From d381a5ac264a5ef628ec78a0d91f128f9e58475d Mon Sep 17 00:00:00 2001
From: Josef Rokos <pepa@bukova.info>
Date: Tue, 20 May 2014 12:45:37 +0200
Subject: [PATCH 1/3] =?UTF-8?q?P=C5=99ihla=C5=A1ov=C3=A1n=C3=AD=20proti=20?=
 =?UTF-8?q?LDAP=20serveru-=20integrace=20s=20Active=20Directory?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 pom.xml                                       |  29 +++++++
 .../info/bukova/isspst/DbInitListener.java    |  13 +--
 .../java/info/bukova/isspst/data/User.java    |   3 +
 .../bukova/isspst/security/AuthPopulator.java |  76 ++++++++++++++++++
 .../IsspstPermissionEvaluator.java            |   4 +-
 .../{ => security}/LoginFailHandler.java      |   2 +-
 .../isspst/services/AbstractOwnedService.java |   3 +-
 .../isspst/services/users/UserService.java    |   2 +
 .../services/users/UserServiceImpl.java       |  24 +++++-
 .../info/bukova/isspst/ui/ListViewModel.java  |   2 +-
 src/main/resources/users.ldif                 |  71 ++++++++++++++++
 src/main/webapp/WEB-INF/ldap.properties       |   2 +
 .../webapp/WEB-INF/spring/database-auth.xml   |  17 ++++
 src/main/webapp/WEB-INF/spring/ldap-auth.xml  |  46 +++++++++++
 .../webapp/WEB-INF/spring/root-context.xml    |  22 ++---
 src/main/webapp/app/passwd.zul                |   3 +-
 src/main/webapp/img/passwd.png                | Bin 0 -> 2657 bytes
 17 files changed, 292 insertions(+), 27 deletions(-)
 create mode 100644 src/main/java/info/bukova/isspst/security/AuthPopulator.java
 rename src/main/java/info/bukova/isspst/{ => security}/IsspstPermissionEvaluator.java (92%)
 rename src/main/java/info/bukova/isspst/{ => security}/LoginFailHandler.java (95%)
 create mode 100644 src/main/resources/users.ldif
 create mode 100644 src/main/webapp/WEB-INF/ldap.properties
 create mode 100644 src/main/webapp/WEB-INF/spring/database-auth.xml
 create mode 100644 src/main/webapp/WEB-INF/spring/ldap-auth.xml
 create mode 100644 src/main/webapp/img/passwd.png

diff --git a/pom.xml b/pom.xml
index e5e408c5..262766ee 100644
--- a/pom.xml
+++ b/pom.xml
@@ -70,6 +70,29 @@
     		<artifactId>spring-security-config</artifactId>
     		<version>${org.springframework-version}</version>
   		</dependency>
+  		<dependency>
+    		<groupId>org.springframework.security</groupId>
+    		<artifactId>spring-security-ldap</artifactId>
+    		<version>${org.springframework-version}</version>
+  		</dependency>
+  		
+  		<!-- testing LDAP server 
+  		<dependency>
+ 			<groupId>org.apache.directory.server</groupId>
+			<artifactId>apacheds-all</artifactId>
+			<version>1.5.5</version>
+			<type>jar</type>
+			<scope>compile</scope>
+		</dependency>
+		<dependency>
+ 			<groupId>org.slf4j</groupId>
+ 			<artifactId>slf4j-log4j12</artifactId>
+ 			<version>1.5.6</version>
+ 			<type>jar</type>
+ 			<scope>compile</scope>
+		</dependency>
+		-->
+				  		
   		<!-- <dependency>
         <groupId>org.springframework.data</groupId>
         <artifactId>spring-data-jpa</artifactId>
@@ -204,6 +227,12 @@
 			<groupId>org.zkoss.zk</groupId>
 			<artifactId>zul</artifactId>
 			<version>${zk.version}</version>
+			<exclusions>
+				<exclusion>
+					<groupId>org.slf4j</groupId>
+					<artifactId>slf4j-jdk14</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.zkoss.zk</groupId>
diff --git a/src/main/java/info/bukova/isspst/DbInitListener.java b/src/main/java/info/bukova/isspst/DbInitListener.java
index a72da4dd..75f6fd23 100644
--- a/src/main/java/info/bukova/isspst/DbInitListener.java
+++ b/src/main/java/info/bukova/isspst/DbInitListener.java
@@ -12,8 +12,6 @@ import javax.servlet.ServletContextListener;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
@@ -34,23 +32,16 @@ public class DbInitListener implements ServletContextListener {
 		Logger logger = LoggerFactory.getLogger(DbInitListener.class);
 		logger.info("Initializing database");
 		
-		User tmpAdmin = new User();
-		Role tmpRole = new Role();
-		tmpRole.setAuthority(Constants.ROLE_ADMIN);
-		tmpAdmin.setUsername(Constants.DEF_ADMIN);
-		tmpAdmin.addAuthority(tmpRole);
-		SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(tmpAdmin, null, tmpAdmin.getAuthorities()));
-		
 		WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(evt.getServletContext());
 		roleService = ctx.getBean(RoleService.class);
 		userService = ctx.getBean(UserService.class);
 		permService = ctx.getBean(PermissionService.class);
 		
