# ZK and Spring Security 2

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5004970

By: fredrikoe

Hi!

I'm trying to configure Spring Security 2.0.1 (former Acegi) with ZK 3.0.5.
Since a lot of things changed when Acegi became Spring Security the Small Talks about this subject are not of much use.

However, by following the example bundled with Spring Security I have managed to configure it with ZK using this interceptor:
```xml
<intercept-url pattern="/zkau/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
```
which is similar to this one in Acegi:

Things seem to work as they should except for one thing. When I log out and then immediately try to log in again, I get the following exception:

```
org.apache.catalina.session.StandardSession.getAttribute(StandardSession.java:1032)
org.zkoss.zk.ui.http.SimpleSession.getAttribute(SimpleSession.java:205)
org.zkoss.zk.ui.sys.SessionsCtrl.requestEnter(SessionsCtrl.java:59)
org.zkoss.zk.ui.http.DHtmlLayoutServlet.doGet(DHtmlLayoutServlet.java:158)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:359)
org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.rememberme.RememberMeProcessingFilter.doFilterHttp(RememberMeProcessingFilter.java:116)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.basicauth.BasicProcessingFilter.doFilterHttp(BasicProcessingFilter.java:172)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:268)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:87)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:61)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.concurrent.ConcurrentSessionFilter.doFilterHttp(ConcurrentSessionFilter.java:97)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:371)
org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:174)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
```

Does anyone have a hint on what could cause this?

Thanks.

/ Fredrik

## 8 Replies

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5022261

By: ricardovisk

I think ZK is not compatible with Spring Security yet.
Only for Acegi Security.

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5044129

By: vinny223

I am just finishing a couple of classes to make ZK work with Spring Security.
How do I go about posting them to get integrated into ZK?

Thanks,

Vinny

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5046683

By: henrichen

Hi Vinny,

You can send the code to me (henrichen AT zkoss DOT org). Would you like to write an article (ZK smalltalks) regarding how to integrate ZK with Spring Security?
We can publish it on the ZK website. It will be very useful to the community.

/henri

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5047562

By: vinny223

I posted the code in the tracker:
http://sourceforge.net/tracker/index.php?func=detail&aid=1998941&group_id=152762&atid=828172

You can make it work by following:
http://www.zkoss.org/smalltalks/zkacegi2/zkacegi2.dsp

and using zk.xml as:

```xml
<zk>
  <listener>
    <description>Acegi SecurityContext Handler</description>
    <listener-class>org.zkoss.zkplus.springsecurity.SpringSecurityContextListener</listener-class>
  </listener>
</zk>
```

And replace all occurrences of acegisecurity in his source code with spring.security.

I like the idea of writing an article about it. What do I need to do?

Vinny

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5048397

By: henrichen

> I like the idea of writing an article about it. What do I need to do?

Write the article and send it to us. Please include a profile of yourself so we can put it in the "about author" section. We will do some editing and publish it on the zkoss.org website. Looking forward to your article.

/henri

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5055643

By: gekkio

I've managed to get ZK working with SS2 by doing the same thing you did (creating the SpringSecurityContextListener-class).
However, it doesn't remove the session invalidation problem.
The "Session already invalidated"-message is related to session fixation protection in Spring Security.
You can avoid this problem by disabling the protection completely:

```xml
<security:http session-fixation-protection="none">
</security:http>
```

I haven't tried any complex Spring Security stuff yet, but for some simple things I've tried it seems to work fine.
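
Added illustration, not part of any post in this thread and not code from ZK, Tomcat or Spring Security: a self-contained model of how a session wrapper that caches the container session can raise "Session already invalidated" once session-fixation protection replaces the session at login. The class names and session IDs are hypothetical, and the caching behaviour is an assumption about the cause, suggested by the `SimpleSession.getAttribute` frame in the trace above.

```java
import java.util.HashMap;
import java.util.Map;

public class StaleSessionDemo {
    // Minimal stand-in for a container session (hypothetical, not Tomcat's StandardSession).
    static class Session {
        final String id;
        final Map<String, Object> attrs = new HashMap<>();
        boolean valid = true;
        Session(String id) { this.id = id; }
        Object getAttribute(String key) {
            if (!valid) throw new IllegalStateException("Session already invalidated");
            return attrs.get(key);
        }
        void invalidate() { valid = false; }
    }

    // Wrapper that caches the native session, as a UI framework's session object might (assumption).
    static class Wrapper {
        Session nativeSession;
        Wrapper(Session s) { nativeSession = s; }
        Object getAttribute(String key) { return nativeSession.getAttribute(key); }
    }

    // Migrate-style fixation protection: new ID, attributes copied over, old session invalidated.
    static Session migrate(Session old, String newId) {
        Session fresh = new Session(newId);
        fresh.attrs.putAll(old.attrs);
        old.invalidate();
        return fresh;
    }

    public static void main(String[] args) {
        Session pre = new Session("PRE-LOGIN-ID");      // constructed sample ID
        pre.attrs.put("wrapper", new Wrapper(pre));     // the wrapper itself lives in the session
        Session post = migrate(pre, "POST-LOGIN-ID");   // what happens on successful login

        Wrapper copied = (Wrapper) post.getAttribute("wrapper");
        try {
            copied.getAttribute("x");                   // still delegates to the dead session
        } catch (IllegalStateException e) {
            System.out.println("stale wrapper: " + e.getMessage());
        }
        copied.nativeSession = post;                    // re-bind to the current request's session
        System.out.println("rebound wrapper ok: " + (copied.getAttribute("wrapper") == copied));
        System.out.println("pre-login id still valid: " + pre.valid);
    }
}
```

With `session-fixation-protection="none"` the `migrate` step never runs, so the wrapper stays valid, but the session ID issued before login also remains the authenticated session ID, which is the condition the protection exists to prevent.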

Original message at:
https://sourceforge.net/forum/message.php?msg_id=5060157

By: vinny223

The way I got it working was following the same recipe used for acegi:

http://www.zkoss.org/smalltalks/zkacegi2/zkacegi2.dsp

And it worked well with all ZK code I have in my application so far. I have a deadline in my project early next week. I will publish all the details after that.

Vinny

okgago

Hi all,

As far as I understand, everybody's taking the article Making Acegi work with ZK as the basis of their work. As its name implies, that article explains how to make Acegi work with ZK, not Spring Security 2! With Spring Security 2 there's a great new feature: Auto-Config! With auto-config you don't need that huge security.xml containing all those detailed definitions of filters, etc. Besides, in the mentioned article, the authorization is achieved through a form-based approach. I have tried to configure authentication with an HTTP Basic approach and it worked! It's as simple as follows:

```xml
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```


Step 2 - Define your security.xml:
```xml
<sec:http auto-config="true">
  <sec:intercept-url pattern="/**" access="ROLE_USER" />
  <sec:http-basic />
</sec:http>

<sec:authentication-provider user-service-ref="XXX" />
```


I have developed my own user service in the above example. You can simply go for an In Memory User Service as follows:
```xml
<sec:authentication-provider>
  <sec:user-service>
  </sec:user-service>
</sec:authentication-provider>
```


But of course, many people including me would like to have a form-based authentication (same as the Acegi article), where they will have their own login page. I also could not manage to make it work yet (I get JavaScript errors saying the zk is not defined and the page does not display properly). I believe we need a SpringSecurityContextListener class to achieve this.

And talking about the filter (web.xml filter mapping URL pattern) and interception points (security.xml intercept pattern), it seems like there's no difference between using all (i.e. /**) and only ZK related pages (i.e. /zkau/**). Is there a difference?

And finally, although I managed to make Spring Security 2 work with ZK through HTTP Basic authentication, I have another error! Check out the related thread: "BorderLayout content is not visible with Spring Security 2.0"!

Good luck
