Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread Zbynek Vavros
Took me some time to understand as well, so I'm glad to share :)

I'm in the process of tuning this setup, so just out of curiosity, how did you
set up the Wicket properties file(s)? I don't like the idea of having
properties in src/main/java and am looking for a proper way to load them from
a custom location like
src/main/resources/properties/MyWicketApplication.properties.

In our previous project we used the I18n.init() method, but I'm thinking of a
more Wicket-y way, maybe using BundleStringResourceLoader? But so far no luck
making that work...

Zbynek

On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:

> Yes this is exactly how I've done it :) Thanks for taking time to help...
>
> @WicketSignInPage
> @MountPath("page/login")
> public class LoginPage extends BasePage {
>
> public LoginPage(PageParameters parameters) {
> super(parameters);
>
> if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> continueToOriginalDestination();
> }
> add(new LoginForm("loginForm"));
> }
>
> private class LoginForm extends StatelessForm {
>
> private String username;
> private String password;
>
> public LoginForm(String id) {
> super(id);
> setModel(new CompoundPropertyModel<>(this));
> add(new FeedbackPanel("feedback"));
> add(new RequiredTextField("username"));
> add(new PasswordTextField("password"));
> }
>
> @Override
> protected void onSubmit() {
> AuthenticatedWebSession session = AuthenticatedWebSession.get();
> if (session.signIn(username, password)) {
> setResponsePage(HomePage.class);
> } else {
> error("Login failed");
> }
> }
> }
> }
>
>
> On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros 
> wrote:
>
> > Is seems you have mixed my code with your code somehow.
> > You must configure formLogin() and specify loginPage() pointing to your
> > Wicket login page (maybe using @MountPath?).
> > The .loginProcessingUrl() points to "/fake-url" because the
> authentication
> > itself is called from Wicket login page
> > via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> > in your Wicket login page?
> >
> > Zbynek
> >
> > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > It sort of works, If I go to the actuator I get the http basic auth,
> if I
> > > on the same session goto my pages.. I get an "ugly" access denied page
> > and
> > > not the configured wicket login page. So it sort of works..
> > >
> > > If I just goto localhost:8080/ I get an default spring login page not
> the
> > > wicket one.. Upon succesfull login it forwards me to the wicket login
> > page,
> > > where I can login again and then get to the real application..
> > >
> > > Below my current code:
> > >
> > >
> > > package dk.netdesign.ccadmin.frontend.security;
> > >
> > > import org.springframework.context.annotation.Bean;
> > > import org.springframework.context.annotation.Configuration;
> > > import org.springframework.core.annotation.Order;
> > > import
> org.springframework.security.authentication.AuthenticationManager;
> > > import
> > >
> > >
> >
> org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > import
> > >
> org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > import
> > >
> > >
> >
> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > import org.springframework.security.config.http.SessionCreationPolicy;
> > > import org.springframework.security.core.Authentication;
> > > import org.springframework.security.core.context.SecurityContextHolder;
> > > import org.springframework.security.core.userdetails.User;
> > > import
> org.springframework.security.core.userdetails.UserDetailsService;
> > > import
> org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > import
> > > org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > import org.springframework.stereotype.Component;
> > >
> > > @Configuration
> > > public class WicketWebSecurityAdapterConfig extends
> > > WebSecurityConfigurerAdapter {
> > >
> > >
> > > @Configuration
> > > @Order(1)
> > > public static class RestSecurityConfig extends
> > > WebSecurityConfigurerAdapter {
> > >
> > > @Override
> > > protected void configure(HttpSecurity http) throws Exception {
> > >
> > >
> > >
> > >
> >
> http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > > .and().csrf().disable()
> > >
> > >
> > >
> >
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > .and().httpBasic();
> > > }
> > > }
> > >
> > > @Configuration
> > > @Order(2)
> > > public static class WicketSecurityConfig extends
> > > WebSecurityConfigurerAdapter {
> > > @Override
> > > protected void configure(HttpSecurity http) throws Exception {
> > > 

Re: Wicket 8 and Edge : Known compatibilities problem ?

2019-01-24 Thread Martin Grigorov
Hi,

We are not aware of any issues with MS Edge.
The error message is really strange though! Here is something that I've
found:
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_store/youll-need-a-new-app-to-open-this-https/631579eb-4051-42d9-96cc-3909690421e5

On Thu, Jan 24, 2019 at 8:02 PM andre seame  wrote:

> Hello,
>
> I have a wicket application that is Ok with Mozilla.
> My company will to use windows 10 and Edge. I did some test and I have an
> error message : You need a new application to see this page.
>
> Is this a know bug for edge ? A bad configuration of my HTML code ? a New
> security option of the network administrator that would say "Edge is not
> allowed on internal intranet network" ?
>
> Thanks,
>
>


Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread nino martinez wael
Yes this is exactly how I've done it :) Thanks for taking time to help...

@WicketSignInPage
@MountPath("page/login")
public class LoginPage extends BasePage {

    public LoginPage(PageParameters parameters) {
        super(parameters);

        if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
            continueToOriginalDestination();
        }
        add(new LoginForm("loginForm"));
    }

    private class LoginForm extends StatelessForm {

        private String username;
        private String password;

        public LoginForm(String id) {
            super(id);
            setModel(new CompoundPropertyModel<>(this));
            add(new FeedbackPanel("feedback"));
            add(new RequiredTextField("username"));
            add(new PasswordTextField("password"));
        }

        @Override
        protected void onSubmit() {
            AuthenticatedWebSession session = AuthenticatedWebSession.get();
            if (session.signIn(username, password)) {
                setResponsePage(HomePage.class);
            } else {
                error("Login failed");
            }
        }
    }
}


On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros 
wrote:

> Is seems you have mixed my code with your code somehow.
> You must configure formLogin() and specify loginPage() pointing to your
> Wicket login page (maybe using @MountPath?).
> The .loginProcessingUrl() points to "/fake-url" because the authentication
> itself is called from Wicket login page
> via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> in your Wicket login page?
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > It sort of works, If I go to the actuator I get the http basic auth, if I
> > on the same session goto my pages.. I get an "ugly" access denied page
> and
> > not the configured wicket login page. So it sort of works..
> >
> > If I just goto localhost:8080/ I get an default spring login page not the
> > wicket one.. Upon succesfull login it forwards me to the wicket login
> page,
> > where I can login again and then get to the real application..
> >
> > Below my current code:
> >
> >
> > package dk.netdesign.ccadmin.frontend.security;
> >
> > import org.springframework.context.annotation.Bean;
> > import org.springframework.context.annotation.Configuration;
> > import org.springframework.core.annotation.Order;
> > import org.springframework.security.authentication.AuthenticationManager;
> > import
> >
> >
> org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > import
> > org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > import
> >
> >
> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > import org.springframework.security.config.http.SessionCreationPolicy;
> > import org.springframework.security.core.Authentication;
> > import org.springframework.security.core.context.SecurityContextHolder;
> > import org.springframework.security.core.userdetails.User;
> > import org.springframework.security.core.userdetails.UserDetailsService;
> > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > import
> > org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > import org.springframework.stereotype.Component;
> >
> > @Configuration
> > public class WicketWebSecurityAdapterConfig extends
> > WebSecurityConfigurerAdapter {
> >
> >
> > @Configuration
> > @Order(1)
> > public static class RestSecurityConfig extends
> > WebSecurityConfigurerAdapter {
> >
> > @Override
> > protected void configure(HttpSecurity http) throws Exception {
> >
> >
> >
> >
> http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > .and().csrf().disable()
> >
> >
> >
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > .and().httpBasic();
> > }
> > }
> >
> > @Configuration
> > @Order(2)
> > public static class WicketSecurityConfig extends
> > WebSecurityConfigurerAdapter {
> > @Override
> > protected void configure(HttpSecurity http) throws Exception {
> > http.antMatcher("/page/**").authorizeRequests()
> > .antMatchers("/page/login**").permitAll()
> > .antMatchers("/page/**").hasAnyAuthority("USER",
> > "ADMIN")
> >
> >
> >
> .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> >
> > .and().csrf().disable();
> > }
> > }
> >
> > @Bean
> > public static BCryptPasswordEncoder passwordEncoder() {
> > return new BCryptPasswordEncoder();
> > }
> >
> > @Bean(name = "authenticationManager")
> > @Override
> > public AuthenticationManager authenticationManagerBean() throws
> > Exception {
> >
> > return super.authenticationManagerBean();
> > }
> > public interface IAuthenticationFacade {
> > Authentication getAuthentication();
> > }
> > @Component
> > public class AuthenticationFacade 

Wicket 8 and Edge : Known compatibilities problem ?

2019-01-24 Thread andre seame
Hello,

I have a Wicket application that is OK with Mozilla.
My company will use Windows 10 and Edge. I did some tests and I have an error
message: You need a new application to see this page.

Is this a known bug for Edge? A bad configuration of my HTML code? A new
security option of the network administrator that would say "Edge is not
allowed on internal intranet network"?

Thanks,



Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread Zbynek Vavros
It seems you have mixed my code with your code somehow.
You must configure formLogin() and specify loginPage() pointing to your
Wicket login page (maybe using @MountPath?).
The .loginProcessingUrl() points to "/fake-url" because the authentication
itself is called from the Wicket login page
via AuthenticatedWebSession.get().signIn(). Or do you use another mechanism
in your Wicket login page?

Zbynek

On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:

> It sort of works, If I go to the actuator I get the http basic auth, if I
> on the same session goto my pages.. I get an "ugly" access denied page and
> not the configured wicket login page. So it sort of works..
>
> If I just goto localhost:8080/ I get an default spring login page not the
> wicket one.. Upon succesfull login it forwards me to the wicket login page,
> where I can login again and then get to the real application..
>
> Below my current code:
>
>
> package dk.netdesign.ccadmin.frontend.security;
>
> import org.springframework.context.annotation.Bean;
> import org.springframework.context.annotation.Configuration;
> import org.springframework.core.annotation.Order;
> import org.springframework.security.authentication.AuthenticationManager;
> import
>
> org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> import
> org.springframework.security.config.annotation.web.builders.HttpSecurity;
> import
>
> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> import org.springframework.security.config.http.SessionCreationPolicy;
> import org.springframework.security.core.Authentication;
> import org.springframework.security.core.context.SecurityContextHolder;
> import org.springframework.security.core.userdetails.User;
> import org.springframework.security.core.userdetails.UserDetailsService;
> import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> import
> org.springframework.security.provisioning.InMemoryUserDetailsManager;
> import org.springframework.stereotype.Component;
>
> @Configuration
> public class WicketWebSecurityAdapterConfig extends
> WebSecurityConfigurerAdapter {
>
>
> @Configuration
> @Order(1)
> public static class RestSecurityConfig extends
> WebSecurityConfigurerAdapter {
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>
>
>
> http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> .and().csrf().disable()
>
>
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> .and().httpBasic();
> }
> }
>
> @Configuration
> @Order(2)
> public static class WicketSecurityConfig extends
> WebSecurityConfigurerAdapter {
> @Override
> protected void configure(HttpSecurity http) throws Exception {
> http.antMatcher("/page/**").authorizeRequests()
> .antMatchers("/page/login**").permitAll()
> .antMatchers("/page/**").hasAnyAuthority("USER",
> "ADMIN")
>
>
> .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
>
> .and().csrf().disable();
> }
> }
>
> @Bean
> public static BCryptPasswordEncoder passwordEncoder() {
> return new BCryptPasswordEncoder();
> }
>
> @Bean(name = "authenticationManager")
> @Override
> public AuthenticationManager authenticationManagerBean() throws
> Exception {
>
> return super.authenticationManagerBean();
> }
> public interface IAuthenticationFacade {
> Authentication getAuthentication();
> }
> @Component
> public class AuthenticationFacade implements IAuthenticationFacade {
>
> @Override
> public Authentication getAuthentication() {
> return SecurityContextHolder.getContext().getAuthentication();
> }
> }
>
> @Bean
> public UserDetailsService userDetailsService() {
> InMemoryUserDetailsManager manager = new
> InMemoryUserDetailsManager();
> manager.createUser(
> User.withUsername("admin")
>
> .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
> .build());
>
> manager.createUser(
> User.withUsername("actuator")
>
> .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> .build());
>
> return manager;
> }
> }
>
>
> On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Thanks will try it:)
> >
> > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros 
> > wrote:
> >
> >> In my case it works something like this:
> >>
> >> @Configuration
> >> @EnableWebSecurity
> >> public class SecurityConfiguration {
> >>
> >> @Configuration
> >> @Order(1)
> >> public static 

Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread nino martinez wael
It sort of works. If I go to the actuator I get the HTTP basic auth; if I
then, in the same session, go to my pages, I get an "ugly" access denied page and
not the configured Wicket login page. So it sort of works..

If I just go to localhost:8080/ I get a default Spring login page, not the
Wicket one. Upon successful login it forwards me to the Wicket login page,
where I can log in again and then get to the real application.

Below my current code:


package dk.netdesign.ccadmin.frontend.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Component;

@Configuration
public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {

    @Configuration
    @Order(1)
    public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
                    .and().csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and().httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/page/**").authorizeRequests()
                    .antMatchers("/page/login**").permitAll()
                    .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
                    .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
                    .and().csrf().disable();
        }
    }

    @Bean
    public static BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean(name = "authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    public interface IAuthenticationFacade {
        Authentication getAuthentication();
    }

    @Component
    public class AuthenticationFacade implements IAuthenticationFacade {

        @Override
        public Authentication getAuthentication() {
            return SecurityContextHolder.getContext().getAuthentication();
        }
    }

    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(
                User.withUsername("admin")
                        .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
                        .build());

        manager.createUser(
                User.withUsername("actuator")
                        .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
                        .build());

        return manager;
    }
}


On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:

> Thanks will try it:)
>
> On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros 
> wrote:
>
>> In my case it works something like this:
>>
>> @Configuration
>> @EnableWebSecurity
>> public class SecurityConfiguration {
>>
>> @Configuration
>> @Order(1)
>> public static class RestSecurityConfig extends
>> WebSecurityConfigurerAdapter {
>>
>> .. user details service, auth providers etc
>>
>> @Override
>> protected void configure(HttpSecurity http) throws Exception {
>>
>>
>> http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
>> .and().csrf().disable()
>>
>>
>> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>> .and().httpBasic();
>> }
>> }
>>
>> @Configuration
>> @Order(2)
>> public static class WicketSecurityConfig extends
>> WebSecurityConfigurerAdapter {
>>
>> .. user details service, auth providers etc
>>
>> @Override
>> 

Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread nino martinez wael
Thanks will try it:)

On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros 
wrote:

> In my case it works something like this:
>
> @Configuration
> @EnableWebSecurity
> public class SecurityConfiguration {
>
> @Configuration
> @Order(1)
> public static class RestSecurityConfig extends
> WebSecurityConfigurerAdapter {
>
> .. user details service, auth providers etc
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>
> http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> .and().csrf().disable()
>
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> .and().httpBasic();
> }
> }
>
> @Configuration
> @Order(2)
> public static class WicketSecurityConfig extends
> WebSecurityConfigurerAdapter {
>
> .. user details service, auth providers etc
>
> @Override
> protected void configure(AuthenticationManagerBuilder auth) throws
> Exception {
> auth.authenticationProvider(wicketAuthenticationProvider);
> }
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
> http.antMatcher("/page/**").authorizeRequests()
> .antMatchers("/page/login**").permitAll()
> .antMatchers("/page/**").hasRole("ROLE")
>
> .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> .and().csrf().disable();
> }
>
> @Override
> @Bean(name = "authenticationManager")
> public AuthenticationManager authenticationManagerBean() throws
> Exception {
> return super.authenticationManagerBean();
> }
> }
> }
>
> The RestSecurityConfigwould be what you would do for actuators, for me
> thats the REST API.
> Not the order of "antMatcher", "authorizeRequests" and " antMatchers".
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > do you have an example? OR is it just to cut them into two like:
> > WebSecurityConfigurerAdapter A:
> >
> >
> http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >
> > WebSecurityConfigurerAdapter B:
> >  http
> >  .csrf().disable()
> >  .authorizeRequests().anyRequest().permitAll()
> >  .and()
> >  .logout()
> >  .permitAll();
> >  http.headers().frameOptions().disable();
> >
> >
> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros 
> > wrote:
> >
> > > Hi,
> > >
> > > I did similar thing, the trick here is to use two
> > > WebSecurityConfigurerAdaptes.
> > >
> > > Zbynek
> > >
> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > > nino.martinez.w...@gmail.com> wrote:
> > >
> > > > Hope its okay to use the wicket user mailing list for this:)
> > > >
> > > > First of all thanks to MarcGiffing for making the project. But I
> cannot
> > > get
> > > > actuator endpoints to work with spring security and wicket spring
> > boot..
> > > > I've tried a lot of things..
> > > >
> > > > IN my WebSecurityConfigurerAdapter:
> > > >
> > > >  http
> > > >
> > > >
> > > >
> > >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > >
> > > > http
> > > > .csrf().disable()
> > > > .authorizeRequests().anyRequest().permitAll()
> > > > .and()
> > > > .logout()
> > > > .permitAll();
> > > > http.headers().frameOptions().disable();
> > > >
> > > > But that just disables actuator and messes with the Wicket side of
> the
> > > > security.. Any one have some clues=
> > > >
> > > > --
> > > > Best regards / Med venlig hilsen
> > > > Nino Martinez
> > > >
> > >
> >
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
> >
>


-- 
Best regards / Med venlig hilsen
Nino Martinez


Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread Zbynek Vavros
In my case it works something like this:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    @Configuration
    @Order(1)
    public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {

        // .. user details service, auth providers etc

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
                    .and().csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and().httpBasic();
        }
    }

    @Configuration
    @Order(2)
    public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {

        // .. user details service, auth providers etc

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(wicketAuthenticationProvider);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/page/**").authorizeRequests()
                    .antMatchers("/page/login**").permitAll()
                    .antMatchers("/page/**").hasRole("ROLE")
                    .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
                    .and().csrf().disable();
        }

        @Override
        @Bean(name = "authenticationManager")
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
    }
}

The RestSecurityConfig would be what you would do for actuators; for me
that's the REST API.
Note the order of "antMatcher", "authorizeRequests" and "antMatchers".

Zbynek

On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:

> do you have an example? OR is it just to cut them into two like:
> WebSecurityConfigurerAdapter A:
>
>  
> http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
> WebSecurityConfigurerAdapter B:
>  http
>  .csrf().disable()
>  .authorizeRequests().anyRequest().permitAll()
>  .and()
>  .logout()
>  .permitAll();
>  http.headers().frameOptions().disable();
>
>
> On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros 
> wrote:
>
> > Hi,
> >
> > I did similar thing, the trick here is to use two
> > WebSecurityConfigurerAdaptes.
> >
> > Zbynek
> >
> > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > Hope its okay to use the wicket user mailing list for this:)
> > >
> > > First of all thanks to MarcGiffing for making the project. But I cannot
> > get
> > > actuator endpoints to work with spring security and wicket spring
> boot..
> > > I've tried a lot of things..
> > >
> > > IN my WebSecurityConfigurerAdapter:
> > >
> > >  http
> > >
> > >
> > >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > >
> > > http
> > > .csrf().disable()
> > > .authorizeRequests().anyRequest().permitAll()
> > > .and()
> > > .logout()
> > > .permitAll();
> > > http.headers().frameOptions().disable();
> > >
> > > But that just disables actuator and messes with the Wicket side of the
> > > security.. Any one have some clues=
> > >
> > > --
> > > Best regards / Med venlig hilsen
> > > Nino Martinez
> > >
> >
>
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>
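
Added example (not part of the thread, and not code from Spring Security or the wicket-spring-boot project): a plain-JDK model of how the two ordered adapters in this message route a request. Each antMatcher scope is tried in @Order sequence and, inside the chosen chain, the first matching antMatchers rule decides. The class, method and chain names are hypothetical, the users are constructed, and the Ant matching is a simplified subset.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration: a plain-JDK model of request routing, not Spring Security code.
public class ChainSelectionDemo {

    // Simplified Ant-to-regex translation (assumption: only the pattern forms used in
    // the thread). "/**" as a whole segment spans any depth; "*" stays inside a segment.
    static Pattern ant(String ant) {
        StringBuilder re = new StringBuilder();
        int i = 0;
        while (i < ant.length()) {
            boolean wholeSegment = ant.startsWith("/**", i)
                    && (i + 3 == ant.length() || ant.charAt(i + 3) == '/');
            if (wholeSegment) {
                re.append("(/.*)?");
                i += 3;
            } else if (ant.charAt(i) == '*') {
                re.append("[^/]*");
                i++;
            } else {
                re.append(Pattern.quote(String.valueOf(ant.charAt(i))));
                i++;
            }
        }
        return Pattern.compile(re.toString());
    }

    // One adapter: its @Order, its http.antMatcher(...) scope, its entry point and its
    // authorizeRequests() rules in declaration order (empty set = permitAll()).
    static final class Chain {
        final int order;
        final String name;
        final Pattern scope;
        final String entryPoint;
        final Map<String, Set<String>> rules = new LinkedHashMap<>();

        Chain(int order, String name, String scope, String entryPoint) {
            this.order = order;
            this.name = name;
            this.scope = ant(scope);
            this.entryPoint = entryPoint;
        }

        Chain rule(String antPattern, String... anyOf) {
            rules.put(antPattern, new HashSet<>(Arrays.asList(anyOf)));
            return this;
        }
    }

    // authorities == null models an unauthenticated request.
    static String decide(List<Chain> chains, String path, Set<String> authorities) {
        List<Chain> sorted = new ArrayList<>(chains);
        sorted.sort(Comparator.comparingInt((Chain c) -> c.order));
        for (Chain chain : sorted) {
            if (!chain.scope.matcher(path).matches()) {
                continue; // out of scope, try the next chain
            }
            for (Map.Entry<String, Set<String>> rule : chain.rules.entrySet()) {
                if (!ant(rule.getKey()).matcher(path).matches()) {
                    continue; // rules are tried in order, first match decides
                }
                if (rule.getValue().isEmpty()) {
                    return chain.name + ": permitted (permitAll)";
                }
                if (authorities == null) {
                    return chain.name + ": unauthenticated, " + chain.entryPoint;
                }
                return chain.name + (Collections.disjoint(rule.getValue(), authorities)
                        ? ": access denied" : ": permitted");
            }
            return chain.name + ": permitted (no rule matched)";
        }
        return "no chain matched, request is not filtered";
    }

    public static void main(String[] args) {
        // Declared out of order on purpose: selection follows @Order, not declaration.
        List<Chain> chains = Arrays.asList(
                new Chain(2, "wicket", "/page/**", "redirect to /page/login")
                        .rule("/page/login**")
                        .rule("/page/**", "USER", "ADMIN"),
                new Chain(1, "actuator", "/actuator/**", "HTTP Basic challenge")
                        .rule("/**", "ROLE_ACTUATOR")); // anyRequest().hasRole("ACTUATOR")
        Set<String> admin = new HashSet<>(Arrays.asList("USER", "ADMIN")); // constructed
        Set<String> monitor = Collections.singleton("ROLE_ACTUATOR");       // constructed
        String[] paths = {"/actuator/health", "/page/login", "/page/home", "/"};
        for (String path : paths) {
            System.out.printf("%-17s anonymous: %s%n", path, decide(chains, path, null));
            System.out.printf("%-17s admin:     %s%n", path, decide(chains, path, admin));
            System.out.printf("%-17s monitor:   %s%n", path, decide(chains, path, monitor));
        }
    }
}
```

A path outside both scopes, such as "/", is matched by neither chain in this model; in a real application an adapter declared without an antMatcher scope applies to every request and would pick it up.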


Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread Zbynek Vavros
Hi,

I did a similar thing, the trick here is to use two
WebSecurityConfigurerAdapters.

Zbynek

On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:

> Hope its okay to use the wicket user mailing list for this:)
>
> First of all thanks to MarcGiffing for making the project. But I cannot get
> actuator endpoints to work with spring security and wicket spring boot..
> I've tried a lot of things..
>
> IN my WebSecurityConfigurerAdapter:
>
>  http
>
>
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
> http
> .csrf().disable()
> .authorizeRequests().anyRequest().permitAll()
> .and()
> .logout()
> .permitAll();
> http.headers().frameOptions().disable();
>
> But that just disables actuator and messes with the Wicket side of the
> security.. Any one have some clues=
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>


Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread nino martinez wael
Do you have an example? Or is it just to cut them into two, like:

WebSecurityConfigurerAdapter A:

http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();

WebSecurityConfigurerAdapter B:

http
    .csrf().disable()
    .authorizeRequests().anyRequest().permitAll()
    .and()
    .logout()
    .permitAll();
http.headers().frameOptions().disable();


On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros 
wrote:

> Hi,
>
> I did similar thing, the trick here is to use two
> WebSecurityConfigurerAdaptes.
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Hope its okay to use the wicket user mailing list for this:)
> >
> > First of all thanks to MarcGiffing for making the project. But I cannot
> get
> > actuator endpoints to work with spring security and wicket spring boot..
> > I've tried a lot of things..
> >
> > IN my WebSecurityConfigurerAdapter:
> >
> >  http
> >
> >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >
> > http
> > .csrf().disable()
> > .authorizeRequests().anyRequest().permitAll()
> > .and()
> > .logout()
> > .permitAll();
> > http.headers().frameOptions().disable();
> >
> > But that just disables actuator and messes with the Wicket side of the
> > security.. Any one have some clues=
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
> >
>


-- 
Best regards / Med venlig hilsen
Nino Martinez


Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread nino martinez wael
Already done that.. Thanks for the idea.. On my webservice project I am
doing this:

http
    .authorizeRequests()
    .antMatchers("/services/**").hasRole("USER").and().httpBasic().and().csrf().disable();
http
    .authorizeRequests()
    .antMatchers("/actuator/**").hasRole("ACTUATOR").and().httpBasic().and().csrf().disable();

And it's working fine. I am wondering if it's because my mount points for
Wicket are all mapped to root, like /home and /login, which could conflict
with /actuator?

On Thu, Jan 24, 2019 at 3:01 PM Andrea Del Bene 
wrote:

> I had a problem with Spring Boot 2 and actuator as many of them are
> disabled by default in the new version. I don't know if this is the case
> for you, but I would try enabling all of them via config file. For example
> with yml is something like:
>
> management:
>   endpoints:
>     web:
>       exposure:
>         include: "*"
>
> On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Hope its okay to use the wicket user mailing list for this:)
> >
> > First of all thanks to MarcGiffing for making the project. But I cannot
> get
> > actuator endpoints to work with spring security and wicket spring boot..
> > I've tried a lot of things..
> >
> > IN my WebSecurityConfigurerAdapter:
> >
> >  http
> >
> >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >
> > http
> > .csrf().disable()
> > .authorizeRequests().anyRequest().permitAll()
> > .and()
> > .logout()
> > .permitAll();
> > http.headers().frameOptions().disable();
> >
> > But that just disables actuator and messes with the Wicket side of the
> > security.. Any one have some clues=
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
> >
>
>
> --
> Andrea Del Bene.
> Apache Wicket committer.
>


-- 
Best regards / Med venlig hilsen
Nino Martinez


Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread Andrea Del Bene
I had a problem with Spring Boot 2 and actuator as many of them are
disabled by default in the new version. I don't know if this is the case
for you, but I would try enabling all of them via config file. For example
with yml is something like:

management:
  endpoints:
    web:
      exposure:
        include: "*"

On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:

> Hope its okay to use the wicket user mailing list for this:)
>
> First of all thanks to MarcGiffing for making the project. But I cannot get
> actuator endpoints to work with spring security and wicket spring boot..
> I've tried a lot of things..
>
> IN my WebSecurityConfigurerAdapter:
>
>  http
>
>
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
> http
> .csrf().disable()
> .authorizeRequests().anyRequest().permitAll()
> .and()
> .logout()
> .permitAll();
> http.headers().frameOptions().disable();
>
> But that just disables actuator and messes with the Wicket side of the
> security.. Any one have some clues=
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>


-- 
Andrea Del Bene.
Apache Wicket committer.


Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-24 Thread nino martinez wael
Hope it's okay to use the Wicket user mailing list for this :)

First of all, thanks to MarcGiffing for making the project. But I cannot get
actuator endpoints to work with Spring Security and Wicket Spring Boot..
I've tried a lot of things..

In my WebSecurityConfigurerAdapter:

http
    .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();

http
    .csrf().disable()
    .authorizeRequests().anyRequest().permitAll()
    .and()
    .logout()
    .permitAll();
http.headers().frameOptions().disable();

But that just disables actuator and messes with the Wicket side of the
security.. Anyone have some clues?

-- 
Best regards / Med venlig hilsen
Nino Martinez