My current project needs a very dynamic and fast pages without refreshs, or using the buzz word ajax, to accomplish this requirement I’m using ZK Direct RIA. As ZK heavily uses ajax requests with unpredictable url I need another way to protect the controller’s actions (composer’s method) instead of url. Using @Secured and groovy’s invokeMethod I was able to protect each method of any class (please read the post to get a better picture of what I’ll discuss) which works fines if the method call is from a groovy code, ZK is fully implemented in java though.

When a user clicks on a button, or does anything that generates events, zk process it and call the corresponding method in the composer class. ZK events processing executes this code when it find the method to call:

1

mtd.invoke(controller, new Object[] {evt});

This uses Java Reflection API and completely bypass groovy’s invokeMethod, what we need to do is use groovy’s InvokerHelper class instead of direct calling the method using reflection.

1

InvokerHelper.invokeMethod(controller, mtd.getName(), new Object[] {params});

Now that we know how to do it for any kind of java code let’s dig into the problem with ZK event and find out where we should use InvokerHelper.

Implementing InvokerHelper in GrailsComposer

The GrailsComposer in ZKGrails plugin is a subclass of GenericForwardComposer that changes the default char separator from ‘$’ to ‘_’, because groovy already uses the ‘$’ with another meaning, and allows the use of a closure as the doAfterCompose method). So when you create a new composer using grails create-composer your new class extends GrailsComposer. Let’s create a composer and protect two of it’s buttons.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

import org.springframework.security.annotation.Secured
class MainAreaComposer extends GrailsComposer {
    private Button btnEditText // automatically wired from the zul file
    private Button btnSaveText
    private Button btnCancelText

    def afterCompose = {
        // loads the current text
    }

    @Secured("mainArea_editText")
    public void onClick_btnEditText() {
        // shows the rich text editor to edit the text
        btnSaveText.visible = true
        btnCancelText.visible = btnSaveText.visible
        btnEditText.visible = false
    }

    @Secured("mainArea_editText")
    public void onClick_btnSaveText() {
        // saves the text, hide the editor and load the new text
         btnSaveText.visible = false
         btnCancelText.visible = btnSaveText.visible
         btnEditText.visible = true
    }

    public void onClick_btnCancelText(){
         // hide the editor and loads the text without any modifications
    }
}

The idea here is that only some users have access to edit the text. ZK is fully AJAX based and every event cames from client through javascript request. Because of this even if the btnEditText is invisible a malicious users could forge a request to call the method - not easy, but possible - the use of @Secured is to assure that an attempt to call this method from an unauthorized user will fail.

If you run your app using ZKGrails 0.7.5, the current version for Grails 1.1.1, and test if an unauthorized user fails when call the method - just make the button always visible to test - you will see that nothing is blocked no AccessDeniedException is thrown, and of course this isn’t good. Humm, and how could we solve this? How to make zk event handling aware of the dynamic methods?

My first thought was “ZK is open source, what about reading it’s code to understand the event system?” and there I go, downloaded the source and start reading how ZK maps the methods name to components event, in other words how it does this magic:

1

public void onClick_btnCancelText() {// event code}

The above method is the same as the not so nice:

1

btnCancelText.addEventListener("onClick", {// event code} as EventListener)

Reading the source code I find out that this kind of event is a ForwardEvent but I couldn’t find where the original method is called until I look the class diagram for GrailsComposer:

And there was the solution GenericEventListener onEvent method, I’ve finally found where the original method (onClick_componentId) is invoked and now we just need to override onEvent in GrailsComposer, this is the implementation:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

/**
 * Overrides GenericEventListener to use InvokerHelper to call methods. Because of this the events are now
 * part of groovy's dynamic methods, e.g. metaClass.invokeMethod works for event methods.
 * @param evt
 * @throws Exception
 */
@Override
public void onEvent(Event evt) throws Exception {
    final Object controller = getController();
    final Method mtd =  ComponentsCtrl.getEventMethod(controller.getClass(), evt.getName());
    if (mtd != null) {
        if (mtd.getParameterTypes().length == 0) {
            InvokerHelper.invokeMethod(controller, mtd.getName(), null);
        } else if (evt instanceof ForwardEvent) { //ForwardEvent
            final Class paramcls = (Class) mtd.getParameterTypes()[0];
            //paramcls is ForwardEvent || Event
            if (ForwardEvent.class.isAssignableFrom(paramcls)
            || Event.class.equals(paramcls)) {
                InvokerHelper.invokeMethod(controller, mtd.getName(), new Object[] {evt});
            } else {
                do {
                    evt = ((ForwardEvent)evt).getOrigin();
                } while(evt instanceof ForwardEvent);
                InvokerHelper.invokeMethod(controller, mtd.getName(), new Object[] {evt});
            }
        } else {
            InvokerHelper.invokeMethod(controller, mtd.getName(), new Object[] {evt});
        }
    }
}

Just replacing method.invoke to InvokerHelper.invokeMethod (lines 13, 19, 24 and 27) is enough to make the methods actually secured. Open your GrailsComposer class and add this method to the class, this is all you need to do. If you don’t understand how the @Secured is now working, read the previous post which is about the implementation of @Secured.

I’ve submitted this as a patch to Chanwit, the plugin’s maintainer, and ZKGrails 1.0 will have this overridin onEvent out-of-the-box. No need to change the plugin source code anymore, great news.