+		userService.grantAdmin();
 		checkRoles();
 		checkUsers();
 		checkPermissions();
-		
-		SecurityContextHolder.getContext().setAuthentication(null);
+		userService.removeAccess();
 	}
 	
 	private void checkRoles() {
diff --git a/src/main/java/info/bukova/isspst/data/User.java b/src/main/java/info/bukova/isspst/data/User.java
index 680c668f..51adb0c0 100644
--- a/src/main/java/info/bukova/isspst/data/User.java
+++ b/src/main/java/info/bukova/isspst/data/User.java
@@ -49,12 +49,15 @@ public class User extends BaseSimpleData implements UserDetails, DataModel {
 	@Override
 	public List<Role> getAuthorities() {
 		List<Role> roles = new ArrayList<Role>();
+		int i = 10000000;
 		for (Role r : authorities) {
 			roles.add(r);
 			for (Permission p : r.getPermissions()) {
 				Role role = new Role();
 				boolean addRole = true;
 				role.setAuthority(p.getAuthority() + "_" + p.getModule());
+				role.setId(i);
+				++i;
 				
 				for (Role chRole : roles) {
 					if (chRole.getAuthority().equals(role.getAuthority())) {
diff --git a/src/main/java/info/bukova/isspst/security/AuthPopulator.java b/src/main/java/info/bukova/isspst/security/AuthPopulator.java
new file mode 100644
index 00000000..5701a609
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/AuthPopulator.java
@@ -0,0 +1,76 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Role;
+import info.bukova.isspst.data.User;
+import info.bukova.isspst.services.users.RoleService;
+import info.bukova.isspst.services.users.UserService;
+
+import java.util.Collection;
+
+import javax.naming.NamingException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
+
+public class AuthPopulator implements LdapAuthoritiesPopulator {
+
+	private UserService userService;
+	private RoleService roleService;
+
+	public AuthPopulator(UserService userService, RoleService roleService) {
+		this.userService = userService;
+		this.roleService = roleService;
+	}
+
+	@Override
+	public Collection<? extends GrantedAuthority> getGrantedAuthorities(
+			DirContextOperations userData, String login) {
+
+		User user = null;
+		try {
+			user = (User) userService.loadUserByUsername(login);
+		} catch (UsernameNotFoundException e) {
+			Logger logger = LoggerFactory.getLogger(AuthPopulator.class);
+			logger.info("Importing user from LDAP");
+			
+			user = new User();
+			user.setUsername(login);
+			Role role = roleService.getRoleByAuthority(Constants.ROLE_USER);
+			user.addAuthority(role);
+			
+			if (userData.attributeExists("givenName")) {
+				try {
+					user.setFirstName(userData.getAttributes().get("givenName").get().toString());
+				} catch (NamingException e1) {
+					logger.info("LDAP object has no 'givenName' attribute");
+				}
+			}
+			if (userData.attributeExists("sn")) {
+				try {
+					user.setLastName(userData.getAttributes().get("sn").get().toString());
+				} catch (NamingException e1) {
+					logger.info("LDAP object has no 'sn' attribute");
+				}
+			}
+			if (userData.attributeExists("mail")) {
+				try {
+					user.setEmail(userData.getAttributes().get("mail").get().toString());
+				} catch (NamingException e1) {
+					logger.info("LDAP object has no 'mail' attribute");
+				}
+			}
+			
+			userService.grantAdmin();
+			userService.add(user);
+			userService.removeAccess();
+		}
+
+		return user != null ? user.getAuthorities() : null;
+	}
+
+}
diff --git a/src/main/java/info/bukova/isspst/IsspstPermissionEvaluator.java b/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
similarity index 92%
rename from src/main/java/info/bukova/isspst/IsspstPermissionEvaluator.java
rename to src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
index 5aed5aa6..574e30c1 100644
--- a/src/main/java/info/bukova/isspst/IsspstPermissionEvaluator.java
+++ b/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
@@ -1,5 +1,7 @@
-package info.bukova.isspst;
+package info.bukova.isspst.security;
 
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.Module;
 import info.bukova.isspst.data.Role;
 import info.bukova.isspst.services.Service;
 
diff --git a/src/main/java/info/bukova/isspst/LoginFailHandler.java b/src/main/java/info/bukova/isspst/security/LoginFailHandler.java
similarity index 95%
rename from src/main/java/info/bukova/isspst/LoginFailHandler.java
rename to src/main/java/info/bukova/isspst/security/LoginFailHandler.java
index 8d2bb71e..10e2313d 100644
--- a/src/main/java/info/bukova/isspst/LoginFailHandler.java
+++ b/src/main/java/info/bukova/isspst/security/LoginFailHandler.java
@@ -1,4 +1,4 @@
-package info.bukova.isspst;
+package info.bukova.isspst.security;
 
 import java.io.IOException;
 
