Add Security in the View Layer

Revision as of 12:03, 23 February 2011 by Ashishd





Purpose

Hide or show certain parts of the UI based on the user's authorization.

Example

This example is similar to the one introduced in the "Add page based security using authorized roles" section, except that the secured pages have been rewritten in ZUML to demonstrate how certain parts of a page are displayed or hidden based on the user's authorization. You can run this example by deploying the ZK Spring Essentials examples web archive (download here) and either visiting http://localhost:8080/zkspringessentials/home1.zul directly or visiting the index page and clicking on the Example 2 link. From the home1.zul page you can navigate to the secure pages using the links in the bottom two rows. Once on the secure/index.zul page, we display a message about access to secure/extreme/index.zul that depends on whether the logged-in user has been assigned ROLE_SUPERVISOR.

Configuration

Since this example is similar to the one introduced in the earlier sections, you can follow the same configuration steps.

ZK Spring Security Utility Library

To use security features in the view layer you can utilize the ZK Spring Security utility library, which is defined as a tag library. You can use its utility functions in the "if" and "unless" attributes of ZK components to show, hide, enable or disable specific ZK components. To use this library, declare a taglib directive at the start of your ZUML page; the utility functions are then available in your EL expressions.

<?taglib uri="http://www.zkoss.org/zkspring/security" prefix="sec"?>

In ZUML

Let's take a look at the secure/index.zul page to see how the utility functions are used.

<?page title="Secure Page"?>
<?taglib uri="http://www.zkoss.org/zkspring/security" prefix="sec"?>
<?variable-resolver class="org.zkoss.spring.DelegatingVariableResolver"?>
<window title="Secure Page" border="normal" width="500px" xmlns:n="http://www.zkoss.org/2005/zk/native">
    <n:p>
    This is a protected page. You can get to me if you've been remembered,
    or if you've authenticated this session.
    </n:p>

    <zk if="${sec:isAllGranted('ROLE_SUPERVISOR')}">
        You are a supervisor! You can therefore see the <n:a href="extreme/index.zul">extremely secure page</n:a>.
    </zk>
    <zk unless="${sec:isAllGranted('ROLE_SUPERVISOR')}">
        You are NOT a supervisor! You can NOT see the <n:a href="extreme/index.zul">extremely secure page</n:a>.
    </zk>

    <n:h4>Properties obtained using implicit Object <n:b>"authentication"</n:b>.</n:h4>
    <grid>
        <columns>
            <column label="Expression"/>
            <column label="Value" width="50px"/>
        </columns>
        <rows>
            <row><label value="authentication.name"/>${authentication.name}</row>
            <row><label value="authentication.principal.username"/>${authentication.principal.username}</row>
            <row><label value="authentication.principal.enabled"/>${authentication.principal.enabled}</row>
            <row><label value="authentication.principal.accountNonLocked"/>${authentication.principal.accountNonLocked}</row>
        </rows>
    </grid>
    <separator bar="true"></separator>
    <button label="Home" href="../home1.zul"/>
    <button label="Logout" href="../j_spring_security_logout"/>
</window>


The expression "sec:isAllGranted('role1,role2, ...')" checks whether the currently authenticated user has ALL of the roles listed in the isAllGranted() call and returns true or false. The if/unless attribute then decides whether that part of the page is rendered. Note that this only controls what the page renders; the URL itself (for example extreme/index.zul) still has to be protected by the page-based security configured in the earlier section. You can also use such expressions on other ZK components, e.g. if a button should only be shown to a supervisor:

<button label="Transfer Money" if="${sec:isAllGranted('ROLE_SUPERVISOR')}" .../>

Or, if you want the button to stay visible to non-supervisor users but disabled:

<button label="Transfer Money" disabled="${sec:isNoneGranted('ROLE_SUPERVISOR')}" .../>

Functions of the ZK Spring Security Utility Library (org.zkoss.spring.security.SecurityUtil):

  • boolean isNoneGranted(String authorities): Return true if the authenticated principal is granted NONE of the roles in the specified authorities.
  • boolean isAllGranted(String authorities): Return true if the authenticated principal is granted ALL of the roles in the specified authorities.
  • boolean isAnyGranted(String authorities): Return true if the authenticated principal is granted ANY of the roles in the specified authorities.
  • boolean isAccessible(String hasPermission, Object domainObject): Return true if the current Authentication has one of the specified permissions to the presented domain object instance.
  • Authentication getAuthentication(): Return the currently logged-in Authentication (similar to the implicit "authentication" object).
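The three role predicates above are easy to confuse when more than one role is passed: NOT isAllGranted('a,b') is not the same as isNoneGranted('a,b'), so the if/disabled pairing shown for the single ROLE_SUPERVISOR case does not generalise to role lists. The following is an added example, not ZK Spring's source: it models the documented semantics of isAllGranted, isAnyGranted and isNoneGranted over a set of granted authority strings and runs them against two constructed principals. The comma-splitting and whitespace trimming are assumptions about how 'role1,role2, ...' is parsed; the real SecurityUtil may differ in detail.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Assumed model of the SecurityUtil predicates, written to make their
// semantics concrete. Not the library's own implementation.
public final class RoleChecks {

    // Parse "role1,role2, ..." into a set. Comma is assumed to be the only
    // separator, and surrounding whitespace is ignored (an assumption).
    static Set<String> parseAuthorities(String authorities) {
        Set<String> wanted = new HashSet<String>();
        for (String a : authorities.split(",")) {
            String trimmed = a.trim();
            if (!trimmed.isEmpty()) {
                wanted.add(trimmed);
            }
        }
        return wanted;
    }

    // True only if every listed role is held.
    static boolean isAllGranted(Set<String> granted, String authorities) {
        return granted.containsAll(parseAuthorities(authorities));
    }

    // True if at least one listed role is held.
    static boolean isAnyGranted(Set<String> granted, String authorities) {
        for (String a : parseAuthorities(authorities)) {
            if (granted.contains(a)) {
                return true;
            }
        }
        return false;
    }

    // True if no listed role is held; the complement of isAnyGranted,
    // NOT the complement of isAllGranted.
    static boolean isNoneGranted(Set<String> granted, String authorities) {
        return !isAnyGranted(granted, authorities);
    }

    public static void main(String[] args) {
        // Constructed sample principals (not from the example application).
        Set<String> user = new HashSet<String>(Arrays.asList("ROLE_USER"));
        Set<String> supervisor = new HashSet<String>(
                Arrays.asList("ROLE_USER", "ROLE_SUPERVISOR"));

        // Single role: if=isAllGranted and disabled=isNoneGranted are complements.
        System.out.println("user  all(SUPERVISOR)  = " + isAllGranted(user, "ROLE_SUPERVISOR"));
        System.out.println("user  none(SUPERVISOR) = " + isNoneGranted(user, "ROLE_SUPERVISOR"));

        // Two roles: the negation of isAllGranted differs from isNoneGranted
        // for a principal that holds only one of them.
        String both = "ROLE_USER, ROLE_SUPERVISOR";
        System.out.println("user  !all(both)       = " + !isAllGranted(user, both));
        System.out.println("user  none(both)       = " + isNoneGranted(user, both));
        System.out.println("user  any(both)        = " + isAnyGranted(user, both));
        System.out.println("super all(both)        = " + isAllGranted(supervisor, both));
    }
}
```

Run it with javac and java; the "user" principal shows the two-role case where negating isAllGranted and calling isNoneGranted give different answers, which is why a disabled="..." expression for a multi-role requirement should be written in terms of the same predicate as the if="..." that shows the control, rather than by swapping isAllGranted for isNoneGranted.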

In Java

The examples shown so far are all .zul pages. "What if I would like to construct my pages in pure Java?" you might ask. The org.zkoss.spring.security.SecurityUtil class provides static methods that give access to all of the same functions, e.g.

// Only build the button when the current principal holds ROLE_SUPERVISOR
if (SecurityUtil.isAllGranted("ROLE_SUPERVISOR")) {
	Button btn = new Button();
	...
	btn.setParent(win);
}
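Building the button conditionally decides what is drawn, not what the server is willing to execute, so the action behind the button should check the role again when it runs. The following added example (not code from the ZK Spring project) is a ZK composer that uses SecurityUtil.isAllGranted() both when constructing the "Transfer Money" button and inside its onClick listener, and uses SecurityUtil.getAuthentication() to record the principal for a denied attempt so it can be picked up in logs. It assumes ZK's GenericForwardComposer and a Spring Security 3 org.springframework.security.core.Authentication; the performTransfer() hook and its arguments are hypothetical placeholders for the application's own business logic.

```java
import org.springframework.security.core.Authentication;
import org.zkoss.spring.security.SecurityUtil;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.event.Event;
import org.zkoss.zk.ui.event.EventListener;
import org.zkoss.zk.ui.event.Events;
import org.zkoss.zk.ui.util.GenericForwardComposer;
import org.zkoss.zul.Button;
import org.zkoss.zul.Label;

// Added example: a composer applied to a window, e.g. <window apply="TransferComposer"/>.
// Assumption: ZK 5/6 GenericForwardComposer and Spring Security 3 Authentication.
public class TransferComposer extends GenericForwardComposer {

    private static final String REQUIRED_ROLE = "ROLE_SUPERVISOR";

    // Hypothetical business hook; a real application would call its service here.
    protected void performTransfer(String fromAccount, String toAccount, long cents) {
        System.out.println("transfer " + cents + " cents from " + fromAccount + " to " + toAccount);
    }

    // Name of the current principal for log lines; "anonymous" if none is present.
    private static String principalName() {
        Authentication auth = SecurityUtil.getAuthentication();
        return (auth == null) ? "anonymous" : auth.getName();
    }

    @Override
    public void doAfterCompose(Component comp) throws Exception {
        super.doAfterCompose(comp);
        final Label status = new Label();
        status.setParent(comp);

        // View-layer decision: equivalent of if="${sec:isAllGranted('ROLE_SUPERVISOR')}".
        if (!SecurityUtil.isAllGranted(REQUIRED_ROLE)) {
            status.setValue("You are NOT a supervisor! You can NOT transfer money.");
            return;
        }

        Button btn = new Button("Transfer Money");
        btn.addEventListener(Events.ON_CLICK, new EventListener() {
            public void onEvent(Event event) throws Exception {
                // Re-check at the action: the button's existence is not an authorization decision.
                if (!SecurityUtil.isAllGranted(REQUIRED_ROLE)) {
                    // Record the denied attempt with the principal so it is visible in logs.
                    System.err.println("transfer denied for principal " + principalName());
                    status.setValue("Not authorized.");
                    return;
                }
                // Constructed sample arguments for the hypothetical hook.
                performTransfer("acct-src", "acct-dst", 1000L);
                status.setValue("Transfer submitted by " + principalName());
            }
        });
        btn.setParent(comp);
    }
}
```

The second isAllGranted() call is deliberately redundant with the first on a normal click; it exists so that the transfer stays refused if the button ever reaches a page through a different path, or if the user's roles change between rendering and clicking.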

The Implicit "authentication" Object

ZK Spring Security introduces a new implicit object, "authentication". Whenever a user has logged in (including anonymous login), you can access the associated Spring Security Authentication object in EL expressions, zscript, or ZK annotated data-binding expressions.

WebContent/secure/index.zul

<?page title="Secure Page"?>
...
<?variable-resolver class="org.zkoss.spring.DelegatingVariableResolver"?>
<window title="Secure Page" border="normal" width="500px" xmlns:n="http://www.zkoss.org/2005/zk/native">

...

<n:h4>Properties obtained using implicit Object <n:b>"authentication"</n:b>.</n:h4>
<grid>
	<columns>
		<column label="Expression"/>
		<column label="Value" width="50px"/>
	</columns>
	<rows>
		<row><label value="authentication.name"/>${authentication.name}</row>
		<row><label value="authentication.principal.username"/>${authentication.principal.username}</row>
		<row><label value="authentication.principal.enabled"/>${authentication.principal.enabled}</row>
		<row><label value="authentication.principal.accountNonLocked"/>${authentication.principal.accountNonLocked}</row>
	</rows>
</grid>

...

</window>

As you can see in the example code, once the variable resolver below is declared we can access the "authentication" implicit object.

<?variable-resolver class="org.zkoss.spring.DelegatingVariableResolver"?>

You can use the intuitive "a.b.c" form to access properties of the Authentication object in an EL expression.

${authentication.principal.username}

Version History

Last Update : 2011/02/23



Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.