Hello all,
I have a small doubt. I'm implementing my own security approach based on Stephan's zk_sample project, and this is what I did to protect a button:

def afterCompose = {
    btnEditText.visible = userDetailsService.isCurrentUserGrantedAccess(ACESSO_EDITAR_TEXTO)
}

public void onClick_btnEditText() {
    // button code, no more verifications
}

Note: this is Groovy code and it is working.
Is it enough to assure an unauthorized user won't have access to this functionality? Or should I verify access in the onClick event as well?
Regards,
Felipe Cypriano
Yes, because the Button is not rendered, so no user can click on it :-)
Do it in an extra method, so it's clearer when new components must be added.
public void checkRights() {
...
btnEditText.visible = userDetailsService.isCurrentUserGrantedAccess(ACESSO_EDITAR_TEXTO)
...
}
best
Stephan
It depends on what kind of service you are providing via your web application. If the data is sensitive, then it is better that you still check the security on the server.
Though the button is invisible, a hostile user can still make it visible via, e.g., Firebug. Or, if you don't even render the button (no corresponding HTML button element), a hostile user might fake an Ajax request and fire the "event". Of course, he/she must be familiar with all of these tricks.
Oh yes, that's an important aspect.
It's on the todo list. A few weeks ago a first try to secure the ZK events in code with the @Secured("") annotation failed.
Hope that other users can explain what is needed (configuration?) so that it works with the annotations.
best
Stephan
Until we have an annotation-based way to simplify the process, I'll do what henrichen suggests, something like this:

public void onClick_btnEditText() {
    if (!hasAccess) return
    // actual code goes here
}
This is enough to prevent a fake javascript request, isn't it?
Regards,
Felipe Cypriano
Yes, because this is running on the server side.
My preferred way was to go like this:
@secured("customerController.btn_editText_onclick")
public void onClick_btnEditText() {
    // actual code goes here
}

But this isn't working, you said on an earlier post.
I'm thinking of implementing it using AOP, but I don't know enough about it to figure out a solution right now. For example, we could use the annotation information and add an aspect (correct me if I'm using the wrong term) to verify whether the user has access.
Regards,
Felipe Cypriano
|But this isn't working, you said on an earlier post.
I only said that I have not gotten it to work on a first quick try. I hoped that other users have worked with the spring-security annotation and can explain or post configuration settings.
Remember I get the rights out of a DB table, not a configuration file.
I have all the 'rights' in there, in the spring-sec grantedRights list. The only thing that is missing is to set up spring-sec so that it works with its @secured("aRight") annotation. It seems that it must be a listener that catches the call. So we only need to write a new listener that extends the one we are searching for. In there we can implement the UserWorkspace.isAllowed("aRight").
best
Stephan
I never took a look into it, but it seems it's like what we do with UserDetailsService: we "only" need to teach Spring Security how to handle the rights/access.
In my case I need an implementation that searches for all roles that are allowed to use the access @Secured("accessName"); it's a little bit different, but the idea is almost the same.
Regards,
Felipe Cypriano
Yes.
Today I got the right hint. If the classes (controllers) are Spring managed, then Spring can automatically check whether there is a @secured annotation. At the moment only the backend is Spring managed. I will have a look at it next week, even though the sample app moves away from easy understanding.
nice weekend
Stephan
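An added illustration of the annotation-driven server-side check discussed in this thread; it is not code from the thread, from the zk_sample project, or from Spring Security. The annotation `RequiresRight`, the classes `UserRights`, `TextController` and `SecuredEventDispatcher`, and the constructed set of granted rights are all hypothetical; the reflective dispatcher stands in for what Spring's own interception does for `@Secured` once the controller is Spring managed, so the right is checked before the handler body runs no matter whether the button was rendered or the event was faked in JavaScript.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Set;

// Hypothetical annotation standing in for Spring Security's @Secured.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresRight {
    String value();
}

// Plays the role of the thread's userDetailsService; backed by a constructed set of rights.
class UserRights {
    private final Set<String> granted;
    UserRights(Set<String> granted) { this.granted = granted; }
    boolean isCurrentUserGrantedAccess(String right) { return granted.contains(right); }
}

class TextController {
    boolean edited = false;

    // The handler declares the right it needs and no longer relies on button visibility.
    @RequiresRight("ACESSO_EDITAR_TEXTO")
    public void onClick_btnEditText() {
        edited = true; // actual code goes here
    }
}

// Every event routed through this dispatcher is checked against the handler's
// annotation on the server before the handler executes.
class SecuredEventDispatcher {
    private final UserRights rights;
    SecuredEventDispatcher(UserRights rights) { this.rights = rights; }

    // Returns true if the handler ran, false if access was denied.
    public boolean dispatch(Object controller, String handlerName) throws Exception {
        Method m = controller.getClass().getMethod(handlerName);
        RequiresRight req = m.getAnnotation(RequiresRight.class);
        // In this illustration an unannotated handler is denied (fail closed).
        if (req == null || !rights.isCurrentUserGrantedAccess(req.value())) {
            return false;
        }
        m.invoke(controller);
        return true;
    }

    public static void main(String[] args) throws Exception {
        TextController c = new TextController();
        System.out.println(new SecuredEventDispatcher(new UserRights(Set.of())).dispatch(c, "onClick_btnEditText") + " edited=" + c.edited);
        System.out.println(new SecuredEventDispatcher(new UserRights(Set.of("ACESSO_EDITAR_TEXTO"))).dispatch(c, "onClick_btnEditText") + " edited=" + c.edited);
    }
}
```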
All my composers and services are managed by spring, I'll test it and let you know.
Regards,
Felipe Cypriano
Asked: 2009-10-07 18:08:32 +0800
Last updated: Oct 12 '09