diff --git a/src/main/java/info/bukova/isspst/services/AbstractOwnedService.java b/src/main/java/info/bukova/isspst/services/AbstractOwnedService.java
index 2236fc04..af1051d0 100644
--- a/src/main/java/info/bukova/isspst/services/AbstractOwnedService.java
+++ b/src/main/java/info/bukova/isspst/services/AbstractOwnedService.java
@@ -6,6 +6,7 @@ import org.hibernate.NonUniqueResultException;
 import org.hibernate.Query;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.transaction.annotation.Transactional;
 
 import info.bukova.isspst.data.OwnedDataModel;
@@ -36,7 +37,7 @@ public class AbstractOwnedService<T extends OwnedDataModel> extends AbstractServ
 	@Transactional
 	protected User getLoggedInUser() {
 		try {
-			String query = "from User where ID = " + ((User)SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getId();
+			String query = "from User where USERNAME = '" + ((UserDetails)SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername() + "'";
 			Query q = dao.getQuery(query);
 			return (User) q.uniqueResult();
 		} catch (NonUniqueResultException e) {
diff --git a/src/main/java/info/bukova/isspst/services/users/UserService.java b/src/main/java/info/bukova/isspst/services/users/UserService.java
index 429b472b..d97e3620 100644
--- a/src/main/java/info/bukova/isspst/services/users/UserService.java
+++ b/src/main/java/info/bukova/isspst/services/users/UserService.java
@@ -12,5 +12,7 @@ public interface UserService extends UserDetailsService, Service<User> {
 	public void saveWithPwd(User user, String password);
 	public User getCurrent();
 	public String encodePassword(User user, String plain);
+	public void grantAdmin();
+	public void removeAccess();
 
 }
diff --git a/src/main/java/info/bukova/isspst/services/users/UserServiceImpl.java b/src/main/java/info/bukova/isspst/services/users/UserServiceImpl.java
index ae4ee230..ae3f5683 100644
--- a/src/main/java/info/bukova/isspst/services/users/UserServiceImpl.java
+++ b/src/main/java/info/bukova/isspst/services/users/UserServiceImpl.java
@@ -1,6 +1,7 @@
 package info.bukova.isspst.services.users;
 
 import org.hibernate.Query;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.encoding.PasswordEncoder;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -8,6 +9,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.transaction.annotation.Transactional;
 
+import info.bukova.isspst.Constants;
 import info.bukova.isspst.data.Role;
 import info.bukova.isspst.data.User;
 import info.bukova.isspst.services.AbstractService;
@@ -58,11 +60,16 @@ public class UserServiceImpl extends AbstractService<User> implements UserServic
 	}
 
 	@Override
+	@Transactional
 	public User getCurrent() {
 		Authentication auth = SecurityContextHolder.getContext().getAuthentication();
 		
 		if (auth != null && auth.getPrincipal() != null) {
-			return (User)auth.getPrincipal();
+			try {
+				return (User)loadUserByUsername(((UserDetails)auth.getPrincipal()).getUsername());
+			} catch(UsernameNotFoundException e) {
+				return null;
+			}
 		}
 		
 		return null;
@@ -73,5 +80,20 @@ public class UserServiceImpl extends AbstractService<User> implements UserServic
 		return encoder.encodePassword(plain, user.getUsername());
 	}
 
+	@Override
+	public void grantAdmin() {
+		User tmpAdmin = new User();
+		Role tmpRole = new Role();
+		tmpRole.setAuthority(Constants.ROLE_ADMIN);
+		tmpAdmin.setUsername(Constants.DEF_ADMIN);
+		tmpAdmin.addAuthority(tmpRole);
+		SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(tmpAdmin, null, tmpAdmin.getAuthorities()));
+	}
+
+	@Override
+	public void removeAccess() {
+		SecurityContextHolder.getContext().setAuthentication(null);
+	}
+
 
