the information Col, I will attempt this solution. Also, are you putting security within the zul pages? If so, have you created a custom ZK taglib to do so?

link publish delete flag offensive edit
0

answered 2016-08-18 04:20:34 +0800

Col gravatar image Col
135 1 6

updated 2016-08-18 04:24:30 +0800

I have put security in the zul page but not via taglib. I used standard MVVM functionality.

mission.zul


< window apply="org.zkoss.bin.BindComposer" viewModel="@id('vm') @init('com.imf.MissionVM')" >
    < label value="Your mission should you choose to accept it ..." if="${vm.canViewMissionBriefing}" />
< / window >

MissionVM.java


public class MissionVM {

public boolean getCanViewMissionBriefing() {
    return isAuthorised("canViewMissionBriefing");
}

private boolean isAuthorised(String permission) {
    if (permission == null)
    return false;

Session session = (Session) Sessions.getCurrent();
Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) session.getAttribute("authorities");
for (Iterator<GrantedAuthority> iterator = authorities.iterator(); iterator.hasNext();) {
    GrantedAuthority authority = iterator.next();
    if (permission.equals(authority.getAuthority())
        return true;

    return false;
}

}

We use the user - roles - permission database configuration as per this article. So if 'Ethan Hunt' is a user, he might have a role of 'IMF Member' and permission of 'canViewMissionBriefing'.

As before, let me know if you want me to clarify anything.

link publish delete flag offensive edit
Your answer
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow
2 followers

RSS

Stats

Asked: 2016-07-27 02:03:11 +0800

Seen: 57 times

Last updated: Aug 18 '16

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More