Using Spring Security to Secure <tab>s

asked 2009-04-29 21:49:24 +0800

bdrhoa
90 ● 2

updated 2009-04-29 22:04:15 +0800

I am trying to model the security in my app after Ajax Based Login with ZK and Spring Security System which secures
ZK button click events with:

applicationContext-security.xml

 	
. . .
<zksp:zk-event login-template-close-delay="5">
     <zksp:intercept-event event="onClick" path="//**/btn_*" access="ROLE_TELLER"/>
     <zksp:intercept-event path="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</zksp:zk-event>
. . .

I'm using a

<borderlayout>

, which means the URL for my app is always
index.zul. So I assume to secure pieces of the application, I must use event security
as shown the article. First, is my assumption correct?

Now my 2nd question. Please explain the syntax for

path="//**/btn_*"

.
How do you know what the pattern should be? Of course the end of this pattern says look
at components that start with btn_. But what does the start of the pattern (//**/)mean?
Is there documentation on the pattern?

Now my big question. I am looking to secure specific <tab>s in <tabbox>s and I am
getting this error (possibly because of the pattern (path="//**/tbUsers_*) I'm using in my
applicationContext-security.xml shown below):

 
Failed to load /control/users.zul

Cause: org.xml.sax.SAXParseException: Element type "tab" must be followed by either attribute specifications, ">" or "/>".
org.zkoss.lang.SystemException: org.xml.sax.SAXParseException: Element type "tab" must be followed by either attribute specifications, ">" or "/>".
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
	at org.zkoss.lang.Classes.newInstance(Classes.java:78)
	at org.zkoss.lang.Exceptions.wrap(Exceptions.java:164)
	at org.zkoss.lang.SystemException$Aide.wrap(SystemException.java:47)
	at org.zkoss.util.resource.ResourceCache.get(ResourceCache.java:159)
	at org.zkoss.web.util.resource.ResourceCaches.get(ResourceCaches.java:131)
...

in the following code:

control.zul

<zk>
	<borderlayout width="100%">
		<center autoscroll="true" flex="true" border="0">
			<tabbox id="tabbox">
				<tabs>
					. . .
					<tab label="Users" />
					. . .
				</tabs>
				<tabpanels>
					. . .
					<tabpanel height="320px">
						<include id="tpCtlUsers" sclass="ctlUsers" src="control/users.zul" />
					</tabpanel>
					. . .
				</tabpanels>
			</tabbox>
		</center>
	</borderlayout>
</zk>

users.zul

<zk>
	<tabbox id="tbUsers" mold="accordion-lite">
		<tabs>
			<tab id="tbUsers_Groups" label="Groups" />
			<tab id="tbUsers_Users"label="Users" />
			<tab id="tbUsers_Tab3" label="Tab 3" />
			<tab id="tbUsers_Tab4"label="Tab 4" />
		</tabs>
	</tabbox>
</zk>

applicationContext-security.xml

<?xml version="1.0" encoding="UTF-8"?>


<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:zksp="http://www.zkoss.org/2008/zkspring"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd
                        http://www.zkoss.org/2008/zkspring http://www.zkoss.org/2008/zkspring/zkspring.xsd">
	
	<global-method-security secured-annotations="enabled">
	</global-method-security>


    <http auto-config="true" >
        <intercept-url pattern="/control/import/**" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/control/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        
           <!-- use own login page rather than the default one provided by the SPRING (not ZK) frame work (no .zul or .jsp) -->
        <form-login login-page="/login.zul"/>
        
    </http>

	. . .

 	<zksp:zk-event login-template-close-delay="5">
		<zksp:intercept-event event="onClick" path="//**/tbUsers_*" access="ROLE_TELLER"/>
		<zksp:intercept-event path="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
 	</zksp:zk-event>
	
</beans:beans>

delete flag offensive retag edit

7 Replies

Sort by » oldest newest

answered 2009-04-30 07:35:36 +0800

dennis
3679 ● 1 ● 6
http://www.javaworld.com....

updated 2009-04-30 07:39:34 +0800

about the exception, your biggest problem , isn't just a typo?

  <tab id="tbUsers_Users" label="Users" />
  <tab id="tbUsers_Tab4" label="Tab 4" />

you need to give space between attributes.

  <tab id="tbUsers_Users"        label="Users" />
  <tab id="tbUsers_Tab4"         label="Tab 4" />

link publish delete flag offensive edit

answered 2009-05-01 07:25:08 +0800

bdrhoa
90 ● 2

Yes, the spacing was the cause of the exception. Thank you! I might not have seen that for a very long time.

So now, I'd expect that once I click on the USER tab that I'd be redirected to the login.zul. But nothing happens. What else am I missing?

link publish delete flag offensive edit

answered 2009-05-04 01:25:11 +0800

dennis
3679 ● 1 ● 6
http://www.javaworld.com....

updated 2009-05-05 01:00:39 +0800

not every event been triggered and sent to server,
Usually, if you didn't listen a event, then the event will not be sent back or sent back directly.
So, try this, add a empty onClick, <tab id="tbUsers_Users" label="Users" onClick=""/>
(I didn't try it, but it should work.)

link publish delete flag offensive edit

answered 2009-05-04 22:48:19 +0800

bdrhoa
90 ● 2

updated 2009-05-04 22:48:50 +0800

That worked!

Now what I really want to do is only show certain tabs to users, based on their role. But I'm running into problems trying to use the spring security taglib.

I found a related thread and posted the detail there.

Thanks for all the help!