 }
diff --git a/src/main/java/info/bukova/isspst/ui/ListViewModel.java b/src/main/java/info/bukova/isspst/ui/ListViewModel.java
index 0537287a..ca42ea03 100644
--- a/src/main/java/info/bukova/isspst/ui/ListViewModel.java
+++ b/src/main/java/info/bukova/isspst/ui/ListViewModel.java
@@ -131,7 +131,7 @@ public class ListViewModel<T extends DataModel> {
 		try {
 			newRecMode();
 			editBean = service.create();
-			if (dataBean == null) {
+			if (editBean == null) {
 				editBean = dataClass.newInstance();
 			}
 			showForm();
diff --git a/src/main/resources/users.ldif b/src/main/resources/users.ldif
new file mode 100644
index 00000000..e6bc13b2
--- /dev/null
+++ b/src/main/resources/users.ldif
@@ -0,0 +1,71 @@
+dn: ou=groups,dc=bukova,dc=info
+objectclass: top
+objectclass: organizationalUnit
+ou: groups
+
+dn: ou=people,dc=bukova,dc=info
+objectclass: top
+objectclass: organizationalUnit
+ou: people
+
+dn: uid=kadel,ou=people,dc=bukova,dc=info
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Kadel Pohlavnik
+sn: Pohlavnik
+givenName: Kadel
+uid: kadel
+userPassword: pokus
+
+dn: uid=admin,ou=people,dc=bukova,dc=info
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Administrator
+sn: admin
+uid: admin
+userPassword: xsacfgd
+
+dn: uid=dianne,ou=people,dc=bukova,dc=info
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Dianne Emu
+sn: Emu
+uid: dianne
+userPassword: emu
+
+dn: uid=scott,ou=people,dc=bukova,dc=info
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Scott
+sn: Wombat
+uid: scott
+userPassword: wombat
+
+dn: cn=user,ou=groups,dc=bukova,dc=info
+objectclass: top
+objectclass: groupOfNames
+cn: user
+member: uid=rod,ou=people,dc=bukova,dc=info
+member: uid=dianne,ou=people,dc=bukova,dc=info
+member: uid=scott,ou=people,dc=bukova,dc=info
+
+dn: cn=teller,ou=groups,dc=bukova,dc=info
+objectclass: top
+objectclass: groupOfNames
+cn: teller
+member: uid=rod,ou=people,dc=bukova,dc=info
+member: dianne=rod,ou=people,dc=bukova,dc=info
+
+dn: cn=supervisor,ou=groups,dc=bukova,dc=info
+objectclass: top
+objectclass: groupOfNames
+cn: supervisor
+member: uid=rod,ou=people,dc=bukova,dc=info
diff --git a/src/main/webapp/WEB-INF/ldap.properties b/src/main/webapp/WEB-INF/ldap.properties
new file mode 100644
index 00000000..4060b43d
--- /dev/null
+++ b/src/main/webapp/WEB-INF/ldap.properties
@@ -0,0 +1,2 @@
+ldap.server=ldap://localhost:3089
+ldap.userDNPattern=uid=\{0\},OU=people,DC=bukova,DC=info
\ No newline at end of file
diff --git a/src/main/webapp/WEB-INF/spring/database-auth.xml b/src/main/webapp/WEB-INF/spring/database-auth.xml
new file mode 100644
index 00000000..275a3c1d
--- /dev/null
+++ b/src/main/webapp/WEB-INF/spring/database-auth.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
+
+
+	<security:authentication-manager>
+		<security:authentication-provider user-service-ref="userService">
+			<security:password-encoder ref="passwordEncoder">
+				<security:salt-source user-property="username" />
+			</security:password-encoder>
+		</security:authentication-provider>
+	</security:authentication-manager>
+
+</beans>
diff --git a/src/main/webapp/WEB-INF/spring/ldap-auth.xml b/src/main/webapp/WEB-INF/spring/ldap-auth.xml
new file mode 100644
index 00000000..5670d09f
--- /dev/null
+++ b/src/main/webapp/WEB-INF/spring/ldap-auth.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
+
+	<!-- LDAP -->
+	
+	<!-- embedded server only for testing -->
+	<security:ldap-server root="dc=bukova,dc=info" ldif="classpath:users.ldif" port="3089"/>
+	
+	<security:authentication-manager>
+		<security:authentication-provider ref="ldapAuthProvider"/>
+	</security:authentication-manager>
+	
+	<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
+		<constructor-arg value="${ldap.server}"/>
+	</bean>
+	
+	<bean id="authenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
+	            <constructor-arg ref="contextSource"/>
+	            <property name="userDnPatterns">
+	                <list>
+	                    <value>${ldap.userDNPattern}</value>
+	                </list>
+	            </property>
+	</bean>
+
+	<bean id="populator" class="info.bukova.isspst.security.AuthPopulator">
+		<constructor-arg>
+		 	<ref local="userService"/>
+		 </constructor-arg>
+		 <constructor-arg>
+		 	<ref local="roleService"/>
+		 </constructor-arg>
+	</bean>
+	
+	<bean id="ldapAuthProvider"
+		class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
+			<constructor-arg ref="authenticator"/>
+	        <constructor-arg ref="populator"/>
+	</bean>
+
+
+</beans>
diff --git a/src/main/webapp/WEB-INF/spring/root-context.xml b/src/main/webapp/WEB-INF/spring/root-context.xml
index 13f46192..fe183541 100644
--- a/src/main/webapp/WEB-INF/spring/root-context.xml
+++ b/src/main/webapp/WEB-INF/spring/root-context.xml
@@ -11,7 +11,14 @@
 	<context:annotation-config />
 	<context:component-scan base-package="info.bukova.isspst,org.zkoss.spring.beans.zkcomponents"></context:component-scan>
 
-	<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" id="propertyConfigurer" p:location="/WEB-INF/jdbc.properties" />
+	<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" id="propertyConfigurer">
+		<property name="locations">
+			<list>
+				<value>/WEB-INF/jdbc.properties</value>
+				<value>/WEB-INF/ldap.properties</value>
+			</list>
+		</property>
+	</bean>
 
 	<!-- Database -->
 	<bean id="dataSource"
@@ -52,7 +59,7 @@
 		<property name="permissionEvaluator" ref="permissionEvaluator" />
 	</bean>
 	
-	<bean id="permissionEvaluator" class="info.bukova.isspst.IsspstPermissionEvaluator"/>
+	<bean id="permissionEvaluator" class="info.bukova.isspst.security.IsspstPermissionEvaluator"/>
     
 	<security:http auto-config="true" use-expressions="true">
 		<security:intercept-url pattern="/app/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')"/>
@@ -65,13 +72,8 @@
 		<security:logout invalidate-session="true"/>
 	</security:http>
 
