I have a ZK web app that is using Spring Security to control access to the main UI functionality. For the log-in process I'm using an 'ExceptionMappingAuthenticationFailureHandler' bean to control where various authentication failures are directed. For a situation where a user's credentials have expired I am redirecting them to a web form found at '\new_password.zul' where they can enter the old and new passwords.
How can I secure access to this '\new_password.zul' web form? I don't want somebody typing this in as a URL and gaining access directly. I want access to the '\new_password.zul' form to be restricted solely to situations where it has been redirected from '\index.zul'. Any suggestions?
The Spring Security configuration is shown below:
<beans:bean id="loginExceptionTranslationFilter"
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <beans:property name="exceptionMappings">
        <beans:props>
            <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/new_password.zul</beans:prop>
            <beans:prop key="org.springframework.security.authentication.BadCredentialsException">/login.zul</beans:prop>
            <beans:prop key="org.springframework.security.authentication.LockedException">/locked.zul</beans:prop>
            <beans:prop key="org.springframework.security.authentication.AccountExpiredException">/tenantDisabled.zul</beans:prop>
            <beans:prop key="org.springframework.security.authentication.DisabledException">/userDisabled.zul</beans:prop>
        </beans:props>
    </beans:property>
</beans:bean>

<http>
    <intercept-url pattern="/view/page/user_template_default.zul" access="ROLE_USER" />
    <intercept-url pattern="/view/page/tenancy_management.zul" access="ROLE_SYSTEM_ADMIN" />
    <intercept-url pattern="/index.zul" access="ROLE_USER" />
    <anonymous username="guest" granted-authority="ROLE_GUEST" />
    <remember-me key="jourdan" />
    <form-login login-page="/login.zul"
        authentication-failure-handler-ref="loginExceptionTranslationFilter" />
    <logout invalidate-session="true" logout-success-url="/index.zul" />
</http>
I found a way of persisting authentication state in the authentication exception handling class.
Using that approach the 'new password' form can only be accessed if state is in a specific condition, otherwise the code redirects the user back to the login form.
Asked: 2013-10-20 16:15:48 +0800
Last updated: Oct 23 '13
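One way to implement the "persist authentication state in the failure handler" approach described in the update above, as an added example that is not code from the original post: the handler records the expired-credentials state in the HTTP session only when a CredentialsExpiredException occurs, and a ZK composer bound to new_password.zul redirects to the login form when that state is missing. The class names, the session attribute name and the "j_username" parameter (Spring Security 3's default login field) are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.Sessions;
import org.zkoss.zk.ui.util.GenericForwardComposer;

// Added example, not from the original post. Class and attribute names are assumptions.
public class ExpiredCredentialsFailureHandler
        extends ExceptionMappingAuthenticationFailureHandler {
    /** Session attribute naming the account whose password must be changed. */
    public static final String PWD_EXPIRED_USER = "PWD_EXPIRED_USER";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException exception)
            throws IOException, ServletException {
        if (exception instanceof CredentialsExpiredException) {
            // Credentials checked out but are expired: record who may reach the
            // change form. "j_username" is Spring Security 3's default field name.
            request.getSession(true).setAttribute(PWD_EXPIRED_USER,
                    request.getParameter("j_username"));
        } else {
            // Any other failure clears a flag left over from an earlier attempt.
            request.getSession(true).removeAttribute(PWD_EXPIRED_USER);
        }
        // The redirect itself still comes from the exceptionMappings in the XML.
        super.onAuthenticationFailure(request, response, exception);
    }
}

/** Composer for new_password.zul: refuses the page unless the handler set the flag. */
class NewPasswordComposer extends GenericForwardComposer<Component> {
    @Override
    public void doAfterCompose(Component comp) throws Exception {
        super.doAfterCompose(comp);
        Object user = Sessions.getCurrent().getAttribute(
                ExpiredCredentialsFailureHandler.PWD_EXPIRED_USER);
        if (user == null) {
            // Typed in directly rather than redirected here: back to the login form.
            Executions.sendRedirect("/login.zul");
        }
    }
}
```

Point `authentication-failure-handler-ref` at a bean of this class (keeping the same `exceptionMappings`), and have the change-password action verify the old password and remove the session attribute once the new one is saved, so the form cannot be reused later in the same session.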
You can try putting "new_password.zul" under the WEB-INF folder.
vincentjian ( 2013-10-21 02:18:32 +0800 )edit