Add Page Based Security Using Authorized Roles

Revision as of 00:49, 23 February 2011

Purpose

Secure ZK ZUML pages with Authorized roles

Example

This example is borrowed from the standard Spring Security tutorial sample and has been modified to work with ZK using ZK Spring Security. You can download the example code from the ZK Spring Essentials Google Code source repository. You can see this example in action by deploying the ZK Spring Essentials web archive and opening the example home page at http://localhost:8080/zkspringessentials/home.zul; you will see the following screen. The home.zul page is configured to be accessible to anyone.

(Screenshot: ZKSpringEssentials SecurityExampleHome.jpg, the example home page)

This table lists links to the different pages that users can visit. The two pages in the bottom two rows of the table, secure/index.jsp and secure/extreme/index.jsp, are reached by clicking their "Go" buttons and are configured to be accessible only to users that hold certain authorized roles. When a user clicks one of these "Go" buttons, Spring Security first checks whether the user is logged in; if not, the user is presented with a login page. On successful login, Spring Security then verifies whether the user has been assigned the specific role that authorizes access to that page. Users that hold the required role are redirected to the requested page; all others are shown an access denied page.

Let's dig into the configuration to see how we secure these pages with authorized roles.

Configuration

Application specific configuration for Spring Security is generally specified within the Spring bean configuration file, or altogether in a separate XML file. For Spring Security to discover that configuration, we need to add the following to web.xml:

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext-security.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


Here org.springframework.web.context.ContextLoaderListener is responsible for loading the Spring Security configuration and org.springframework.web.filter.DelegatingFilterProxy is the main entry point of the Spring Security framework.

Secure pages

Now let's take a look at the example specific configuration that enables role based security for certain pages as described above. It is defined in the applicationContext-security.xml file as shown below.

    <http auto-config="true">
        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/secure/**" access="ROLE_USER" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <form-login login-page="/login.zul"
            authentication-failure-url="/login.zul?login_error=1" />
        <logout logout-success-url="/home.zul"/>
        <!-- Following is the list of ZK Spring Security custom filters.
            They need to be in exactly the same order as shown below in order to work.  -->
        <custom-filter ref="zkDesktopReuseFilter" position="FIRST" />
        <custom-filter ref="zkDisableSessionInvalidateFilter" before="FORM_LOGIN_FILTER"/>
        <custom-filter ref="zkEnableSessionInvalidateFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <custom-filter ref="zkLoginOKFilter" after="FILTER_SECURITY_INTERCEPTOR"/>
        <custom-filter ref="zkError403Filter" after="LOGOUT_FILTER"/>
    </http>

The <intercept-url /> element in the above configuration defines which role a user needs to have in order to access a certain page. The page, or a pattern that identifies a group of pages, is configured using the pattern attribute.
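Spring Security evaluates the <intercept-url /> rules from top to bottom and applies the first pattern that matches the request, so the order of the three rules above is what makes them work. The following fragments are an added example, not part of the original page or of the ZK Spring Essentials sample: the same three rules in a misordered form beside the corrected form. The pattern and access values are the page's own; the comments and the two-fragment layout are mine, and only one of the two <http> elements would actually go into applicationContext-security.xml.

```xml
<!-- WRONG ORDER (do not use): the catch-all rule comes first.
     Every request, including /secure/extreme/index.jsp, matches "/**" and
     is granted to anonymous users; the two role rules below it are never
     consulted, so the "secure" pages are not secured at all. -->
<http auto-config="true">
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/secure/**" access="ROLE_USER" />
    <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" />
</http>

<!-- CORRECT ORDER: most specific pattern first, catch-all last.
     /secure/extreme/...  -> requires ROLE_SUPERVISOR
     /secure/...          -> requires ROLE_USER (a user holding only
                             ROLE_SUPERVISOR is denied here unless a role
                             hierarchy is configured; the tutorial's
                             supervisor account holds both roles)
     everything else      -> anonymous access allowed -->
<http auto-config="true">
    <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" />
    <intercept-url pattern="/secure/**" access="ROLE_USER" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>
```

A quick way to check the ordering after any change is to log in as a user that holds only ROLE_USER and request a URL under /secure/extreme/ directly in the browser address bar: the correct configuration answers with the access denied page, the misordered one serves the page.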

Custom login page

If the user isn't logged in, Spring Security presents a default login page to the user to enter his credentials. You can customize this to present a custom login page instead. In this example we are using a custom login page, the login.zul ZUML page, and it is configured using the <form-login/> element's login-page attribute.
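A minimal custom login page of the kind the <form-login/> element points to, as an added example rather than the login.zul shipped with ZK Spring Essentials. It assumes Spring Security 3.0's default form-login contract (a POST to /j_spring_security_check carrying j_username and j_password) and uses ZK's native namespace to emit a plain HTML form; the use of the `if` attribute with the `param` implicit object to react to login_error=1 is likewise my assumption about ZUML. The failure message is deliberately the same for every cause, so a failed attempt does not reveal whether the username exists.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- login.zul: added example, not the sample project's own page.
     Assumes Spring Security 3.0 defaults: processing URL
     /j_spring_security_check, parameters j_username and j_password. -->
<zk xmlns:n="native">
    <window title="Login" border="normal" width="320px">
        <!-- authentication-failure-url sends the browser back here with
             login_error=1; show one generic message whatever the cause
             (unknown user, bad password, disabled account) -->
        <label value="Your login attempt was not successful, try again."
               style="color:red"
               if="${param.login_error == '1'}" />
        <!-- native namespace: rendered as ordinary HTML, so the browser
             POSTs straight to Spring Security's form-login filter -->
        <n:form action="j_spring_security_check" method="POST">
            <n:label for="j_username">User</n:label>
            <n:input type="text" id="j_username" name="j_username" />
            <n:br/>
            <n:label for="j_password">Password</n:label>
            <n:input type="password" id="j_password" name="j_password" />
            <n:br/>
            <n:input type="submit" value="Login" />
        </n:form>
    </window>
</zk>
```

With the intercept-url rules shown earlier, /login.zul itself falls under the "/**" rule and is therefore reachable anonymously, which is required: a login page that is itself protected would redirect to itself in a loop.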

Version History

Last Update : 2011/02/23
