Login issue on Secure a ZK Application with Spring Security

asked 2022-05-11 16:43:39 +0800

manchen gravatar image manchen
151 2

updated 2022-05-31 16:13:13 +0800

I follow this page


but my login page is not work

this my java

package org.zkoss.zkspringboot.edc.config;

import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.zkoss.zkspringboot.edc.service.WebServiceAuthenticationProvider;

/* * This is an example of minimal configuration for ZK + Spring Security, we open as less access as possible to run a ZK-based application. * Please understand the configuration and modify it upon your requirement. */ @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private static final String ZUL_FILES = "/zkau/web//.zul"; private static final String ZKRESOURCES = "/zkres/"; // allow desktop cleanup after logout or when reloading login page private static final String REMOVEDESKTOPREGEX = "/zkau\?dtid=.*&cmd0=rmDesktop&.*";

private WebServiceAuthenticationProvider authProvider;
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
protected void configure(HttpSecurity http) throws Exception {
    // ZK already sends a AJAX request with a built-in CSRF token,
    // please refer to https://www.zkoss.org/wiki/ZK%20Developer's%20Reference/Security%20Tips/Cross-site%20Request%20Forgery
        //.antMatchers(ZUL_FILES).denyAll() // block direct access to zul files
        .antMatchers(HttpMethod.GET, ZK_RESOURCES).permitAll() // allow zk resources
        .regexMatchers(HttpMethod.GET, REMOVE_DESKTOP_REGEX).permitAll() // allow desktop cleanup
        .requestMatchers(req -> "rmDesktop".equals(req.getParameter("cmd_0"))).permitAll() // allow desktop cleanup from ZATS

 * Creates an {@link InMemoryUserDetailsManager} for demo/testing purposes only. DON'T use this in production, see: {@link User#withUserDetails}!
 * @return userDetailsService
public UserDetailsService userDetailsService() {
    UserDetails user =

    return new InMemoryUserDetailsManager(user);


browser console print error mesaage

image description

but I flush page is can work (F5)

This is my login.zul

<zk xmlns:n="http://www.w3.org/1999/xhtml" xmlns:z="zul">
<!-- External CSS libraries -->
<?link rel="stylesheet" type="text/css" href="~./assets/css/bootstrap.min.css?" ?>
<?link rel="stylesheet" type="text/css" href="~./assets/fonts/font-awesome/css/font-awesome.min.css" ?>
<?link rel="stylesheet" type="text/css" href="~./assets/fonts/flaticon/font/flaticon.css" ?>
<!-- Favicon icon -->
<?link rel="shortcut icon" href="~./assets/img/favicon.ico" type="image/x-icon" ?>

<!-- Google fonts -->
<?link href="https://fonts.googleapis.com/css2?family=Jost:[email protected];400;500;600;700;800;900&display=swap" rel="stylesheet"?>

<!-- Custom Stylesheet -->
<?link type="text/css" rel="stylesheet" href="~./assets/css/style.css" ?>

<!-- External JS libraries -->
<script src="~./assets/js/jquery-3.6.0.min.js"></script>
<script src="~./assets/js/bootstrap.bundle.min.js"></script>
<script src="~./assets/js/jquery.validate.min.js"></script>
<script src="~./assets/js/app.js"></script>
<!-- Custom JS Script -->
<div class="login-6">
    <div class="container-fluid">
        <div class="row">
            <div class="col-xl-8 col-lg-7 col-md-12 bg-img">
                <div class="info">
                    <div class="waviy">
                        <n:span style="color: #353535;--i:1">W</n:span>
                        <n:span style="color: #353535;--i:2">e</n:span>
                        <n:span style="color: #353535;--i:3">l</n:span>
                        <n:span style="color: #353535;--i:4">c</n:span>
                        <n:span style="color: #353535;--i:5">o</n:span>
                        <n:span style="color: #353535;--i:6">m</n:span>
                        <n:span style="color: #353535;--i:7">e</n:span>
                        <n:span style="color: #fea900;--i:8">t</n:span>
                        <n:span style="color: #fea900;--i:9">o</n:span>
                        <n:span style="color: #353535;--i:10">E</n:span>
                        <n:span style="color: #353535;--i:11">D</n:span>
                        <n:span style="color: #353535;--i:12">C</n:span>
                <div class="bg-photo">
                    <img src="~./zul/assets/img/img-6.png" alt="bg" class="img-fluid">
            <div class="col-xl-4 col-lg-5 col-md-12 bg-color-6">
                <div class="form-section">
                    <div class="logo">
                            <img src="~./zul/assets/img/logos/logo.png" alt="logo">
                            <z:image src="~./assets/img/logos/logo-wt.png"  height="110px"/>
                    <n:h3>Welcome EDC System</n:h3>
                    <div class="login-inner-form">
                        <n:form action="/login" method="POST">
                            <div class="form-group clearfix">
                                <n:label for="username" class="form-label">User Name</n:label>
                                <div class="form-box">
                                    <n:input name="username"  class="form-control" id="username" placeholder="user name" aria-label="Email Address" value="user"></n:input>
                                    <n:i class="flaticon-mail-2"></n:i>
                            <div class="form-group clearfix">
                                <n:label for="password" class="form-label">Password</n:label>
                                <div class="form-box">
                                    <n:input name="password" type="password" class="form-control" autocomplete="off" id="password" placeholder="Password" aria-label="Password" value="password"/>
                                    <n:i class="flaticon-password"></n:i>
                            <div class="form-group clearfix mb-0">
                                <button type="submit" class="btn btn-primary btn-lg btn-theme">Login</button>



delete flag offensive retag edit

1 Answer

Sort by » oldest newest most voted

answered 2022-05-31 15:47:37 +0800

hawk gravatar image hawk
3048 1 5
http://hawkphoenix.blogsp... ZK Team

According to the code .anyRequest().authenticated(), the error WebSocket connection to 'ws://localhost:8080/zkwm?dtid=...' failed: is expected. Since any request should be authenticated so ZK cannot establish a websocket connection successfully before you login. Hence, if you check our zkspringboot security demo, it doesn't use any zk button to trigger zk au in login.zul

The reason is:

ensure spring security can secure all zk au requests (websocket)

If you allow a WebSocket connection on the login page, you allow the unauthenticated connection, which equals to unprotected connection.

You can choose to open websocket connection by http.antMatchers("/zkwm/**").permitAll() without authentication. But it also means spring security doesn't protect the connection.

Hence, you can

use AJAX

but don't send au request on login.zul. Keep login page in zk style.

use WebSocket

build login page without zul, using JSP/HTML.

link publish delete flag offensive edit


I provided my login zul, I use ZK style, it is not send au request

manchen ( 2022-05-31 16:13:54 +0800 )edit

but if you enable websocket in zk.xml, then zk will establish a websocket connection when you visit a zul without interaction. https://www.zkoss.org/wiki/ZKConfigurationReference/zk.xml/ZKAUEngine

hawk ( 2022-05-31 16:32:49 +0800 )edit
Your answer
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools




Asked: 2022-05-11 16:43:39 +0800

Seen: 11 times

Last updated: May 31

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More