In this blog post, the subject of creating a new Webflowconfigurer to extend the web flow is covered.
In the examples provided this is done through classes that extend the AbstractCasWebflowConfigurer and introducing new actions that are appended to the webflow through the included process.
Is extending already existing configurers like for instance AcceptableUsagePolicyWebflowConfigurer and overriding some of its methods feasible or is that outside the scope of CAS web flow? If its feasible, what is the correct way to do this?
p.s. currently on version 5.3.x
Is extending already existing configurers like for instance AcceptableUsagePolicyWebflowConfigurer and overriding some of its methods feasible or is that outside the scope of CAS web flow?
Yes, that is feasible.
If you examine this block, you will find that AcceptableUsagePolicyWebflowConfigurer is only created conditionally, if an existing bean is not already found in the context by the same name. So to provide your own, you just need to register a bean with the same name using your own #Configuration class. Something like this:
#Bean
#DependsOn("defaultWebflowConfigurer")
public CasWebflowConfigurer acceptableUsagePolicyWebflowConfigurer() {
return new MyAcceptableUsagePolicyWebflowConfigurer(...);
}
public class MyAcceptableUsagePolicyWebflowConfigurer extends
AcceptableUsagePolicyWebflowConfigurer {}
To learn about how #Configuration classes work in general, you can:
Review this post
or This post
or consult the documentation for Spring and/or Spring Boot.
Is there an example of extending the cas login webflow using Java for cas 6.x. I assume this can be done without having to modify the login-webflow.xml.
https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization-Extensions.html does not explain very well where these changes need to be made at.
Related
Hi we are implementing ABAC over SpringSecurity (looks same as Axiomatics solution). So we would like to define custome expression and customize underlaying mechanisms. e.g. #PreAuthorize("myexpression").
At this point I'm trying understand how can I get information about the target method (the JoinPoint): name, class, parameters. I didn't find how to do it for SpringSecurity customization.
As I Inderstand, other solution may be implemention based direct on AOP e.g. #Around, however I would like to try first to find out if the Spring Security can provide me a way to get somehow JoinPoint it self, isn't it implemented over AOP ?
If anyone have an example, thanks.
I would recommend checking out the new support for #PreAuthorize in Spring Security 5.6 with #EnableMethodSecurity. See the reference docs for information on how to customize the interceptors. There are numerous places you can hook into this support based on your requirements using delegation or fully replacing components with your own implementation.
In your case, it seems the most likely place to start would be creating an #Bean to replace the AuthorizationManagerBeforeMethodInterceptor:
#Bean
#Role(BeanDefinition.ROLE_INFRASTRUCTURE)
Advisor preAuthorizeAuthorizationMethodInterceptor() {
PreAuthorizeAuthorizationManager authorizationManager = new PreAuthorizeAuthorizationManager();
authorizationManager.setExpressionHandler(...);
return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(authorizationManager);
}
You will have to implement the MethodSecurityExpressionHandler, but you can use delegation to re-use the DefaultMethodSecurityExpressionHandler for anything you don't want to implement yourself.
I have two projects, A and B. B consumes A as a jar. B is not always used in other projects (for example, projects C, D, E, etc. can either consume or not consume B, but always consume A). I can modify both projects.
There is a controller in A that I want to add functionalities related to B's bussiness model (entities, services, that kind of stuff). Of course, writing the new functionality in A won't work (compiling mainly, but also would break the well-defined structure of both projects).
The controller in A is defined as a spring bean in the Java class itself, and also is related to a zul page that uses it. Relevant code:
Java
#Controller("userController")
#Scope("prototype")
public class UserController extends GenericForwardComposer
ZUL page
<window apply="${userController}" >
How could I add the functionality in B and avoid as much possible unnecesary complexity? I want to avoid extending the controller and adding a #Primary definition. Since I'm working with Java 8, I was thinking on interfaces with default behaviour, but I haven't figured how to make the execution pick an interface in B rather than in A. Composition is also an option, but the bean in A wouldn't be properly initializated (there are components in the zul page).
Any help or pointers will be appreciated.
From a ZK's perspective there's nothing to do here. So no need to look in this direction. (based on the details/code provided so far - unless your last comment ...
there are components in the zul page
... means/should indicate something specific)
It rather seems to be a Spring topic, how to resolve duplicate bean definitions (default in A, something advanced in B), if you don't like #Primary then maybe #Priority/#Order can help to determine which bean get's injected.
Another way to manage such scenarios are spring profiles or more general the #Conditional annotations which allow dynamic configuration/instantiation of beans.
E.g. spring-boot auto-configuration as these #ConditionalOn...-annotations, which I used in zk-springboot-autoconfig de-/activate beans based on the existence of certain classes on the classpath, or other conditions based on properties.
There are many ways to achieve a dynamic bean configuration in spring. In case you need dedicated help with ZK you can try the zk forum or zk support (disclaimer: I work for ZK)
Hello first things first: Im using play framework 2.2.3 for java.
Basic tutorial about authentication in play shows how to use Annotation Security.Authenticated. The problem is that whole my application (besides login and registry forms) needs to be secured.
Now I thought of overloading GlobalSettings onRequest method and include my authentication inside, so every single call of an action would perform authentication check.
But I was told its not elegant way and was told to create another annotation similar to Security.Authenticated, but working on a whole class instead of method, and put it into my custom abstract controller class, so all my controllers that extends it will inherit this annotation.
Now I'm wondering how to make this annotation. Any tips ? Where should I start ? I know basics, how to code annotation itself, but i dont know where is right place to get annotations of controllers class to check if it contains my custom annotation, and perform authentication if so.
If you're looking for an authorization + authentication plugin for Play that can secure the whole class, and hence all the action methods within it, try SecureSocial. It has its own set of annotations, and securing every action method in a class is as easy as doing:
#SecureSocial.SecuredAction
public class MyController extends Controller {
Yes it's a little bit more work than intercepting the request and doing your check there, but its a more flexible method in case you'd like to "unsecure" some of the actions later on.
I want to inject bean inside my method. I have remote method(Direct Web Remoting) and i need to inject some bean inside this method. I can't use #Inject annotation in field declaration section because it will not work. It is even possible ?
It could be possible using serious bytecode instrumentation, but that's probably not feasible.
Does DWR prevent you from using regular Injection?
There are lots of ways to do something like this. What container do you run? DWR doesn't seem to support CDI yet.
Apache DeltaSpike has a way you can manually inject beans. One way is to do a call like this:
EchoService echoService = BeanProvider.getContextualReference(EchoService.class, false);
Another is to enrich the actual class at runtime. Take a look at getBeans in BeanManager.
So, yeah. That. I'm going through the tutorial one step at a time, so if the answer comes up later, forgive me. It's step 1 in this section.
I understand the ease of using this to have access in other methods in the EntryPoint class, but coming from the Spring MVC world, this sort of thing might be thought of as a controller and be a singleton (bean). Is it wrong to think this way in the GWT world?
With GWT you are coding as if it was a desktop AWT program. So, you do not have CDI or anything similar.
So, if you put all your information in a bean, you still would have to either:
keep a bean attribute in the class
pass it as a parameter in the method call
to get a reference to it (instead of retrieving it from CDI when needed)
While you can still use a bean when needed, these attributes are closely linked to the main class (in fact they are other graphical components to show). In general, I would only use bean when you have a bunch of attributes that are tightly coupled between them but are not tightly coupled to any other class.