
Security lack with include component?

asked 2013-10-31 13:42:09 +0800

sensdb

updated 2013-10-31 13:44:10 +0800

Hi there,

I am using ZK 6 in my web app. As soon as I add some includes in my index.zul, my security policy starts going weird.

Detail:

I use JBoss 7 and EJB3 as the business architecture. In a session bean I have the session context injected, which I am using to print out the user. This works fine; the console prints

14:33:53,028 INFO [stdout] (http--0.0.0.0-8080-1) sa

when I am logged in as the user "sa", and it changes when I log in with another user.

But as soon as I have an include tag in my zul, I get the output

14:33:57,035 INFO [stdout] (Thread-70) sa

so... it's from a different thread. When I log out now and log in as another user ("oe" in this case) I get

14:37:18,643 INFO [stdout] (http--0.0.0.0-8080-5) oe

but as soon as I use any business method I get the first user again...

14:37:18,807 INFO [stdout] (Thread-76) sa

This happens only with includes. What the hell is going on? Is there any attribute which can be set to avoid this?

1 Answer


answered 2013-11-04 07:54:31 +0800

sensdb

updated 2013-11-04 07:56:08 +0800

Hi again,

The included zul files start with window tags again, so they have their own ID space. If I use hbox instead of window, for instance, everything works fine again.

1st question: is it possible to disable the space-owner property of window? 2nd question: why do I get the error in my initial post? My web layer is secured by configuring web.xml like

    <!-- every URL of the application requires an authenticated caller in role "webclient" -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>User Auth</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>webclient</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- form-based login against the "User Auth" realm -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>User Auth</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>webclient</role-name>
    </security-role>

Why do I get multiple security subjects in the web layer? Even worse: I get the subjects of other users...

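As an added example (not code from the original post), here is a small check over the stdout format quoted above that flags principals reported by non-request threads, and in particular a background thread reporting a different user than the last request thread did; the `http--` thread-name prefix and the sample lines are taken from the question, everything else is assumed.

```python
import re
from typing import List, Optional, Tuple

# JBoss 7 stdout line as quoted in the question, e.g.
# "14:33:57,035 INFO [stdout] (Thread-70) sa"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) INFO \[stdout\] "
    r"\((?P<thread>[^)]+)\) (?P<user>\S+)$"
)


def is_request_thread(thread: str) -> bool:
    # Assumption: JBoss AS7 web connector threads are named "http--<addr>-<port>-<n>".
    return thread.startswith("http--")


def off_request_observations(lines) -> List[Tuple[str, str, str]]:
    """Every (ts, thread, user) where the principal was read outside a request thread.
    The session context is only meaningful on the request thread, so each of these
    is worth a look regardless of which user it names."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and not is_request_thread(m["thread"]):
            out.append((m["ts"], m["thread"], m["user"]))
    return out


def find_cross_thread_principals(lines) -> List[Tuple[str, str, str, str]]:
    """(ts, thread, seen_user, expected_user) for every non-request thread that reports
    a different principal than the most recent request thread did: the symptom from
    the question, where Thread-76 still says "sa" after "oe" has logged in."""
    findings = []
    expected: Optional[str] = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if is_request_thread(m["thread"]):
            expected = m["user"]          # request thread is the source of truth
        elif expected is not None and m["user"] != expected:
            findings.append((m["ts"], m["thread"], m["user"], expected))
    return findings


# Constructed sample reproducing the sequence of log lines from the question.
SAMPLE_LOG = """\
14:33:53,028 INFO [stdout] (http--0.0.0.0-8080-1) sa
14:33:57,035 INFO [stdout] (Thread-70) sa
14:37:18,643 INFO [stdout] (http--0.0.0.0-8080-5) oe
14:37:18,807 INFO [stdout] (Thread-76) sa
""".splitlines()

if __name__ == "__main__":
    for ts, thread, seen, expected in find_cross_thread_principals(SAMPLE_LOG):
        print(f"{ts} {thread}: principal {seen!r}, request thread saw {expected!r}")
```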