From Documentation

Jump to: navigation, search



Secure a flow based on user's authorization


We continue enhancing our booking example but now we would like to secure booking flow as it doesn't make sense to make the booking without knowing the user details. To keep things simple we secure this flow only for registered users. All they have to do is to login to the application to make a valid booking of a hotel.

Lets see the demo in action fist.


As you can see if the user isn't loogged in when he wants to book certain hotel he is requested to login by presenting him a login popup. This is the feature of ZK Spring Security as introduced in earlier section when we described features of ZK Spring Security.


To secure a certain webflow all we need to do is to declare a <secured /> element in the flow definition. Here we show how we secured our booking webflow in booking.xml

    <secured attributes="ROLE_USER" />

We secure this flow and allow only users with ROLE_USER role to be authorized to access this particular flow. As you can see in the above demo users are presented an ajax login popup to login to the application which requires certain configuration in your security configuration file. Below we show what configurations are done to achieve this.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns=""

    <!-- Configure Spring Security -->
    <security:http auto-config="true">
        <security:form-login login-page="/spring/login" login-processing-url="/spring/loginProcess" authentication-failure-url="/spring/login?login_error=1" />
        <security:logout logout-url="/spring/logout" logout-success-url="/spring/logoutSuccess" />
        <security:custom-filter ref="zkDesktopReuseFilter" position="FIRST" />
        <security:custom-filter ref="zkDisableSessionInvalidateFilter" before="FORM_LOGIN_FILTER"/>
        <security:custom-filter ref="zkEnableSessionInvalidateFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
        <security:custom-filter ref="zkLoginOKFilter" after="FILTER_SECURITY_INTERCEPTOR"/>
        <security:custom-filter ref="zkError403Filter" after="LOGOUT_FILTER"/>
    <zksp:zk-event login-template-close-delay="5">
        <!-- use own form-login definition in Ajax login -->
        <zksp:form-login login-page="/spring/loginPopup" authentication-failure-url="/spring/loginPopup?login_error=1" 
            width="597px" height="451px"/>
        Define local authentication provider, a real app would use an external provider (JDBC, LDAP, CAS, etc)
        usernames/passwords are:
        <security:password-encoder hash="md5" />
            <security:user name="keith" password="417c7382b16c395bc25b5da1398cf076" authorities="ROLE_USER, ROLE_SUPERVISOR" />
            <security:user name="erwin" password="12430911a8af075c6f41c6976af22b09" authorities="ROLE_USER, ROLE_SUPERVISOR" />
            <security:user name="jeremy" password="57c6cbff0d421449be820763f03139eb" authorities="ROLE_USER" />
            <security:user name="scott" password="942f2339bf50796de535a384f0d1af3e" authorities="ROLE_USER" />

First we declare ZK Spring Security namespace at the start of our xml file. Second we configure ZK Spring Security custom filters using <security:custom-filter /> child element of <http /> element. Third we setup a custom login popup page with the <zk-event /> element and its <form-login /> child element.

Version History

Last Update : 2011/2/25

Version Date Content

Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.