Revision as of 07:54, 22 January 2019

Add Security in the View Layer
Purpose

Enable or suppress rendering of certain parts of the UI based on the user's roles.

ZK Spring Security Utility Library

ZK-Spring-Security provides 2 ways to access user roles and permissions in a ZK application.

  • SecurityUtil, a Java class providing static methods to be used in component, controller and view model code
  • Taglib functions and an implicit "authentication" object to perform permission checks conveniently in ZUL files (with EL expressions)

Using the Taglib Functions in ZUL code

In zul files, the special attributes if and unless are ideal for rendering or omitting parts of a zul page.

After declaring the taglib, the functions are available under the specified prefix.

<?taglib uri="http://www.zkoss.org/zkspring/security" prefix="sec"?>
<zk>

  <div if="${sec:isAllGranted('ROLE_SUPERVISOR')}">
    This div and all child components are only displayed for users with the SUPERVISOR role
    <listbox .../>
  </div>

  <button if="${sec:isAnyGranted('ROLE_TELLER,ROLE_ACCOUNTANT')}"
     label="For TELLERs and ACCOUNTANTs only" />

  <zk if="${sec:isNoneGranted('ROLE_TRAINEE,ROLE_ROOKIE')}">
     TRAINEES and ROOKIES won't see this.
  </zk>
</zk>

As in all zul pages, the taglib functions can also be used in EL expressions of normal component attributes, as in the example below, which disables a button. (The button will still render, but in a disabled state.)

<button label="Transfer Money" disabled="${sec:isNoneGranted('ROLE_SUPERVISOR')}" .../>

Available functions (as implemented in org.zkoss.spring.security.SecurityUtil):

  • boolean isNoneGranted(String authorities): Return true if the authenticated principal is granted NONE of the roles in the specified authorities.
  • boolean isAllGranted(String authorities): Return true if the authenticated principal is granted ALL of the roles in the specified authorities.
  • boolean isAnyGranted(String authorities): Return true if the authenticated principal is granted ANY of the roles in the specified authorities.
  • boolean isAccessible(String hasPermission, Object domainObject): Return true if the current Authentication has one of the specified permissions to the presented domain object instance.
  • Authentication getAuthentication(): Return the currently logged-in Authentication (the same object as the implicit "authentication" object).

In Java

You can also call the SecurityUtil methods directly from Java code to build the UI conditionally:

if (SecurityUtil.isAllGranted("ROLE_SUPERVISOR")) {
	Button btn = new Button();
	...
	btn.setParent(win);
}
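The following is an added example (not code from the ZK documentation or the ZK Spring Security project) that puts the Java fragment above into a complete SelectorComposer. It makes the same decisions as the zul if and disabled attributes from Java, displays the logged-in user and roles through SecurityUtil.getAuthentication(), and re-checks the role inside the onClick handler, because a component that was hidden or disabled at render time does not stop the browser from sending the event. The component ids (supervisorPanel, transferBtn, whoami), the package name and the transfer notification are assumptions made for this example.

```java
// Added example, not part of the ZK documentation. Component ids and the
// package name are assumed; the zul page is expected to contain
//   <div id="supervisorPanel">...</div>
//   <button id="transferBtn" label="Transfer Money"/>
//   <label id="whoami"/>
package demo;

import java.util.stream.Collectors;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.zkoss.spring.security.SecurityUtil;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.select.SelectorComposer;
import org.zkoss.zk.ui.select.annotation.Listen;
import org.zkoss.zk.ui.select.annotation.Wire;
import org.zkoss.zk.ui.util.Clients;
import org.zkoss.zul.Button;
import org.zkoss.zul.Div;
import org.zkoss.zul.Label;

public class AccountComposer extends SelectorComposer<Component> {

    @Wire private Div supervisorPanel;   // assumed id
    @Wire private Button transferBtn;    // assumed id
    @Wire private Label whoami;          // assumed id

    @Override
    public void doAfterCompose(Component comp) throws Exception {
        super.doAfterCompose(comp);

        // Same decision as if="${sec:isAllGranted('ROLE_SUPERVISOR')}":
        // the panel and all its children are removed for everyone else.
        if (!SecurityUtil.isAllGranted("ROLE_SUPERVISOR")) {
            supervisorPanel.detach();
        }

        // Same decision as disabled="${sec:isNoneGranted('ROLE_SUPERVISOR')}":
        // the button is still rendered, but cannot be clicked.
        transferBtn.setDisabled(SecurityUtil.isNoneGranted("ROLE_SUPERVISOR"));

        // getAuthentication() returns the object behind the implicit
        // "authentication" EL variable; show the user name and granted roles.
        Authentication auth = SecurityUtil.getAuthentication();
        if (auth == null) {
            whoami.setValue("not authenticated");
        } else {
            String roles = auth.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .collect(Collectors.joining(", "));
            whoami.setValue(auth.getName() + " [" + roles + "]");
        }
    }

    @Listen("onClick = #transferBtn")
    public void onTransfer() {
        // Rendering decisions only change what the browser receives. The
        // onClick event is still a request, so the role is checked again
        // before the privileged operation runs.
        if (!SecurityUtil.isAllGranted("ROLE_SUPERVISOR")) {
            throw new AccessDeniedException("ROLE_SUPERVISOR is required");
        }
        // Placeholder for the real business operation (assumed).
        Clients.showNotification("Transfer submitted");
    }
}
```

The role strings are passed to the same isAllGranted/isNoneGranted functions that the taglib exposes, so the Java and zul variants stay consistent; the check in onTransfer() is the part that actually enforces the restriction.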

The Implicit "authentication" Object

ZK Spring Security introduces an implicit object, "authentication". Once a user is logged in (including anonymous login), you can access the associated Spring Security Authentication object in EL expressions, zscript, or ZK annotated data binding expressions.

WebContent/secure/index.zul

<?page title="Secure Page"?>
...
<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>
<window title="Secure Page" border="normal" width="500px" xmlns:n="http://www.zkoss.org/2005/zk/native">

...

<n:h4>Properties obtained using implicit Object <n:b>"authentication"</n:b>.</n:h4>
<grid>
	<columns>
		<column label="Expression"/>
		<column label="Value" width="50px"/>
	</columns>
	<rows>
		<row><label value="authentication.name"/>${authentication.name}</row>
		<row><label value="authentication.principal.username"/>${authentication.principal.username}</row>
		<row><label value="authentication.principal.enabled"/>${authentication.principal.enabled}</row>
		<row><label value="authentication.principal.accountNonLocked"/>${authentication.principal.accountNonLocked}</row>
	</rows>
</grid>

...

</window>

As shown in the example code, declaring the variable resolver makes the "authentication" implicit object accessible:

<?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>

You can use the intuitive "a.b.c" form to access properties of the Authentication object in EL expression.

${authentication.principal.username}

Version History

Last Update : 2019/01/22

Version Date Content

Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.