Add Security in the View Layer
Purpose
Enable or suppress rendering of certain parts of the UI based on the user's roles.
ZK Spring Security Utility Library
ZK-Spring-Security provides two ways to access user roles and permissions in a ZK application:
- SecurityUtil, a Java class providing static methods for use in component, controller and view model code
- Taglib functions and an implicit 'authentication' object for performing permission checks conveniently in ZUL files (with EL expressions)
Using the Taglib Functions in ZUL code
In zul files, the special attributes if and unless are ideal for rendering or omitting certain parts of a zul file.
After declaring the taglib, the functions are available under the specified prefix.
```xml
<?taglib uri="http://www.zkoss.org/zkspring/security" prefix="sec"?>
<zk>
    <div if="${sec:isAllGranted('ROLE_SUPERVISOR')}">
        This div and all child components are only displayed for users with the SUPERVISOR role
        <listbox .../>
    </div>
    <button if="${sec:isAnyGranted('ROLE_TELLER,ROLE_ACCOUNTANT')}"
            label="For TELLERs and ACCOUNTANTs only" />
    <zk if="${sec:isNoneGranted('ROLE_TRAINEE,ROLE_ROOKIE')}">
        TRAINEES and ROOKIES won't see this.
    </zk>
</zk>
```
As in all zul pages, the taglib functions can also be used in EL expressions of normal component attributes, as in the example below, which disables a button. (The button still renders, but in a disabled state.)
```xml
<button label="Transfer Money" disabled="${sec:isNoneGranted('ROLE_SUPERVISOR')}" .../>
```
Available functions, as implemented in org.zkoss.spring.security.SecurityUtil (authorities are passed as a comma-separated list of role names):
- boolean isNoneGranted(String authorities): Returns true if the authenticated principal is granted NONE of the roles in the specified authorities.
- boolean isAllGranted(String authorities): Returns true if the authenticated principal is granted ALL of the roles in the specified authorities.
- boolean isAnyGranted(String authorities): Returns true if the authenticated principal is granted ANY of the roles in the specified authorities.
- boolean isAccessible(String hasPermission, Object domainObject): Returns true if the current Authentication has one of the specified permissions on the presented domain object instance.
- Authentication getAuthentication(): Returns the currently logged-in Authentication (the same object as the implicit "authentication" variable).
In Java
Of course, you can also call the methods of SecurityUtil directly from Java code to build the UI conditionally:
```java
import org.zkoss.spring.security.SecurityUtil;
import org.zkoss.zul.Button;

// Only create (and attach) the button when the current user holds ROLE_SUPERVISOR
if (SecurityUtil.isAllGranted("ROLE_SUPERVISOR")) {
    Button btn = new Button();
    ...
    btn.setParent(win);
}
```
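The following composer is an added example, not code from the ZK documentation or the zkspring-security project. It shows the pattern above inside a SelectorComposer and adds the check a practitioner wants alongside it: the role is verified again when the action runs, not only when the button is built, because roles can change during a session and the same action may be reachable from other components. It assumes ZK and zkspring-security are on the classpath; the class name TransferComposer, the window id transferWin and the transfer() body are hypothetical.

```java
import org.springframework.security.access.AccessDeniedException;
import org.zkoss.spring.security.SecurityUtil;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.event.Events;
import org.zkoss.zk.ui.select.SelectorComposer;
import org.zkoss.zk.ui.select.annotation.Wire;
import org.zkoss.zul.Button;
import org.zkoss.zul.Messagebox;
import org.zkoss.zul.Window;

// Hypothetical composer, applied in a zul file with
// <window id="transferWin" apply="example.TransferComposer"/>
public class TransferComposer extends SelectorComposer<Component> {

    // Role required both to see the button and to run the transfer
    private static final String REQUIRED_ROLE = "ROLE_SUPERVISOR";

    @Wire
    private Window transferWin;  // wired by id from the zul file (assumed id)

    @Override
    public void doAfterCompose(Component comp) throws Exception {
        super.doAfterCompose(comp);
        // UI shaping: same effect as if="${sec:isAllGranted('ROLE_SUPERVISOR')}" in zul
        if (SecurityUtil.isAllGranted(REQUIRED_ROLE)) {
            Button btn = new Button("Transfer Money");
            btn.addEventListener(Events.ON_CLICK, event -> transfer());
            btn.setParent(transferWin);
        }
    }

    private void transfer() {
        // Authorization of the action itself: do not rely on the button having
        // been rendered; re-check the role at the moment the action executes.
        if (!SecurityUtil.isAllGranted(REQUIRED_ROLE)) {
            throw new AccessDeniedException(REQUIRED_ROLE + " is required to transfer money");
        }
        // ... perform the transfer (hypothetical business logic) ...
        Messagebox.show("Transfer done");
    }
}
```

The rendering check and the action check use the same constant, so the two cannot drift apart when the required role is renamed. The AccessDeniedException is Spring Security's own type, so it is handled like any other access denial in the application.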
The Implicit "authentication" Object
The DelegatingVariableResolver adds an implicit object "authentication" which exposes Spring's current authentication object (org.springframework.security.core.Authentication) to EL expressions.
```xml
<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>
<div>
    <label value="authentication.name"/> = ${authentication.name}
</div>
<div>
    <label value="authentication.principal.username"/> = ${authentication.principal.username}
</div>
<div>
    <label value="authentication.principal.enabled"/> = ${authentication.principal.enabled}
</div>
<div>
    <label value="authentication.principal.accountNonLocked"/> = ${authentication.principal.accountNonLocked}
</div>
```
As the example shows, once the variable resolver is declared, the "authentication" implicit object becomes available:
```xml
<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>
```
You can use the intuitive "a.b.c" form to access properties of the Authentication object in EL expressions:
```xml
${authentication.principal.username}
```
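The view model below is an added example, not part of the ZK documentation. It exposes the same properties the zul snippet above reads through ${authentication...}, but via SecurityUtil.getAuthentication() in Java, and it handles the case the EL form does not: the principal is only a UserDetails for a normally logged-in user, so ${authentication.principal.username} fails when there is no Authentication or when the principal is a plain String (Spring's anonymous authentication uses the string "anonymousUser"). It assumes zkspring-security and spring-security-core are on the classpath; the class name AccountStatusViewModel and the property names are hypothetical.

```java
import java.util.stream.Collectors;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.zkoss.spring.security.SecurityUtil;

// Hypothetical MVVM view model, bound in zul with
// <div viewModel="@id('vm') @init('example.AccountStatusViewModel')">
//     <label value="@load(vm.username)"/> <label value="@load(vm.roles)"/>
// </div>
public class AccountStatusViewModel {

    // The same object the implicit "authentication" EL variable exposes.
    // Returns null when nobody is authenticated yet.
    private static Authentication currentAuthentication() {
        return SecurityUtil.getAuthentication();
    }

    // Principal is a UserDetails for a normal login, a String for anonymous
    // authentication; only return it as UserDetails when it really is one.
    private static UserDetails userDetails(Authentication auth) {
        if (auth != null && auth.getPrincipal() instanceof UserDetails) {
            return (UserDetails) auth.getPrincipal();
        }
        return null;
    }

    // Equivalent of ${authentication.principal.username}, but safe for every principal type
    public String getUsername() {
        Authentication auth = currentAuthentication();
        if (auth == null) {
            return "(not authenticated)";
        }
        UserDetails user = userDetails(auth);
        // getName() works for any Authentication, including the anonymous one
        return user != null ? user.getUsername() : auth.getName();
    }

    // Equivalent of ${authentication.principal.enabled}; false when unknown
    public boolean isEnabled() {
        UserDetails user = userDetails(currentAuthentication());
        return user != null && user.isEnabled();
    }

    // Equivalent of ${authentication.principal.accountNonLocked}; false when unknown
    public boolean isAccountNonLocked() {
        UserDetails user = userDetails(currentAuthentication());
        return user != null && user.isAccountNonLocked();
    }

    // Comma-separated granted authorities, the same list the sec:* taglib
    // functions match against (empty string when not authenticated)
    public String getRoles() {
        Authentication auth = currentAuthentication();
        if (auth == null) {
            return "";
        }
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.joining(","));
    }
}
```

Defaulting the boolean properties to false when the principal is not a UserDetails means a page that hides controls behind @load(vm.enabled) fails closed for anonymous or unexpected principals instead of throwing an EL evaluation error.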