-	<security:authentication-manager>
-		<security:authentication-provider user-service-ref="userService">
-			<security:password-encoder ref="passwordEncoder">
-				<security:salt-source user-property="username" />
-			</security:password-encoder>
-		</security:authentication-provider>
-	</security:authentication-manager>
+	<import resource="database-auth.xml"/>
+	<!-- <import resource="ldap-auth.xml"/> --> 
 
 	<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
 		<property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
@@ -81,7 +83,7 @@
 	
 	<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
 	
-	<bean id="loginFail" class="info.bukova.isspst.LoginFailHandler"/>
+	<bean id="loginFail" class="info.bukova.isspst.security.LoginFailHandler"/>
     
     <!-- DAO -->
     <bean id="userDao" class="info.bukova.isspst.dao.jpa.UserDaoJPA">
diff --git a/src/main/webapp/app/passwd.zul b/src/main/webapp/app/passwd.zul
index fbed95d7..d79f4b0a 100644
--- a/src/main/webapp/app/passwd.zul
+++ b/src/main/webapp/app/passwd.zul
@@ -2,9 +2,10 @@
 <zk>
 <?variable-resolver class="org.zkoss.zkplus.spring.DelegatingVariableResolver"?>
 
-<window id="passwd" title="Změnit heslo" border="normal" closable="true" width="350px"
+<window id="passwd" border="normal" closable="true" width="350px"
 	apply="org.zkoss.bind.BindComposer"
 	viewModel="@id('vm') @init('info.bukova.isspst.ui.users.PasswdVM')">
+	<caption src="/img/passwd.png" zclass="form-caption" label="Změnit heslo" />
 	<style src="/app/form.css"/>
 	<grid>
 		<columns>
diff --git a/src/main/webapp/img/passwd.png b/src/main/webapp/img/passwd.png
new file mode 100644
index 0000000000000000000000000000000000000000..f9ca66aa23179d02e0020b459fa6ea51713c21be
GIT binary patch
literal 2657
zcmV-n3ZC_eP)<h;3K|Lk000e1NJLTq001Ze001Zm1^@s6jQ+T700006VoOIv0RI60
z0RN!9r;`8x010qNS#tmY3ljhU3ljkVnw%H_000McNliru-USjA6BjQ72x0&L3GPWm
zK~z}7y_j2UT~&I3zkjW@_dds$#BuCN;v{WT;&h0RT2dILB%`zwDS!f^8VDL8jphXj
zi5H$qTTzu(?aNf9^o6Pqy@`h+#3Yp=nJF!ZqH0J>M>7m&Vx$n_TnM(~*v>gVm%aB|
z>+i!pp_vwpoj{kgv@d6`y}$F{*Du`UICA93Zxu!HKnUSbe}DhB7~`Obbn`sF=)M18
ztycS|qeqWU-01t|CcyT2?_aw0)?2sSefQnEXU`sa=9y>MuwesBOH15)@4bwUj_QdM
zC*<VGld;q3JaX*Vu^0be03Uqt!RJRuN5B2#lTYf79Xn)xex48lB0`K2V+;Tx1O^8O
z85kJg*=L{St+(EKH%XE^UwGk#;!6X3=%I(E_V3^S)hC{Kf@ZTxqtRe#X^GcfdyUD-
zNfs6s=<Dlae0-e4hYz!P^JdaCWn^T8vuDrhQ%^nBdGW;;`@a;xBS((B`skyN9y)aB
z5cBi%T)upn=bn3xMx#Nu+l{Iky!Q>~+&U34&N=Ix<FUscW5<pijE;^{mZd)O$RqO;
z6BA$gLIEFs_~CEt-o5+vr=NaWXJ=<+a&nTFUV2Fv7Z;hDn)<6#r%t^WV+_CokXvhI
z`}XZy@3`ZRX9orbvI7SW$UXPmLw|q2Hk(a({PD;Cbz)-T(C2;EtrjrGI59Rh#_a5@
zT)1$7qeqYG%*@Qkue|cgAFFBr=6Y~ffjopzOixe0KRrGDwfpY7?=Rnc^UZGz4i0kH
