Purpose

Enable or suppress rendering of certain parts of the UI based on the user's roles.

ZK Spring Security Utility Library

ZK-Spring-Security provides 2 ways to access user roles and permissions in a ZK application.

• SecurityUtil a java class providing static methods to be used in component, controller and view model code
• Taglib functions and an implicit 'authentication' object to perform permission checks conveniently in ZUL files (with EL-Expressions)

Using the Taglib Functions in ZUL code

In zul files the special attributes if and unless are ideal candidates to render or omit certain parts of a zul file.

After declaring the taglib the functions are available with the specified prefix.

<?taglib uri="http://www.zkoss.org/zkspring/security" prefix="sec"?>
<zk>

  <div if="${sec:isAllGranted('ROLE_SUPERVISOR')}">
    This div and all child components are only displayed for user with the SUPERVISOR ROLE
    <listbox .../>
  </div>

  <button if="${sec:isAnyGranted('ROLE_TELLER,ROLE_ACCOUNTANT')}" 
     label="For TELLERs and ACCOUNTANTs only" >

  <zk if="${sec:isNoneGranted('ROLE_TRAINEE,ROLE_ROOKIE')}">
     TRAINEES and ROOKIES won't see this.
  </zk>
</zk>

As in all zul pages the the taglib function can also be used in EL expressions of normal component attributes as in the example below to disable a button. (The button will still render but in a disabled state.)

<button label="Transfer Money" disabled="${sec:isNoneGranted('ROLE_SUPERVISOR')}" .../>

Available functions as implemented in (org.zkoss.spring.security.SecurityUtil):

• boolean isNoneGranted(String authorities): Return true if the authenticated principal is granted NONE of the roles in the specified authorities.
• boolean isAllGranted(String authorities): Return true if the authenticated principal is granted ALL of the roles in the specified authorities.
• boolean isAnyGranted(String authorities): Return true if the authenticated principal is granted ANY of the roles in the specified authorities.
• boolean isAccessible(String hasPermission, Object domainObject): Return true if the current Authentication has one of the specified permissions to the presented domain object instance.
• Authentication getAuthentication(): Return currently login Authentication (similar to implicit "authentication" object).

In Java

Of course you can just call the methods of SecurityUtil from java code directly, to build the UI conditionally:

if (SecurityUtil.isAllGranted("ROLE_SUPERVISOR")) {
	Button btn = new Button();
	...
	btn.setParent(win);
}

The Implicit "authentication" Object

The DelegatingVariableResolver adds an implicit object "authentication" which exposes springs current authentication object org.springframework.security.core.Authentication to EL expressions.

<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>
<div>
  <label value="authentication.name"/> = ${authentication.name}
</div>
<div>
  <label value="authentication.principal.username"/> = ${authentication.principal.username}
</div>
<div>
  <label value="authentication.principal.enabled"/>  = ${authentication.principal.enabled}
</div>
<div>
  <label value="authentication.principal.accountNonLocked"/> = ${authentication.principal.accountNonLocked}
</div>

As you can see in the example code. Provides the variable resolver then we can access the "authentication" implicit object.

<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>

You can use the intuitive "a.b.c" form to access properties of the Authentication object in EL expression.

${authentication.principal.username}

Version History