Add Security in the View Layer


Revision as of 07:59, 22 January 2019




Purpose

Enable or suppress rendering of certain parts of the UI based on the user's roles.

ZK Spring Security Utility Library

ZK-Spring-Security provides 2 ways to access user roles and permissions in a ZK application.

  • SecurityUtil, a Java class providing static methods to be used in component, controller and view model code
  • Taglib functions and an implicit 'authentication' object to perform permission checks conveniently in ZUL files (with EL expressions)

Using the Taglib Functions in ZUL code

In ZUL files, the special attributes if and unless are ideal candidates for rendering or omitting certain parts of a ZUL file.

After declaring the taglib the functions are available with the specified prefix.

<?taglib uri="http://www.zkoss.org/zkspring/security" prefix="sec"?>
<zk>

  <div if="${sec:isAllGranted('ROLE_SUPERVISOR')}">
    This div and all child components are only displayed for user with the SUPERVISOR ROLE
    <listbox .../>
  </div>

  <button if="${sec:isAnyGranted('ROLE_TELLER,ROLE_ACCOUNTANT')}" 
     label="For TELLERs and ACCOUNTANTs only" />

  <zk if="${sec:isNoneGranted('ROLE_TRAINEE,ROLE_ROOKIE')}">
     TRAINEES and ROOKIES won't see this.
  </zk>
</zk>

As in all ZUL pages, the taglib functions can also be used in EL expressions of normal component attributes, as in the example below, which disables a button. (The button still renders, but in a disabled state.)

<button label="Transfer Money" disabled="${sec:isNoneGranted('ROLE_SUPERVISOR')}" .../>

Available functions as implemented in (org.zkoss.spring.security.SecurityUtil):

  • boolean isNoneGranted(String authorities): Return true if the authenticated principal is granted NONE of the roles in the specified authorities.
  • boolean isAllGranted(String authorities): Return true if the authenticated principal is granted ALL of the roles in the specified authorities.
  • boolean isAnyGranted(String authorities): Return true if the authenticated principal is granted ANY of the roles in the specified authorities.
  • boolean isAccessible(String hasPermission, Object domainObject): Return true if the current Authentication has one of the specified permissions to the presented domain object instance.
  • Authentication getAuthentication(): Return the currently logged-in Authentication (similar to the implicit "authentication" object).

In Java

Of course, you can also call the methods of SecurityUtil from Java code directly to build the UI conditionally:

if (SecurityUtil.isAllGranted("ROLE_SUPERVISOR")) {
	Button btn = new Button();
	...
	btn.setParent(win);
}
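A fuller version of the same idea, as an added example that is not part of the original page or the ZK Spring Security library: a SelectorComposer that decides the visibility of a button with SecurityUtil and then repeats the same check inside the event handler, because hiding or disabling a component only changes what is rendered, not what the server accepts. The window and button ids (transferWin, transferBtn) and the TransferComposer class are assumptions for this example.

```java
import org.springframework.security.access.AccessDeniedException;
import org.zkoss.spring.security.SecurityUtil;
import org.zkoss.zk.ui.select.SelectorComposer;
import org.zkoss.zk.ui.select.annotation.Listen;
import org.zkoss.zk.ui.select.annotation.Wire;
import org.zkoss.zul.Button;
import org.zkoss.zul.Window;

// Assumed ZUL (hypothetical ids):
//   <window id="transferWin" apply="example.TransferComposer">
//     <button id="transferBtn" label="Transfer Money"/>
//   </window>
public class TransferComposer extends SelectorComposer<Window> {

    // Same comma-separated form the taglib functions accept.
    private static final String TRANSFER_ROLES = "ROLE_TELLER,ROLE_ACCOUNTANT";

    @Wire
    private Button transferBtn;

    @Override
    public void doAfterCompose(Window comp) throws Exception {
        super.doAfterCompose(comp);
        // Presentation decision: only tellers and accountants see the button.
        transferBtn.setVisible(SecurityUtil.isAnyGranted(TRANSFER_ROLES));
    }

    @Listen("onClick = #transferBtn")
    public void onTransfer() {
        // Enforcement point: the check is repeated on the server for the event
        // itself, so the outcome does not depend on what the client rendered.
        if (!SecurityUtil.isAnyGranted(TRANSFER_ROLES)) {
            throw new AccessDeniedException("transfer requires " + TRANSFER_ROLES);
        }
        // Perform the transfer through a service that is itself secured
        // (e.g. with Spring Security method security), not in the composer.
    }
}
```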

The Implicit "authentication" Object

The DelegatingVariableResolver adds an implicit object "authentication" which exposes Spring's current authentication object, org.springframework.security.core.Authentication, to EL expressions.

<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>
<div>
  <label value="authentication.name"/> = ${authentication.name}
</div>
<div>
  <label value="authentication.principal.username"/> = ${authentication.principal.username}
</div>
<div>
  <label value="authentication.principal.enabled"/>  = ${authentication.principal.enabled}
</div>
<div>
  <label value="authentication.principal.accountNonLocked"/> = ${authentication.principal.accountNonLocked}
</div>

As the example code shows, once the variable resolver is declared, the "authentication" implicit object becomes accessible.

<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>

You can use the intuitive "a.b.c" form to access properties of the Authentication object in EL expression.

${authentication.principal.username}

Version History

Last Update : 2019/01/22


Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.