zU3bak<fPW?^@G4K0n;me*Q`={U%&0P+XnXT-Aj@roH%hp=jP^GFTecqAE{~wI1hXP
z{0R6Na2hxVoOaH=cl`MAdlnZLPrmWS8yaI|*REZ%efxHE|NZyB0Ia`hK;Um~zx{TG
zhlhFl?YB91?wm|bP5muU0v`eI15-c_==BS|_X?EGx!+z~T$G843F`GaTefV`EX($$
zY5I#RnVMOJ^b%FwH9kJB)>=-VK25vbE~loZ-T`KTv%rPVd(Y9MN9T&7I6gl=uhv=)
z9y}<w+;R(Pn(hGB-7sK`(QeqVfqK0zBEtIh>zSFEISF)nHg|EgcC4z;&(6+@sxmS%
z!tUL>86F<q3~atBz_GD0`uh5aF|vOBdYaAV$31n<^whlCF|%>wMnVVxjE#*kIy(BR
zKp$Xl)CQ$quQN0>R9%SRy)S@fZ?c9+Pz((XQLEJe$g&J$%z7aEEEaQvsaSiG^J`k9
zN|Gd~>NQ}rx=6naKn3E><bG8}RpUw=Hwt*eLqvWKFvb}FcW7EuCOLNOH#&R2R&eF=
zM}!cFzRh4=lJV{R0|)QiG<10X)>UVt<L{K~if)s}(q*hQL>y&MzY^ezx%dZvw(lSN
zhPFMhdDs5FYfdI2h%r6&{9nz-P!fZ$j=n^LCq_>U1;i4KrTQ|L=u3)jgT;mU_8<P;
zJKuWmOyggAkzsX!-~aBuf7tWQ?|x^~&V7|ZhZ19x6<l-~^-VN1h-HgdE)#u|&^r%h
zi-pCK^H<0Dm0degRW6-9MSlJV+FF>FcTO*j{O(`>_{yqO{Lg=WVC&%ME#KL+b03|?
z9LA-9a^{DBPwUEgH2R(mfk?o*5^E#Qc#QKn6A&A*CSWCEYygR*C_A&);bKB<!yZPq
zex3KuEXd%%ux=Y|{~qu=t8$W1c6W{L*h{B5N7^@pbu}iB|0$iNOBm}gE<<dBO)N=G
zNK-?aL0X3_6Ot6NG?FF}mj+xCNE44s0%C+DQ)25!Z2N_Awr(3E&8+nI$v1(Wt8)_7
zT2fm_XK4l_j<ValJ}dwcL9w>PniA_gXwJf76K4Zys%+fguqGfTU~IrhL}SDN&M6|0
z&mH5JcYT#JSO1N^S}_c40_K6GRe7-(!Iy28uY8EAUKb)1(}Q!iL?~ElG)a<xbrBIy
zS$fhw#kfk%Vib*@paEwDVhh^;MQz=$lO`RqT9;nwm99F>grbYL9lS3PV7b+z-EJX9
zan9pxz&cOrJV_F<F5+x;zgq^1Mv0*Veiq^)Mgq=3|K<@y6t!D1(jrYuYPI~D$=S~b
z6d{xyyl)|;BbGU>PMc1rjflb85@#!*#72x$tPPcu(8hOXF**+}VtT+PRg4K3qbyvR
zW8=suMea$`4oQ+z&$?>~)PgTsgrb8HN8Vnh-EQ~PUfGi|5i1dE6$wr9_B7GvSm#Nc
z$GKSj5f`ww0*k>?dI2?je6c|`tYprUCOKIxUp=6R;PV#Iw+TiN^=#a@v2uIKNnD%M
zwbA?n&RnINcgUrvq-X=y1*|REy4jE<kq}eVTT1UJLO)4bCkA0|8DdtFWCgWs4S<MH
z=2dV-!TV~lHA2x{!Y@xFX%m;0Sn*gJurXk4#Mz!5x`1<$7%kCTVwn(wrJEZ>6Jms=
zs~*WpMr$RkNrF@oY&9CBS)}N;S-yIOGQW(~Ws;;#Vggwf5gRcfVyt3K_{8R{4XCCB
zZwX~e2!<Fe5)7RV#As->0%@yY%U}U%xfTf;e9_{{!Xo|klEv8%n7jA^Nm`O7C5bOF
zCa`XuR<>w*S;JQ6#zsVx5Gu)qU<kgFpb<-vM|@B^9gkZs@nwQ9Q=q$g75ltJt2;;0
zn4#!2Fb0e$Vk#(OA|k!{$!}F!Gd2)|C6<<;h7cSvSbRtbJ^{554b5eRtf0tKd|qEY
zpdge*o6LEfsUfb*x&a|cgftb>#8Arw5w3&mdA3mu5TYTfB?f~=ONfr(6M}by;P9nk
zxdoEu6nRQ0vbCrfG<XIFAOxxcpsxa}04rFbN?l?UBh^GAQ4JceO-qbDDMm{Oj^G{M
zTRM3{xv)%GW|W@+XjUlc>FaNyA~=_!pVVfGs3M}(4bk2NK`};qd0S8gjZ%SX<s>m0
zVsw;+qf=OBX6Nx`M%k_DssUBZOb8`|eQk)KYA_-d9H7zzrOMAj1&90(94gnIAYv*|
z6*O8jTK;3IMWB!Qr3Rv@p1UMxKdnCfR28@Ktv_AIB`$uvmEE`gj4KP<X?HfE#T-@&
z5@)c^VjYMRmKF;x&4WvX#91^7WvSe`yH3;u)f5#+lmwjP)Q273J>MnhDIWOEZD_YG
z$KGuI`={-VKeM8K^)C+m8n~a-1~;m6Qh9`~&?a+{G|5TRf;210(t<20NNd%-#Cb}e
z((R<QS_z@7L8uWrE#CjI{qB9g|KsO+EtLQ4bu2!APx8G#+4q&jX7L9@gW2I2sIBz0
zv!1NhrIuBBwVoDaS(jQpr<Ua;iN}{IMP8#UGRmT+AATg~zW4g_ThG5bf4Wx#P6O{=
zA8%IEz^nt~z5Yq|1@A&lZ~9(;@l3B^U2}&u1qOOO6yb{>9iY`a{@nO)$0aPcFMo8n
P00000NkvXXu0mjf*Dd*P

