Secure Flow
Latest revision as of 05:55, 25 February 2011
Purpose
Secure a flow based on the user's authorization
Example
We continue enhancing our booking example, but now we want to secure the booking flow, since it doesn't make sense to make a booking without knowing the user's details. To keep things simple, we secure this flow for registered users only. All they have to do is log in to the application to make a valid hotel booking.
Let's see the demo in action first.
demo
As you can see, if the user isn't logged in when he wants to book a hotel, he is asked to log in through a login popup. This is a feature of ZK Spring Security, introduced in the earlier section that described its features.
Configuration
To secure a webflow, all we need to do is declare a <secured /> element in the flow definition. Here is how we secured our booking webflow in booking.xml:
...
<secured attributes="ROLE_USER" />
...
We secure this flow so that only users with the ROLE_USER role are authorized to access it. As the demo above shows, users are presented with an Ajax login popup to log in to the application, which requires some settings in your security configuration file. Below we show the configuration that achieves this.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:zksp="http://www.zkoss.org/2008/zkspring/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd
           http://www.zkoss.org/2008/zkspring/security
           http://www.zkoss.org/2008/zkspring/security/zkspring-security.xsd">

    <!-- Configure Spring Security -->
    <security:http auto-config="true">
        <security:form-login login-page="/spring/login" login-processing-url="/spring/loginProcess" authentication-failure-url="/spring/login?login_error=1" />
        <security:logout logout-url="/spring/logout" logout-success-url="/spring/logoutSuccess" />
        <security:custom-filter ref="zkDesktopReuseFilter" position="FIRST" />
        <security:custom-filter ref="zkDisableSessionInvalidateFilter" before="FORM_LOGIN_FILTER"/>
        <security:custom-filter ref="zkEnableSessionInvalidateFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <security:custom-filter ref="zkLoginOKFilter" after="FILTER_SECURITY_INTERCEPTOR"/>
        <security:custom-filter ref="zkError403Filter" after="LOGOUT_FILTER"/>
    </security:http>

    <zksp:zk-event login-template-close-delay="5">
        <!-- use own form-login definition in Ajax login -->
        <zksp:form-login login-page="/spring/loginPopup" authentication-failure-url="/spring/loginPopup?login_error=1"
                         width="597px" height="451px"/>
    </zksp:zk-event>

    <!--
        Define local authentication provider, a real app would use an external provider (JDBC, LDAP, CAS, etc)
        The password attributes below are unsalted MD5 hashes, used for these demo accounts only.
        usernames/passwords are:
            keith/melbourne
            erwin/leuven
            jeremy/atlanta
            scott/rochester
    -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:password-encoder hash="md5" />
            <security:user-service>
                <security:user name="keith" password="417c7382b16c395bc25b5da1398cf076" authorities="ROLE_USER, ROLE_SUPERVISOR" />
                <security:user name="erwin" password="12430911a8af075c6f41c6976af22b09" authorities="ROLE_USER, ROLE_SUPERVISOR" />
                <security:user name="jeremy" password="57c6cbff0d421449be820763f03139eb" authorities="ROLE_USER" />
                <security:user name="scott" password="942f2339bf50796de535a384f0d1af3e" authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
First, we declare the ZK Spring Security namespace at the start of our XML file.
Second, we configure the ZK Spring Security custom filters using the <security:custom-filter /> child element of the <http /> element.
Third, we set up a custom login popup page with the <zk-event /> element and its <form-login /> child element.
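As an added example (not code from the original page or the ZK project), the Python check below reads a flow's <secured /> element and the in-memory user-service to list which accounts may enter the flow, and flags password encoders that use a weak digest. It assumes the standard Spring Web Flow namespace and the element's match attribute ("any" by default), neither of which is shown on this page; the sample XML, the placeholder password values and the "guest" user are constructed.

```python
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"
FLOW = "{http://www.springframework.org/schema/webflow}"  # assumed flow namespace
WEAK_HASHES = {"plaintext", "md4", "md5"}

# Constructed samples: trimmed booking.xml and security file; "guest" is hypothetical.
FLOW_XML = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <secured attributes="ROLE_USER" />
</flow>"""
SECURITY_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security">
  <security:authentication-manager><security:authentication-provider>
    <security:password-encoder hash="md5" />
    <security:user-service>
      <security:user name="keith" password="HASH" authorities="ROLE_USER, ROLE_SUPERVISOR" />
      <security:user name="jeremy" password="HASH" authorities="ROLE_USER" />
      <security:user name="guest" password="HASH" authorities="ROLE_GUEST" />
    </security:user-service>
  </security:authentication-provider></security:authentication-manager>
</beans>"""

def split_roles(value):
    return {role.strip() for role in value.split(",") if role.strip()}

def flow_requirement(flow_xml):
    """Return (required_roles, match) from <secured/>, or None if the flow is open."""
    secured = ET.fromstring(flow_xml).find(FLOW + "secured")
    if secured is None:
        return None
    return split_roles(secured.get("attributes", "")), secured.get("match", "any")

def users_allowed(flow_xml, security_xml):
    """List the in-memory users whose authorities satisfy the flow's <secured/>."""
    requirement = flow_requirement(flow_xml)
    if requirement is None:
        return None  # nothing to enforce: every visitor can enter the flow
    required, match = requirement
    allowed = []
    for user in ET.fromstring(security_xml).iter(SEC + "user"):
        granted = split_roles(user.get("authorities", ""))
        if (required <= granted) if match == "all" else (required & granted):
            allowed.append(user.get("name"))
    return sorted(allowed)

def weak_encoders(security_xml):
    """Return the hash names of password encoders that use a fast, weak digest."""
    root = ET.fromstring(security_xml)
    return [e.get("hash") for e in root.iter(SEC + "password-encoder")
            if e.get("hash") in WEAK_HASHES]

if __name__ == "__main__":
    print(users_allowed(FLOW_XML, SECURITY_XML), weak_encoders(SECURITY_XML))
```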
Version History
Version | Date | Content |
---|---|---|