Block Request for Inaccessible Widgets

From Documentation
DocumentationZK Developer's GuideAdvanced ZKSecurity TipsBlock Request for Inaccessible Widgets
Block Request for Inaccessible Widgets

Stop.png This documentation is for an older version of ZK. For the latest one, please click here.

Inaccessible widgets (such as disabled or invisible) can be accessed easily with a debugging tool running at the browser. For example, a hostile user can make an invisible button visible and then click on it to trigger unexpected actions. Thus, it is recommended not to create a widget if it is not supposedly accessible. For example, the first statement is safer than the second one in the following example:

<button unless="${accessible}"/>
<button visible="${accessible}"/>

Block with InaccessibleWidgetBlockService

[since 5.0.0]
[Enterprise Edition]

If you want to block request for inaccessible widgets for the whole application or for a particular desktop, you can implement the interface to filter out unwanted requests. ZK Enterprise Edition has provided a simple blocked called InaccessibleWidgetBlockService. To apply it to the whole application, just specify the following in WEB-INF/zk.xml as follows.


Then, each time a desktop is created, an instance of InaccessibleWidgetBlockService is added to the desktop to block the requests from the inaccessible widgets.

In many cases, you just want to block particular events, not all events. For example, you want to receive onOpen when a menupopup is going to show up. Then, you can specify a library property called to control the behavior of InaccessibleWidgetBlockService. For example,


Implement Your Own Block

The implementation of AuService is straightforward. For example, the following example blocks only button and onClick:

public class MyBlockService implements {
	public boolean service(AuRequest request, boolean everError) {
		final Component comp = request.getComponent();
		return (comp instanceof Button) && "onClick".equals(request.getCommand());
			//true means block

Last Update : 2022/01/19

Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.