Is there a plan to support Spring Security 4 in the near future? We are working on a project utilising Spring Security and would like to use Spring Security 4, rather than 3.
Hi dmenz,
We have just moved one of our projects from Spring Security 3 to 4. There were a few hurdles to be jumped and I will try to remember them all here. If I end up leaving anything out feel free to ask further questions.
If you are using zkspring-core and/or zkspring-security you don't need to anymore.
This has nothing to do with zk but if you are using j_username and j_password in your login.zul you'll need to change the form-login tag in your security context. More details here.
To put authorized roles/permissions in the ZK session I created a custom AuthenticationSuccessHandler:
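import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession session = request.getSession(); // the ZK session wraps this HttpSession
        session.setAttribute("user", authentication.getName());
        session.setAttribute("authorities", authentication.getAuthorities());
        new DefaultRedirectStrategy().sendRedirect(request, response, "/index.zul");
    }
}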
Obviously you'll need to add the MyAuthenticationSuccessHandler to your Spring security context.
In your ZK models you can now retrieve your authorities:
Session session = (Session) Sessions.getCurrent();
Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) session
        .getAttribute("authorities");
Hope that helps. Yell if you need clarification on anything.
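The two security-context changes this answer describes (the form-login parameters and registering the success handler), as an added example that is not the poster's own configuration. The bean id, the package `com.example.security`, the `/login.zul` path, the `/zkau/**` rule and the `userDetailsService` bean are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Handler from the answer above; the package name is a placeholder. -->
    <beans:bean id="myAuthenticationSuccessHandler"
                class="com.example.security.MyAuthenticationSuccessHandler"/>

    <http>
        <!-- Assumed URL layout: the login page and ZK's update/resource
             servlet are reachable before login, everything else is not.
             Most specific patterns come first. -->
        <intercept-url pattern="/login.zul" access="permitAll"/>
        <intercept-url pattern="/zkau/**" access="permitAll"/>
        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <!-- Spring Security 3 defaults: j_username, j_password and
             /j_spring_security_check. Spring Security 4 defaults:
             username, password and /login. Setting the old names
             explicitly keeps an existing login.zul form working; the
             alternative is to rename the form fields and action and
             drop these three attributes. -->
        <form-login login-page="/login.zul"
                    login-processing-url="/j_spring_security_check"
                    username-parameter="j_username"
                    password-parameter="j_password"
                    authentication-success-handler-ref="myAuthenticationSuccessHandler"/>
        <logout/>
    </http>

    <!-- Assumes a UserDetailsService bean named userDetailsService is
         defined elsewhere (for example, one backed by the user/role/
         permission tables). -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService"/>
    </authentication-manager>
</beans:beans>
```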
I have put security in the zul page but not via taglib. I used standard MVVM functionality.
mission.zul
<window apply="org.zkoss.bind.BindComposer" viewModel="@id('vm') @init('com.imf.MissionVM')">
    <label value="Your mission should you choose to accept it ..." if="${vm.canViewMissionBriefing}" />
</window>
MissionVM.java
import java.util.Collection;
import java.util.Iterator;
import org.springframework.security.core.GrantedAuthority;
import org.zkoss.zk.ui.Session;
import org.zkoss.zk.ui.Sessions;

public class MissionVM {
    public boolean getCanViewMissionBriefing() {
        return isAuthorised("canViewMissionBriefing");
    }

    private boolean isAuthorised(String permission) {
        if (permission == null)
            return false;
        Session session = (Session) Sessions.getCurrent();
        Collection<GrantedAuthority> authorities =
                (Collection<GrantedAuthority>) session.getAttribute("authorities");
        if (authorities == null)
            return false; // nothing was stored at login: deny
        for (Iterator<GrantedAuthority> iterator = authorities.iterator(); iterator.hasNext();) {
            GrantedAuthority authority = iterator.next();
            if (permission.equals(authority.getAuthority()))
                return true;
        }
        return false; // no matching permission found
    }
}
We use the user - roles - permission database configuration as per this article. So if 'Ethan Hunt' is a user, he might have a role of 'IMF Member' and permission of 'canViewMissionBriefing'.
As before, let me know if you want me to clarify anything.
Asked: 2016-07-27 02:03:11 +0800
Seen: 67 times
Last updated: Aug 18 '16