Secure ZK Component Events


Revision as of 04:20, 23 February 2011

Purpose

Secure a particular ZK component event, such as a Button's onClick event, so that the server only processes it for users holding the required role.

Example

This example is borrowed from the standard Spring Security tutorial sample and has been modified to work with ZK using ZK Spring Security. You can download the example code from the ZK Spring Essentials Google Code source repository here. To see it in action, deploy the ZK Spring Essentials web archive and open the example home page at http://localhost:8080/zkspringessentials/home.zul; you will see the following screen. home.zul is configured to be accessible to anyone.

[Screenshot: ZKSpringEssentials_SecurityExampleHome.jpg (example home page)]

The table on the home page lists links to the pages a user can visit. The first row leads to the Account Listings page. That page has buttons to credit or debit a given amount from a specific user's account, but only users who are logged in and hold either ROLE_TELLER or ROLE_ADMINISTRATOR are allowed to perform those operations. If the user is not logged in, Spring Security is configured to ask them to log on: clicking any of the +$5, -$5, +$20 or -$20 buttons on the Account Listings page presents an Ajax login popup. The question is how to secure a particular button click event and attach role-based access to the operation that click performs. We describe that below, but first let us look at the account listing page and the login popup.

Here is the account listings page screen.

[Screenshot: ZKSpringEssentials_SecurityExampleListAccounts2.jpg (account listings page)]

[Screenshot: ZKSpringEssentials_SecurityExampleSecureComponentEvents.jpg (login popup after clicking a secured button)]

Configuration

To make the Ajax login popup work, the ZK Spring Security custom filters must be registered in the Spring Security <http> configuration. They must appear in exactly the order shown below:

    <http auto-config="true">
        <!-- Following is the list of ZK Spring Security custom filters.
            They need to be in exactly the order shown below in order to work. -->
        <custom-filter ref="zkDesktopReuseFilter" position="FIRST" />
        <custom-filter ref="zkDisableSessionInvalidateFilter" before="FORM_LOGIN_FILTER"/>
        <custom-filter ref="zkEnableSessionInvalidateFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <custom-filter ref="zkLoginOKFilter" after="FILTER_SECURITY_INTERCEPTOR"/>
        <custom-filter ref="zkError403Filter" after="LOGOUT_FILTER"/>
    </http>

Moving on to the configuration required to secure ZK component events: first, declare the ZK Spring Security namespace at the top of the configuration file, as shown below.
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:zkc="http://www.zkoss.org/2008/zkspring/core"
    xmlns:zksp="http://www.zkoss.org/2008/zkspring/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
        http://www.zkoss.org/2008/zkspring/core http://www.zkoss.org/2008/zkspring/core/zkspring-core.xsd 
        http://www.zkoss.org/2008/zkspring/security http://www.zkoss.org/2008/zkspring/security/zkspring-security.xsd">
...
</beans:beans>

Next, the ZK Spring Security namespace element <zk-event /> and its child element <intercept-event /> declare which component events need to be secured. This works the same way as securing pages in standard Spring Security: there, URL patterns are intercepted by <intercept-url /> and checked against the logged-in user's granted authorities; here, ZK Spring Security intercepts component events identified by the combination of the "path" and "event" attributes of <intercept-event /> and performs the same authority check on the server, before the event handler runs. Hiding or disabling a button on the client is therefore not what protects the operation; the interception rule is.

    <zksp:zk-event login-template-close-delay="5">
        <zksp:intercept-event event="onClick" path="//**/btn_*" access="ROLE_TELLER" />
        <zksp:intercept-event path="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    </zksp:zk-event>

Two details of this table matter in practice. The rules are ordered and the most specific pattern comes first: the onClick rule for components whose id starts with btn_ precedes the catch-all "/**" that leaves every other event open to anonymous users, just as specific <intercept-url /> patterns are listed before a catch-all in Spring Security. And as written, the access attribute admits only ROLE_TELLER; to also admit ROLE_ADMINISTRATOR, as the example description above calls for, list both roles comma-separated: access="ROLE_TELLER,ROLE_ADMINISTRATOR".
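To make the consequences of rule order and of the access attribute concrete, the following added example models how an ordered intercept table like the one above is evaluated. It is illustrative code written for this page, not ZK Spring Security's implementation. It assumes that component paths are '/'-separated with empty segments ignored (so "//**/btn_*" and "/**" behave as the page's configuration intends), that the first matching rule wins as with <intercept-url />, and that an event matching no rule is denied; the component path "//accounts/win/btn_plus5" and the principals are constructed for the demonstration.

```python
"""Model of an ordered <intercept-event> policy table (added example, not ZK Spring Security code)."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    path: str                    # Ant-style pattern over the component path
    access: str                  # comma-separated roles, or IS_AUTHENTICATED_ANONYMOUSLY
    event: Optional[str] = None  # None matches any event


@dataclass(frozen=True)
class Principal:
    authenticated: bool
    roles: FrozenSet[str] = frozenset()


# Constructed principals for the demonstration.
ANONYMOUS = Principal(False)
TELLER = Principal(True, frozenset({"ROLE_TELLER"}))
ADMIN = Principal(True, frozenset({"ROLE_ADMINISTRATOR"}))
USER = Principal(True, frozenset({"ROLE_USER"}))


def _segments(path: str) -> List[str]:
    # Assumption: empty segments (the leading "//" of a ZK page path) are ignored.
    return [s for s in path.split("/") if s]


def _match(pattern: List[str], path: List[str]) -> bool:
    """Ant-style match: '**' spans zero or more segments, '*' is a wildcard inside one segment."""
    if not pattern:
        return not path
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        return any(_match(rest, path[i:]) for i in range(len(path) + 1))
    return bool(path) and fnmatch.fnmatchcase(path[0], head) and _match(rest, path[1:])


def rule_applies(rule: Rule, path: str, event: str) -> bool:
    """A rule applies when its event (if any) and its path pattern both match."""
    if rule.event is not None and rule.event != event:
        return False
    return _match(_segments(rule.path), _segments(path))


def decide(rules: List[Rule], who: Principal, path: str, event: str) -> bool:
    """First matching rule decides; later rules are never consulted."""
    for rule in rules:
        if rule_applies(rule, path, event):
            if rule.access == "IS_AUTHENTICATED_ANONYMOUSLY":
                return True
            required = {r.strip() for r in rule.access.split(",")}
            return who.authenticated and not required.isdisjoint(who.roles)
    return False  # fail-closed when nothing matches (a choice of this model)


# The page's table as declared: specific button rule first, catch-all last.
PAGE_RULES = [
    Rule(path="//**/btn_*", access="ROLE_TELLER", event="onClick"),
    Rule(path="/**", access="IS_AUTHENTICATED_ANONYMOUSLY"),
]
# The same table admitting both roles the example description mentions.
BOTH_ROLES = [
    Rule(path="//**/btn_*", access="ROLE_TELLER,ROLE_ADMINISTRATOR", event="onClick"),
    Rule(path="/**", access="IS_AUTHENTICATED_ANONYMOUSLY"),
]
# Misordered table: the catch-all now shadows the button rule.
MISORDERED = list(reversed(PAGE_RULES))

# Constructed component path of a credit button on the accounts window.
BUTTON = "//accounts/win/btn_plus5"


def demo() -> Dict[str, bool]:
    """Decisions for the cases a practitioner should check before trusting the table."""
    return {
        "teller clicks button":            decide(PAGE_RULES, TELLER, BUTTON, "onClick"),
        "anonymous clicks button":         decide(PAGE_RULES, ANONYMOUS, BUTTON, "onClick"),
        "plain user clicks button":        decide(PAGE_RULES, USER, BUTTON, "onClick"),
        "anonymous views other component": decide(PAGE_RULES, ANONYMOUS, "//accounts/win/lb_balance", "onSelect"),
        "admin, page table":               decide(PAGE_RULES, ADMIN, BUTTON, "onClick"),
        "admin, both-roles table":         decide(BOTH_ROLES, ADMIN, BUTTON, "onClick"),
        "anonymous, misordered table":     decide(MISORDERED, ANONYMOUS, BUTTON, "onClick"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:35s} -> {'ALLOW' if allowed else 'DENY'}")
```

The two lines to look at are "admin, page table", which is denied because the page's access attribute names only ROLE_TELLER, and "anonymous, misordered table", which is allowed because the catch-all matched first. The real interceptor's behaviour for an event that matches no rule at all should be confirmed in your own deployment; this model denies it, whereas the page's configuration avoids the question by ending with a catch-all.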