Original message at:
https://sourceforge.net/forum/message.php?msg_id=5004970
By: fredrikoe
Hi!
I'm trying to configure Spring Security 2.0.1 (former Acegi) with ZK 3.0.5.
Since a lot of things changed when Acegi became Spring Security the Small Talks about this subject are not of much use.
However, by following the example bundled with Spring Security I have managed to configure it with ZK using this interceptor:
<intercept-url pattern="/zkau/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
which is similar to this one in Acegi:
/zkau/*=ROLE_ANONYMOUS,admin,user
Things seem to work as they should except for one thing. When I logout and then immediately try to login again I get the following exception:
java.lang.IllegalStateException: getAttribute: Session already invalidated
org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1032)
org.apache.catalina.session.StandardSessionFacade.getAttribute(StandardSessionFacade.java:110)
org.zkoss.zk.ui.http.SimpleSession.getAttribute(SimpleSession.java:205)
org.zkoss.zk.ui.sys.SessionsCtrl.requestEnter(SessionsCtrl.java:59)
org.zkoss.zk.ui.http.DHtmlLayoutServlet.doGet(DHtmlLayoutServlet.java:158)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:359)
org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.rememberme.RememberMeProcessingFilter.doFilterHttp(RememberMeProcessingFilter.java:116)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.basicauth.BasicProcessingFilter.doFilterHttp(BasicProcessingFilter.java:172)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:268)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:87)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:61)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.concurrent.ConcurrentSessionFilter.doFilterHttp(ConcurrentSessionFilter.java:97)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
Does anyone have a hint on what could cause this?
Thanks.
/ Fredrik
Original message at:
https://sourceforge.net/forum/message.php?msg_id=5022261
By: ricardovisk
I think ZK is not compatible with Spring Security yet.
Only for Acegi Security.
Original message at:
https://sourceforge.net/forum/message.php?msg_id=5044129
By: vinny223
I am just finishing a couple of classes to make ZK work with Spring Security.
How do I go about posting them to get integrated into ZK?
Thanks,
Vinny
Original message at:
https://sourceforge.net/forum/message.php?msg_id=5046683
By: henrichen
Hi Vinny,
You can send the code to me (henrichen AT zkoss DOT org). Would you like to write an article (ZK smalltalks) regarding how to integrate ZK with Spring Security?
We can publish it on the ZK website. It will be very useful to the community.
/henri
Original message at:
https://sourceforge.net/forum/message.php?msg_id=5047562
By: vinny223
I posted the code in the tracker:
http://sourceforge.net/tracker/index.php?func=detail&aid=1998941&group_id=152762&atid=828172
You can make it work by following:
http://www.zkoss.org/smalltalks/zkacegi2/zkacegi2.dsp
and using zk.xml as:
<zk>
  <listener>
    <description>Acegi SecurityContext Handler</description>
    <listener-class>
      org.zkoss.zkplus.springsecurity.SpringSecurityContextListener
    </listener-class>
  </listener>
</zk>
And replace in his source code all occurrences of acegisecurity with spring.security.
I like the idea of writing an article about it. What do I need to do?
Vinny
Original message at:
https://sourceforge.net/forum/message.php?msg_id=5048397
By: henrichen
> I like the idea of writing an article about it. What do I need to do?
Write the article and send it to us. Please include a profile of yourself so we can put it in the "about author" section. We will do some editing and publish it on the zkoss.org website. Looking forward to your article.
/henri
Original message at:
https://sourceforge.net/forum/message.php?msg_id=5055643
By: gekkio
I've managed to get ZK working with SS2 by doing the same thing you did (creating the SpringSecurityContextListener-class).
However, it doesn't remove the session invalidation problem.
The "Session already invalidated"-message is related to session fixation protection in Spring Security.
You can avoid this problem by disabling the protection completely:
<security:http session-fixation-protection="none">
</security:http>
I haven't tried any complex Spring Security stuff yet, but for some simple things I've tried it seems to work fine.
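What the session-fixation-protection attribute discussed in the post above changes at login, as an added, self-contained Java model; it is not code from Spring Security, ZK or anyone in this thread. SessionFixationDemo, Session, login and whoAmI are hypothetical names, the session ids and user are constructed, and the stale-reference reading of the exception is an assumption based on the stack trace in the first post:

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: a toy container model, not Spring Security or ZK code.
public class SessionFixationDemo {
    // Stand-in for HttpSession: attribute access fails once invalidated.
    static class Session {
        final String id;
        final Map<String, Object> attrs = new HashMap<>();
        boolean valid = true;
        Session(String id) { this.id = id; }
        Object getAttribute(String name) {
            if (!valid) throw new IllegalStateException("getAttribute: Session already invalidated");
            return attrs.get(name);
        }
    }
    // Every session the toy container has ever issued, keyed by session id.
    static final Map<String, Session> registry = new HashMap<>();
    static Session create() {
        Session s = new Session("S" + (registry.size() + 1));
        registry.put(s.id, s);
        return s;
    }
    // migrate=true models "migrateSession" (new id, attributes copied, old session invalidated); false models "none".
    static Session login(Session current, String user, boolean migrate) {
        Session target = current;
        if (migrate) {
            target = create();
            target.attrs.putAll(current.attrs);
            current.valid = false;
        }
        target.attrs.put("USER", user);
        return target;
    }
    // Identity that a request presenting this session id is given (null = anonymous).
    static Object whoAmI(String id) {
        Session s = registry.get(id);
        return (s == null || !s.valid) ? null : s.getAttribute("USER");
    }
    public static void main(String[] args) {
        Session a = create();                        // id issued before login (constructed)
        login(a, "alice", false);
        System.out.println("none: old id -> " + whoAmI(a.id));
        Session b = create();
        Session fresh = login(b, "alice", true);
        System.out.println("migrateSession: old id -> " + whoAmI(b.id) + ", new id -> " + whoAmI(fresh.id));
        try { b.getAttribute("USER"); }              // a component still holding the old session object
        catch (IllegalStateException e) { System.out.println("stale reference: " + e.getMessage()); }
    }
}
```

In the "none" case the session id that existed before login is the authenticated id afterwards, which is the condition session fixation protection exists to remove.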
Original message at:
https://sourceforge.net/forum/message.php?msg_id=5060157
By: vinny223
The way I got it working was following the same recipe used for acegi:
http://www.zkoss.org/smalltalks/zkacegi2/zkacegi2.dsp
And it worked well with all ZK code I have in my application so far. I have a deadline in my project early next week. I will publish all the details after that.
Vinny
Hi all,
As far as I understand, everybody's taking the article Making Acegi work with ZK as the basis of their work. As its name implies, that article explains how to make Acegi work with ZK, not Spring Security 2! With Spring Security 2 there's a great new feature: Auto-Config! With auto-config you don't need that huge security.xml containing all those detailed definitions of filters etc. Besides, in the mentioned article, the authorization is achieved through a form-based approach. I have tried to configure authentication with an HTTP Basic approach and it worked! It's as simple as follows:
Step 1 - Add the filter to your web.xml:
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<sec:http auto-config="true">
  <sec:intercept-url pattern="/**" access="ROLE_USER" />
  <sec:http-basic />
</sec:http>
<sec:authentication-provider user-service-ref="XXX" />

<sec:authentication-provider>
  <sec:user-service>
    <sec:user password="XXX" name="YYY" authorities="ROLE_USER" />
  </sec:user-service>
</sec:authentication-provider>
Asked: 2008-06-03 14:19:51 +0800
Last updated: Jul 13 '08