literal 0
HcmV?d00001


From 95964aaeeb49cd4f03b418e563c475c1b4383a5c Mon Sep 17 00:00:00 2001
From: Josef Rokos <pepa@bukova.info>
Date: Tue, 20 May 2014 12:55:38 +0200
Subject: [PATCH 2/3] =?UTF-8?q?Oprava=20z=C3=A1vislost=C3=AD=20knihoven?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 pom.xml | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/pom.xml b/pom.xml
index 262766ee..04fe105a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -83,16 +83,8 @@
 			<version>1.5.5</version>
 			<type>jar</type>
 			<scope>compile</scope>
-		</dependency>
-		<dependency>
- 			<groupId>org.slf4j</groupId>
- 			<artifactId>slf4j-log4j12</artifactId>
- 			<version>1.5.6</version>
- 			<type>jar</type>
- 			<scope>compile</scope>
-		</dependency>
-		-->
-				  		
+		</dependency>-->
+						  		
   		<!-- <dependency>
         <groupId>org.springframework.data</groupId>
         <artifactId>spring-data-jpa</artifactId>
@@ -114,6 +106,13 @@
 		
 		<!-- Logging -->
 		<dependency>
+ 			<groupId>org.slf4j</groupId>
+ 			<artifactId>slf4j-log4j12</artifactId>
+ 			<version>1.5.6</version>
+ 			<type>jar</type>
+ 			<scope>compile</scope>
+		</dependency>
+		<!-- <dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
 			<version>${org.slf4j-version}</version>
@@ -129,7 +128,7 @@
 			<artifactId>slf4j-log4j12</artifactId>
 			<version>${org.slf4j-version}</version>
 			<scope>runtime</scope>
-		</dependency>
+		</dependency> -->
 		<dependency>
 			<groupId>log4j</groupId>
 			<artifactId>log4j</artifactId>

From a056c620d3d1d55947753998c87c86de45283880 Mon Sep 17 00:00:00 2001
From: Josef Rokos <pepa@bukova.info>
Date: Thu, 22 May 2014 10:22:20 +0200
Subject: [PATCH 3/3] =?UTF-8?q?Zobrazov=C3=A1n=C3=AD=20chyb=20validace=20Z?=
 =?UTF-8?q?K=20frameworkem?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../info/bukova/isspst/ui/FormViewModel.java  |  8 +++
 .../bukova/isspst/ui/ServiceConstraint.java   | 54 +++++++++++++++++++
 src/main/webapp/admin/addressbook/address.zul | 17 +++---
 src/main/webapp/buildings/buildingForm.zul    |  6 +--
 4 files changed, 69 insertions(+), 16 deletions(-)
 create mode 100644 src/main/java/info/bukova/isspst/ui/ServiceConstraint.java

diff --git a/src/main/java/info/bukova/isspst/ui/FormViewModel.java b/src/main/java/info/bukova/isspst/ui/FormViewModel.java
index a5dab5a5..f0dc3b4e 100644
--- a/src/main/java/info/bukova/isspst/ui/FormViewModel.java
+++ b/src/main/java/info/bukova/isspst/ui/FormViewModel.java
@@ -21,11 +21,15 @@ public class FormViewModel<T extends DataModel> {
 	private Map<String, String> errMessages;
 	private Service<T> service;
 	private boolean newRec;
+	private ServiceConstraint<T> constraint;
 	
 	@Init
 	public void init(@ExecutionArgParam("selected") T selected, @ExecutionArgParam("service") Service<T> service) {
 		this.dataBean = selected;
 		this.service = service;
+		constraint = new ServiceConstraint<T>();
+		constraint.setDataBean(selected);
+		constraint.setService(service);
 		if (selected.getId() == 0 && selected.getCreated() == null) {
 			newRec = true;
 		} else {
@@ -33,6 +37,10 @@ public class FormViewModel<T extends DataModel> {
 		}
 	}
 	
