ZK Spring / ZKSPRING-36

zkspring-security will show the login dialog when requesting a zul without access control


    • Type: Bug
    • Resolution: Fixed
    • Priority: Normal
    • Fix Version: 3.1.1
    • Affects Version: 3.1
    • Component: security
    • Labels: None

      Created from ZKSPRING-33 (zkspring-security 3.1 incompatible with spring security 3.1).

      Problem description:

      The contributor "polyvjk" reported that he made a fix in ZkEventProcessListener for the problem below:

      "The modification prevents the firing of ZkEventProcessListener when the security chain you are currently on is not the one with the ZK filters installed. Also, the request has to match a rule in order for it to be processed.

      When you don't have this fix, ZK will show its login dialog every time there is a request to the server through the /zkau URL. Just try it out without the fix and you can see what I mean."

      User-provided configuration for reproducing:

      <security:http pattern="/zkau/web/**" security="none" /> <!-- we don't need security for static resources -->
      <security:http pattern="/login.zul**" security="none" /> <!-- and login page -->

      <security:http access-decision-manager-ref="accessDecisionManager" access-denied-page="/access-denied.zul">
          <security:intercept-url pattern="/index.zul" access="ROLE_USER" />
          <security:intercept-url pattern="/zkau/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

          <security:form-login login-page="/login.zul"
              authentication-failure-url="/login.zul?login_error=1" />
          <security:logout logout-success-url="/login.zul" invalidate-session="true" />
          <security:custom-filter ref="zkDesktopReuseFilter" position="FIRST" />
          <security:custom-filter ref="zkDisableSessionInvalidateFilter" before="FORM_LOGIN_FILTER" />
          <security:custom-filter ref="zkEnableSessionInvalidateFilter" before="FILTER_SECURITY_INTERCEPTOR" />
          <security:custom-filter ref="zkLoginOKFilter" after="FILTER_SECURITY_INTERCEPTOR" />
          <security:custom-filter ref="zkError403Filter" after="LOGOUT_FILTER" />
      </security:http>

      <zksp:zk-event login-template-close-delay="5" path-type="ant">
          <zksp:intercept-event event="onClick" path="//**/rolesBtn*" access="ROLE_ADMIN" />
          <zksp:intercept-event event="onClick" path="//**/childrenBtn*" access="ROLE_ADMIN" />
          <zksp:intercept-event event="onClick" path="//**/new*" access="ROLE_ADMIN" />
          <zksp:intercept-event event="onClick" path="//**/add*" access="ROLE_ADMIN" />
          <zksp:intercept-event event="onClick" path="//**/edit*" access="ROLE_ADMIN" />
          <zksp:intercept-event event="onClick" path="//**/delete*" access="ROLE_ADMIN" />
          <zksp:intercept-event path="//**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
          <zksp:form-login login-page="/login-event.zul" authentication-failure-url="/login-event.zul?login_error=1" />
      </zksp:zk-event>
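
      The two conditions in polyvjk's description (the request must be on the chain that carries the ZK filters, and it must match a rule) follow from how Spring Security picks a filter chain: with several <security:http> elements, the first one whose pattern matches the request wins, and a chain declared with security="none" runs no filters at all. The model below is an added example, not ZK Spring's or Spring Security's code. It replays the three chains and the two intercept-url rules from the configuration above with a simplified Ant-pattern matcher; the chain names, the reading of "rule" as the intercept-url rules, and the listener_should_fire guard are assumptions made for this illustration.

```python
import re

# Constructed model of the three <security:http> chains in the issue's
# configuration, in declaration order. Spring Security hands a request to the
# FIRST chain whose pattern matches; the ZK custom filters are registered only
# on the last (unpatterned, i.e. "/**") chain. Chain names are assumptions.
CHAINS = [
    ("static-resources", "/zkau/web/**", False),  # security="none"
    ("login-page",       "/login.zul**", False),  # security="none"
    ("main",             "/**",          True),   # chain carrying the ZK filters
]

# The <security:intercept-url> rules of the main chain, as given in the issue.
INTERCEPT_URLS = [
    ("/index.zul", "ROLE_USER"),
    ("/zkau/**",   "IS_AUTHENTICATED_ANONYMOUSLY"),
]


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex.

    Simplified model of Spring's AntPathMatcher (an assumption, not the real
    implementation): a trailing '/**' also matches the bare parent path,
    '**' elsewhere spans '/', and '*' / '?' stay within one path segment.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def servlet_path(url):
    """Drop the query string: chain matching is done on the servlet path."""
    return url.split("?", 1)[0]


def select_chain(url):
    """Return (chain name, has_zk_filters) for the chain that handles url."""
    path = servlet_path(url)
    for name, pattern, has_zk_filters in CHAINS:
        if ant_to_regex(pattern).match(path):
            return name, has_zk_filters
    return None, False


def matching_rule(url):
    """Return the first intercept-url rule (pattern, access) matching url, or None."""
    path = servlet_path(url)
    for pattern, access in INTERCEPT_URLS:
        if ant_to_regex(pattern).match(path):
            return pattern, access
    return None


def listener_should_fire(url):
    """Guard modelled on the two conditions in the description: the request is
    on the chain that carries the ZK filters AND it matches an intercept-url
    rule. A request failing either test is left alone instead of being answered
    with the login dialog."""
    _, has_zk_filters = select_chain(url)
    return has_zk_filters and matching_rule(url) is not None


if __name__ == "__main__":
    for url in ("/zkau/web/js/zk.wpd", "/login.zul?login_error=1",
                "/zkau", "/index.zul", "/access-denied.zul"):
        chain, _ = select_chain(url)
        print(f"{url:28} chain={chain:17} rule={matching_rule(url)} "
              f"listener={listener_should_fire(url)}")
```

      Running it shows the three cases the report is about: a static resource under /zkau/web/ and the login page never reach the ZK filters, an AU request to /zkau lands on the main chain and matches the /zkau/** rule, and a page such as /access-denied.zul, which no intercept-url rule covers, is on the ZK chain but without a rule, so the guarded listener stays quiet where the unfixed one showed the login dialog.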
      

            Assignee: hawk
            Reporter: hawk