spring security 4 integration

answered 2016-08-10 02:08:21 +0800

Col
135 ● 1 ● 6

updated 2016-08-10 02:14:09 +0800

Hi dmenz,

We have just moved one of our projects from Spring Security 3 to 4. There were a few hurdles to be jumped and I will try to remember them all here. If I end up leaving anything out feel free to ask further questions.

• If you are using zkspring-core and/or zkspring-security you don't need to anymore.

• This has nothing to do with zk but if you are using j_username and j_password in your login.zul you'll need to change the form-login tag in your security context. More details here.

• To put authorized roles/permissions in the ZK session I created a custom AuthenticationSuccessHandler:

public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession session = request.getSession();
        session.setAttribute("user", authentication.getName());
        session.setAttribute("authorities", authentication.getAuthorities());
        new DefaultRedirectStrategy().sendRedirect(request, response, "/index.zul");
    }

Obviously you'll need to add the MyAuthenticationSuccessHandler to your sping security context.

In your ZK models you can now retrieve your authorities:

     Session session = (Session) Sessions.getCurrent();
        Collection<grantedauthority> authorities = (Collection<grantedauthority>) session
                .getAttribute("authorities");

Hope that helps. Yell if you need clarification on anything.

answered 2016-08-18 04:20:34 +0800

Col
135 ● 1 ● 6

updated 2016-08-18 04:24:30 +0800

I have put security in the zul page but not via taglib. I used standard MVVM functionality.

mission.zul

< window apply="org.zkoss.bin.BindComposer" viewModel="@id('vm') @init('com.imf.MissionVM')" >
    < label value="Your mission should you choose to accept it ..." if="${vm.canViewMissionBriefing}" />
< / window >

MissionVM.java

public class MissionVM {
 
public boolean getCanViewMissionBriefing() {
    return isAuthorised("canViewMissionBriefing");
}

private boolean isAuthorised(String permission) {
    if (permission == null)
    return false;

Session session = (Session) Sessions.getCurrent();
Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) session.getAttribute("authorities");
for (Iterator<GrantedAuthority> iterator = authorities.iterator(); iterator.hasNext();) {
    GrantedAuthority authority = iterator.next();
    if (permission.equals(authority.getAuthority())
        return true;

    return false;
}
 
}

We use the user - roles - permission database configuration as per this article. So if 'Ethan Hunt' is a user, he might have a role of 'IMF Member' and permission of 'canViewMissionBriefing'.

As before, let me know if you want me to clarify anything.