+	public ServiceConstraint<T> getConstriant() {
+		return constraint;
+	}
+	
 	public T getDataBean() {
 		return dataBean;
 	}
diff --git a/src/main/java/info/bukova/isspst/ui/ServiceConstraint.java b/src/main/java/info/bukova/isspst/ui/ServiceConstraint.java
new file mode 100644
index 00000000..dd0e4283
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/ui/ServiceConstraint.java
@@ -0,0 +1,54 @@
+package info.bukova.isspst.ui;
+
+import info.bukova.isspst.data.DataModel;
+import info.bukova.isspst.services.Service;
+import info.bukova.isspst.services.ValidationException;
+
+import java.lang.reflect.InvocationTargetException;
+import java.util.Map;
+
+import org.apache.commons.beanutils.BeanUtils;
+import org.zkoss.zk.ui.Component;
+import org.zkoss.zk.ui.WrongValueException;
+import org.zkoss.zul.Constraint;
+
+public class ServiceConstraint<T extends DataModel> implements Constraint {
+	
+	private Service<T> service;
+	private T dataBean;
+	
+	@Override
+	public void validate(Component component, Object value)
+			throws WrongValueException {
+
+		String id = component.getId();
+		if (id == null || id.isEmpty()) {
+			return;
+		}
+		
+		try {
+			BeanUtils.setProperty(dataBean, id, value);
+			service.validate(dataBean);
+		} catch (ValidationException e) {
+			Map<String, String> errMessages = e.getMessages();
+			
+			if (errMessages != null && errMessages.get(id) != null && !errMessages.get(id).isEmpty()) {
+				WrongValueException ex = new WrongValueException(component, errMessages.get(id)); 
+				throw ex;
+			}
+		} catch (IllegalAccessException e) {
+			
+		} catch (InvocationTargetException e) {
+			
+		}
+	}
+
+	public void setService(Service<T> service) {
+		this.service = service;
+	}
+
+	public void setDataBean(T dataBean) {
+		this.dataBean = dataBean;
+	}
+
+}
diff --git a/src/main/webapp/admin/addressbook/address.zul b/src/main/webapp/admin/addressbook/address.zul
index 2d54e43c..9fe94a87 100644
--- a/src/main/webapp/admin/addressbook/address.zul
+++ b/src/main/webapp/admin/addressbook/address.zul
@@ -12,12 +12,10 @@
 			<column label="" hflex="min"/>
 			<column label="" hflex="min"/>
 			<column label=""/>
-			<column label=""/>
 		</columns>
 		<rows>
 			<row>
-				<label value="Firma" /> <textbox value="@bind(vm.dataBean.company)" instant="true"/>
-				<label visible="true" value="@load(vm.errMessages['company'])" style="color:red"/>
+				<label value="Firma" /> <textbox id="company" constraint="@load(vm.constriant)" value="@bind(vm.dataBean.company)" instant="true" width="320px"/>
 				<button image="/img/search.png" label="Hledat v ARESu" onClick="@command('searchAres')" sclass="nicebutton" disabled="@load((vm.dataBean.ic == 0) &amp;&amp; (empty vm.dataBean.company))" />				
 			</row>
 			<row>
@@ -33,14 +31,13 @@
 				<label value="Kontaktní osoba" /> <textbox value="@bind(vm.dataBean.contactName)"/>				
 			</row>
 			<row>
-				<label value="Ulice" /> <textbox value="@bind(vm.dataBean.street)"/>				
+				<label value="Ulice" /> <textbox value="@bind(vm.dataBean.street)" width="320px"/>				
 			</row>
 			<row>
-				<label value="Číslo domu" /> <textbox value="@bind(vm.dataBean.houseNumber)"/>				
+				<label value="Číslo domu" /> <textbox value="@bind(vm.dataBean.houseNumber)" width="80px"/>				
 			</row>
 			<row>
-				<label value="Město" /> <textbox value="@bind(vm.dataBean.city)"/>
-				<label visible="true" value="@load(vm.errMessages['city'])" style="color:red"/>				
+				<label value="Město" /> <textbox id="city" constraint="@load(vm.constriant)" value="@bind(vm.dataBean.city)" width="320px"/>				
 			</row>
 			<row>
 				<label value="PSČ" /> <textbox value="@bind(vm.dataBean.zipCode)"/>				
@@ -49,12 +46,10 @@
 				<label value="Telefon" /> <textbox value="@bind(vm.dataBean.phone)"/>				
 			</row>
 			<row>
-				<label value="E-mail" /> <textbox value="@bind(vm.dataBean.email)"/>
-				<label visible="true" value="@load(vm.errMessages['email'])" style="color:red"/>				
+				<label value="E-mail" /> <textbox id="email" constraint="@load(vm.constriant)" value="@bind(vm.dataBean.email)" width="320px"/>				
 			</row>
 			<row>
-				<label value="Web" /> <textbox value="@bind(vm.dataBean.web)"/>
-				<label visible="true" value="@load(vm.errMessages['web'])" style="color:red"/>				
+				<label value="Web" /> <textbox id="web" constraint="@load(vm.constriant)" value="@bind(vm.dataBean.web)" width="320px"/>				
 			</row>
 		</rows>
 	</grid>
diff --git a/src/main/webapp/buildings/buildingForm.zul b/src/main/webapp/buildings/buildingForm.zul
index 6360ca1d..4d96b660 100644
--- a/src/main/webapp/buildings/buildingForm.zul
+++ b/src/main/webapp/buildings/buildingForm.zul
@@ -8,16 +8,12 @@
 				<columns>
 					<column align="right" hflex="min" />
 					<column />
-					<column />
 				</columns>
 				<rows>
 					<row>
 						<cell sclass="row-title">${labels.BuildingsFormCode} :</cell>
 						<cell>
-							<textbox width="200px" value="@bind(vm.dataBean.code)" />
-						</cell>
-						<cell>
-							<label visible="true" value="@load(vm.errMessages['code'])" style="color:red" />
+							<textbox id="code" constraint="@load(vm.constriant)" width="200px" value="@bind(vm.dataBean.code)" />
 						</cell>
 					</row>
 					<row>