
ZK and Spring Security 2

asked 2008-06-03 14:19:51 +0800

admin (ZK Team)

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5004970

By: fredrikoe

Hi!

I'm trying to configure Spring Security 2.0.1 (former Acegi) with ZK 3.0.5.
Since a lot of things changed when Acegi became Spring Security the Small Talks about this subject are not of much use.

However, by following the example bundled with Spring Security I have managed to configure it with ZK using this interceptor:
<intercept-url pattern="/zkau/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
which is similar to this one in Acegi:
/zkau/*=ROLE_ANONYMOUS,admin,user

Things seem to work as they should except for one thing. When I log out and then immediately try to log in again I get the following exception:

java.lang.IllegalStateException: getAttribute: Session already invalidated
org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1032)
org.apache.catalina.session.StandardSessionFacade.getAttribute(StandardSessionFacade.java:110)
org.zkoss.zk.ui.http.SimpleSession.getAttribute(SimpleSession.java:205)
org.zkoss.zk.ui.sys.SessionsCtrl.requestEnter(SessionsCtrl.java:59)
org.zkoss.zk.ui.http.DHtmlLayoutServlet.doGet(DHtmlLayoutServlet.java:158)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:359)
org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.rememberme.RememberMeProcessingFilter.doFilterHttp(RememberMeProcessingFilter.java:116)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.basicauth.BasicProcessingFilter.doFilterHttp(BasicProcessingFilter.java:172)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:268)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:87)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:61)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.concurrent.ConcurrentSessionFilter.doFilterHttp(ConcurrentSessionFilter.java:97)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)

Does anyone have a hint on what could cause this?

Thanks.

/ Fredrik




8 Replies


answered 2008-06-11 02:48:15 +0800

admin (ZK Team)

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5022261

By: ricardovisk

I think ZK is not compatible with Spring Security yet.
Only for Acegi Security.


answered 2008-06-20 13:25:42 +0800

admin (ZK Team)

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5044129

By: vinny223

I am just finishing a couple of classes to make ZK work with Spring Security.
How do I go about posting them to get integrated into ZK?

Thanks,

Vinny


answered 2008-06-22 06:50:02 +0800

admin (ZK Team)

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5046683

By: henrichen

Hi Vinny,

You can send codes to me (henrichen AT zkoss DOT org). Would you like to write an article (ZK smalltalks) regarding how to integrate ZK with Spring Security?
We can publish it on the ZK website. It will be very useful to the community.

/henri



answered 2008-06-22 16:11:50 +0800

admin (ZK Team)

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5047562

By: vinny223

I posted the code in the tracker:
http://sourceforge.net/tracker/index.php?func=detail&aid=1998941&group_id=152762&atid=828172

You can make it work follow:
http://www.zkoss.org/smalltalks/zkacegi2/zkacegi2.dsp

and using zk.xml as:

<zk>
	<listener>
		<description>Acegi SecurityContext Handler</description>
		<listener-class>
			org.zkoss.zkplus.springsecurity.SpringSecurityContextListener
		</listener-class>
	</listener>
</zk>

And replace in his source code all occurrences of acegisecurity with spring.security.

I like the idea of writing an article about it. What do I need to do?

Vinny

answered 2008-06-23 04:16:36 +0800

admin (ZK Team)

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5048397

By: henrichen

> I like the idea of writing an article about it. What do I need to do?

Write the article and send it to us. Please include a profile of yourself so we can put it in the "about author" section. We will do some editing and publish it on the zkoss.org website. Looking forward to your article.

/henri


answered 2008-06-26 12:39:02 +0800

admin (ZK Team)

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5055643

By: gekkio

I've managed to get ZK working with SS2 by doing the same thing you did (creating the SpringSecurityContextListener-class).
However, it doesn't remove the session invalidation problem.
The "Session already invalidated"-message is related to session fixation protection in Spring Security.
You can avoid this problem by disabling the protection completely:

<security:http session-fixation-protection="none">
</security:http>

I haven't tried any complex Spring Security stuff yet, but for some simple things I've tried it seems to work fine.


answered 2008-06-28 16:12:09 +0800

admin (ZK Team)

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5060157

By: vinny223

The way I got it working was following the same recipe used for Acegi:

http://www.zkoss.org/smalltalks/zkacegi2/zkacegi2.dsp

And it worked well with all ZK code I have in my application so far. I have a deadline in my project early next week. I will publish all the details after that.

Vinny


answered 2008-07-13 14:44:18 +0800

okgago

Hi all,

As far as I understand, everybody's taking the article Making Acegi work with ZK as the basis of their work. As its name implies, that article explains how to make Acegi work with ZK, not Spring Security 2! With Spring Security 2 there's a great new feature: Auto-Config! With auto-config you don't need that huge security.xml containing all those detailed definitions of filters etc. Besides, in the mentioned article, the authorization is achieved through a form-based approach. I have tried to configure authentication with an HTTP Basic approach and it worked! It's as simple as follows:

Step 1 - Add the filter to your web.xml:

<filter>
	<filter-name>springSecurityFilterChain</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>


Step 2 - Define your security.xml:
<sec:http auto-config="true">
	<sec:intercept-url pattern="/**" access="ROLE_USER" />
	<sec:http-basic />
</sec:http>

<sec:authentication-provider user-service-ref="XXX" />


I have developed my own user service in the above example. You can simply go for an In Memory User Service as follows:
<sec:authentication-provider>
	<sec:user-service>
		<sec:user password="XXX" name="YYY" authorities="ROLE_USER" />
	</sec:user-service>
</sec:authentication-provider>


But of course, many people including me would like to have form-based authentication (same as the Acegi article), where they will have their own login page. I also could not manage to make it work yet (I get JavaScript errors saying that zk is not defined and the page does not display properly). I believe we need a SpringSecurityContextListener class to achieve this.

And talking about the filter (web.xml filter mapping URL pattern) and interception points (security.xml intercept pattern), it seems like there's no difference between using all (i.e. /**) and only ZK related pages (i.e. /zkau/**). Is there a difference?

And finally, although I managed to make Spring Security 2 work with ZK through HTTP Basic authentication, I have another error! Check out the related thread: "BorderLayout content is not visible with Spring Security 2.0"!

Good luck

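An added configuration example, not taken from any post in this thread, on the question of /** versus /zkau/** raised above: Spring Security evaluates <intercept-url> patterns in the order they are declared and applies the first match, so the order decides whether ZK's AU requests fall under the anonymous rule or under ROLE_USER. The sec prefix, the role names and auto-config follow the snippets posted in this thread.

```xml
<!-- Added example: intercept-url ordering in Spring Security 2.0, first match wins. -->

<!-- Ordering that makes the anonymous rule unreachable: /** already matches
     /zkau/..., so every ZK AU request must carry ROLE_USER. With http-basic the
     browser re-sends the Authorization header on each request, so this still
     works; the /zkau/** line below has no effect. -->
<sec:http auto-config="true">
	<sec:intercept-url pattern="/**" access="ROLE_USER" />
	<sec:intercept-url pattern="/zkau/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
	<sec:http-basic />
</sec:http>

<!-- Ordering that does what the /zkau/** rule in the original question intends:
     the more specific ZK AU pattern comes before the catch-all, so AU traffic
     passes the anonymous rule and everything else (the .zul pages included)
     requires ROLE_USER. -->
<sec:http auto-config="true">
	<sec:intercept-url pattern="/zkau/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
	<sec:intercept-url pattern="/**" access="ROLE_USER" />
	<sec:http-basic />
</sec:http>
```

A quick check for either ordering is to request a /zkau/ URL without credentials and confirm whether the response is a 401 challenge (first ordering) or passes the filter chain (second ordering).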

Stats

Asked: 2008-06-03 14:19:51 +0800

Seen: 605 times

Last updated: Jul 13 '08
