Spring Security
Overview
Spring Security is an application framework that provides security services for J2EE-based enterprise software application. It is a popular and widely adopted framework, in this article we will demonstrate how to integrate it to secure a ZK application including securing pages, handling authentication process, securing components, and securing events. Our example is a simple forum-like application. Users can read, create, edit, and delete an article according to his authorities.
Configuration
Maven
We need to add dependencies for Spring Security and Maven’s transitive dependency management can include all necessary dependencies of Spring for us.
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${springsecurity.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${springsecurity.version}</version>
</dependency>
<!-- extra -->
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib</artifactId>
<version>2.2</version>
</dependency>
- Line 4: Becuase we use the security namespace in the application
context, we need
spring-security-config. - Line 16: Spring-core depends on commons-logging.
- Line 21: The cglib is optional. We add it because we use CGLIB-based class proxy.
 **Note:** If you don't use Maven,
please refer to Spring Security Reference Documentation to check which
JAR files are needed.
Spring
Our example application also integrates Spring framework, the required
configuration in web.xml is as follows:
web.xml
<!-- Loads the Spring application context configuration -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- For using web scoped bean -->
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
The ContextLoaderListener will load /WEB-INF/applicationContext.xml
(Spring configuration file) by default, and we follow this convention so
we don’t need to add extra configuration in web.xml.
applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation=
"http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
<context:component-scan base-package="org.zkoss.reference.developer.spring.security.model"/>
<import resource="applicationContext-security.xml"/>
</beans>
- Line 9: We can register beans by class-path scanning to reduce XML configuration effort.
- Line 11: We can import another configuration file for Spring Security.
Security Namespace Configuration
The first configuration you should add to use Spring Security is a
filter declaration in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
This filter is a hook into Spring Security’s web infrastructure. It intercepts all requests and hands over them to be processed by Spring Security internal filters.
Namespace configuration has been supported by Spring framework since
version 2.0 and it is an alternative configuration syntax which is
closer to problem domain. It also can reduce configuration’s complexity
because one element may contain multiple beans and processing steps. To
use the security namespace, you should have spring-security-config in
your classpath and add the schema declaration to your application
context file:
applicationContext-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation=
"http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- HTTP configuration sample -->
<http auto-config="true">
<!-- ZK AU reqeust -->
<intercept-url pattern="/zkau/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- the login page -->
<intercept-url pattern="/login.zul" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- pages for anonymous access in an application -->
<intercept-url pattern="/index.zul" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/articleContent.zul" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- secure pages -->
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login.zul"
authentication-failure-url="/login.zul?login_error=1"
login-processing-url="/j_spring_security_check"/>
<logout logout-success-url="/index.zul" invalidate-session="true" />
</http>
<!-- omit inactive configurations -->
<authentication-manager>
<authentication-provider user-service-ref="myUserDetailsService">
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
</beans:beans>
Here we introduce some main elements and will leave the details in the subsequent sections.
- LIne 12: The
element is the parent for all web-related namespace functions and we use `auto-config` to save configuration efforts. We also create a HTTPS configuration sample in `applicationContext-security.xml`. Please see source code for details.
- Line 32: Each Spring Security application which uses the namespace
configuration must include
. It is responsible for registering the `AuthenticationManager` which provides authentication services to the application. - Line 33:We implement our
MyUserDetailsServicebean to provide authentication service and configure it inelement.
Secure Pages
In Spring Security, pages are protected by
**What a anonymous user see**
**What a user with "ROLE_USER" see**
**What a user with "ROLE_EDITOR" see**
How do we achieve this security control in a zul? We can implement a
custom tag library to check current user's authorities and apply the tag
library on `if` or `disable` attribute. Please refer to
[ZUML_Reference/ZUML/Processing_Instructions/taglib/Custom_Taglib](ZUML_Reference/ZUML/Processing_Instructions/taglib/Custom_Taglib)
for details.
The tag library's function is implemented in
`org.zkoss.reference.developer.spring.security.SecurityUtil`. Here we
just briefly explain how `isAllGranted()` is implemented and you can
read other methods in the source code .
The `SecurityContextHolder` is the most fundamental object and is where
Spring Security stores the present security context of the application,
which includes details of the principal currently using the application.
We can obtain user information from `SecurityContextHolder` including
his authorities.
**SecurityUtil.java**
```java
package org.zkoss.reference.developer.spring.security;
//omit import
public class SecurityUtil {
public static boolean isAllGranted(String authorities) {
if (null == authorities || "".equals(authorities)) {
return false;
}
final Collection granted = getPrincipalAuthorities();
boolean isAllGranted = granted.containsAll(parseAuthorities(authorities));
return isAllGranted;
}
private static Collection getPrincipalAuthorities() {
Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();
if (null == currentUser) {
return Collections.emptyList();
}
if ((null == currentUser.getAuthorities()) || (currentUser.getAuthorities().isEmpty())) {
return Collections.emptyList();
}
Collection granted = currentUser.getAuthorities();
return granted;
}
//omit other methods
}
```
- Line 7: Return true if the authenticated principal is granted ALL of
the roles specified in authorities. The input parameter is a comma
separated list of roles which the user have been granted.
Then we still have to write a description file to describe the functions
that we can use in a zul. In our example, it is `/WEB-INF/security.tld`.
You can read the file in the source code.
**security.tld**
```xml