Add Page Based Security Using Authorized Roles

From Documentation
Revision as of 12:15, 22 February 2011 by Ashishd (talk | contribs)

Purpose

Secure ZK ZUML pages with Authorized roles

Example

This Example is borrowed from the standard Spring Security tutorial sample and has been modified to work with ZK using ZK Spring Security. You can download the example codes from ZK Spring Essentials Google Code source repository here. You can see this example in action by deploying ZK Spring Essentials web archive and hitting example home page at http://localhost:8080/zkspringessentials/home.zul and you will see following screen. home.zul page is configured to be accessible to anyone.

ZKSpringEssentials SecurityExampleHome.jpg

This table lists links to different pages that users can visit. Two more pages as listed in the bottom two rows of above table that can be visited by clicking "Go" buttons, secure/index.jsp and secure/extreme/index.jsp are configured to be accessible to only those users that have certain authorized roles. If users click on these "Go" buttons, first Spring security checks if they are logged in or not. If they aren't logged in they will be presented a login page. On successful login Spring Security will also verify if they have the specific roles assigned to them that will authorize access to those pages. If they have been assigned those authorized roles users will be redirected to related pages or else they will be shown access denied page.

Lets dig into the configuration to see how we secure these pages with authorized roles

Configuration

Application specific configuration for Spring security is generally specified within Spring bean configuration file or altogether in a separate xml file. But for Spring Security to discover those configuration we need to add certain configuration into web.xml as shown below 

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext-security.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>


Here org.springframework.web.context.ContextLoaderListener is responsible for loading the Spring Security configurations and org.springframework.web.filter.DelegatingFilterProxy is the main entry point of Spring Security framework.

Now lets take a look at our example specific configuration that enables role based security to certain pages as described above. it is defined in applicationContext-security.xml file as shown below.

Version History

Last Update : 2011/02/22


Version Date Content
     
Retrieved from "https://www.zkoss.org/_w/index.php?title=ZK_Spring_Essentials/Working_with_ZK_Spring/Working_with_ZK_Spring_Security/Add_Page_Based_Security_Using_Authorized_Roles&oldid=17342"