I've been working with the zkexample2 example, but I cannot understand the structure that was used; it is very confusing. I hope someone can help me understand and apply this a little more. I have the Spring Security 3 book, but it is still not very clear to me, and the examples are very basic.
What I urge is to know how the project and that structure should wear, because I'm currently developing with jpa, what are the lessons to be created and how they should link to, as I say I have information about anyone but me help chewing.
Please help, it is very urgent for a project I have in development.
Thanks.
Hi Jaider2523,
welcome to zk.
Zksample2 is a community project. So if you study the history you can see that it grows until zk 3.5.2. At that time only a few guys worked with Spring Security and ZK.
So we went the way of getting the SecurityContextHolder in pure Spring code. As Zksample2 is a pure AJAX one-page application, meaning you have the same web address every time, most of the Spring features are not running for this kind of application.
So we secure what we need to secure with a manual check in UserWorkspace.java, where you'll find a method isAllowed() that searches the GrantedRights string list that is filled for the logged-in user.
For method securing we can do that with the annotation @Secured, which we evaluate by hooking the main zk onEvent method in our BaseControllers.
We know that not all rights are up to date because it's very, very time intensive to do that. Have a look at an old 'not annotate databinded' module, like 'customer', where you can find the manual ckeckRights() method, and play with the @Secured annotation. But have a look for that in the customizable single rights list.
Most of the time that's the reason why some guys do not understand the structure. Please read the chapter in the Zksample2 documentation. We do not secure 'Role_Admin' or 'Role_User1', 'Role_User2' by a fixed declaration in the code. If you need to modify something you must modify the code like the whole samples in the Spring Security documentation or on the web.
Our solution is customizable.
So we secure a 'rightName', meaning a button is not secured with 'Role_Admin'; no, a button is secured by its name, like 'Customer.Btn.Save'. So we can take this rightName for several groups and RoleNames.
You can read a little bit more here.
best
Stephan
PS: At least. A right in spring-security is only a string in their GrantedRights list. So you only need to use an existing mechanism or write your own to check something against that list.
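The right-name approach described in the answer above, as an added sketch that is not part of the original post and is not Zksample2 code: rights are plain strings attached to groups, the logged-in user's workspace holds the resulting list, and one central dispatch hook checks the handler's annotation against it. `Workspace`, `RequiresRight`, `GROUP_RIGHTS`, `dispatch` and the group names are hypothetical; `RequiresRight` stands in for `@Secured` so the demo runs without Spring, and refusing unannotated handlers is this example's own choice.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class RightNameDemo {
    // Hypothetical stand-in for Spring Security's @Secured, so the demo needs no Spring jar.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRight { String value(); }

    // Plays the part of UserWorkspace: holds the right strings granted to the logged-in user.
    static final class Workspace {
        private final Set<String> grantedRights;
        Workspace(Set<String> grantedRights) { this.grantedRights = Set.copyOf(grantedRights); }
        boolean isAllowed(String rightName) { return grantedRights.contains(rightName); }
    }

    // Constructed sample data: which rights each group carries (kept in tables in a real system,
    // so the mapping can change without touching the code).
    static final Map<String, Set<String>> GROUP_RIGHTS = Map.of(
        "Office", Set.of("Customer.Btn.Save", "Customer.Btn.New"),
        "ReadOnly", Set.of("Customer.List.View"));

    // Build the user's flat rights list from group membership at login.
    static Workspace login(Collection<String> groups) {
        Set<String> rights = new HashSet<>();
        for (String g : groups) rights.addAll(GROUP_RIGHTS.getOrDefault(g, Set.of()));
        return new Workspace(rights);
    }

    static class CustomerController {
        // The handler is secured by the right's name, not by a role name.
        @RequiresRight("Customer.Btn.Save")
        public String onClick$btnSave() { return "saved"; }
    }

    // Central hook: every event handler call passes through here before it runs.
    // Handlers without an annotation, or users without the right, are refused.
    static String dispatch(Object ctrl, String handler, Workspace ws) throws Exception {
        Method m = ctrl.getClass().getMethod(handler);
        RequiresRight r = m.getAnnotation(RequiresRight.class);
        if (r == null || !ws.isAllowed(r.value())) return "denied";
        return (String) m.invoke(ctrl);
    }

    public static void main(String[] args) throws Exception {
        CustomerController c = new CustomerController();
        System.out.println(dispatch(c, "onClick$btnSave", login(List.of("Office"))));
        System.out.println(dispatch(c, "onClick$btnSave", login(List.of("ReadOnly"))));
    }
}
```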
Thanks for your help, I'll be reading a bit more about it. What happens is that I work very little with databinding; I usually work in the traditional manner, with ORM and data management jpa and bore my own methods which are not are very different from databinding, which uses much the Apply, I'm going more with the use. Anyway, I will continue reading and researching. I wonder what are the lessons exactly related to the security area between Spring and ZK.
This application is very solid in structure and that is why I draw much attention, because mine is based on users, groups, groups-members, authority, group authority. I work with DAO and DAOFactory structure.
I apologize for my English, because I do not use the language much and I have to avail myself of Google Translator on many occasions. I hope to see become clear.
Sincerely,
Jaider
Asked: 2011-04-05 09:16:34 +0800
Seen: 262 times
Last updated: Apr 05 '11