Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-25 Thread Zbynek Vavros
I did it using BundleStringResourceLoader in the end.

Well that's the point of having two WebSecurityConfigurerAdapters.
One takes care of your actuator using HTTP Basic

http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR_ROLE").and().httpBasic();

and the other one takes care of Wicket

http.antMatcher("/wicket/**").authorizeRequests()
    .antMatchers("/wicket/page/login**").permitAll()
    .antMatchers("/wicket/page/**").hasRole("WICKET")
    .and().formLogin().loginPage("/wicket/page/login").loginProcessingUrl("/fake-url")
    .and().csrf().disable();

this will redirect to the login page in case you are not logged in.

Regarding lack of privileges (roles) that's another story and you should
probably read Spring Security docs on how to properly handle those since it's
not really related (i.e. user is already logged in, you sure you want to
re-login?).

Zbynek

On Fri, Jan 25, 2019 at 11:05 AM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:

> Have you gone through this :
>
>
> https://ci.apache.org/projects/wicket/guide/8.x/single.html#_extending_the_default_lookup_algorithm
> (which seems you have, please show a little code)
>
> And could you tell me how to make Spring redirect to my wicket login page
> for all urls except /actuator (which is handled by basic auth)? Also every
> wicket page which requires authentication should redirect to /login page if
> you either lack permissions or aren't logged in..
>
> -Nino
>
>
>
> On Fri, Jan 25, 2019 at 8:18 AM Zbynek Vavros 
> wrote:
>
> > Took me some time to understand as well so I'm glad to share :)
> >
> > I'm in process of tuning this setup so just out of curiosity how did you
> > set up the Wicket properties file(s)? I don't like the idea of having
> > properties in src/main/java and looking for proper way to load them from
> > custom location like
> > src/main/resources/properties/MyWicketApplication.properties.
> >
> > In our previous project we used I18n.init() method but I'm thinking more
> > Wicket-y way,
> > maybe using BundleStringResourceLoader? But so far no luck making that
> > work...
> >
> > Zbynek
> >
> > On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > Yes this is exactly how I've done it :) Thanks for taking time to help...
> > >
> > > @WicketSignInPage
> > > @MountPath("page/login")
> > > public class LoginPage extends BasePage {
> > >
> > >     public LoginPage(PageParameters parameters) {
> > >         super(parameters);
> > >
> > >         if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> > >             continueToOriginalDestination();
> > >         }
> > >         add(new LoginForm("loginForm"));
> > >     }
> > >
> > >     private class LoginForm extends StatelessForm {
> > >
> > >         private String username;
> > >         private String password;
> > >
> > >         public LoginForm(String id) {
> > >             super(id);
> > >             setModel(new CompoundPropertyModel<>(this));
> > >             add(new FeedbackPanel("feedback"));
> > >             add(new RequiredTextField("username"));
> > >             add(new PasswordTextField("password"));
> > >         }
> > >
> > >         @Override
> > >         protected void onSubmit() {
> > >             AuthenticatedWebSession session = AuthenticatedWebSession.get();
> > >             if (session.signIn(username, password)) {
> > >                 setResponsePage(HomePage.class);
> > >             } else {
> > >                 error("Login failed");
> > >             }
> > >         }
> > >     }
> > > }
> > >
> > >
> > > On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros 
> > > wrote:
> > >
> > > > It seems you have mixed my code with your code somehow.
> > > > You must configure formLogin() and specify loginPage() pointing to your
> > > > Wicket login page (maybe using @MountPath?).
> > > > The .loginProcessingUrl() points to "/fake-url" because the authentication
> > > > itself is called from Wicket login page
> > > > via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> > > > in your Wicket login page?
> > > >
> > > > Zbynek
> > > >
> > > > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > > > nino.martinez.w...@gmail.com> wrote:
> > > >
> > > > > It sort of works, If I go to the actuator I get the http basic auth, if I
> > > > > on the same session go to my pages.. I get an "ugly" access denied page and
> > > > > not the configured wicket login page. So it sort of works..
> > > > >
> > > > > If I just go to localhost:8080/ I get a default spring login page not the
> > > > > wicket one.. Upon successful login it forwards me to the wicket login page,
> > > > > where I can login again and then get to the real application..
> > > > >
> > > > > Below my current code:
> > > > >
> > > > >
> > > > > package dk.netdesign.ccadmin.frontend.security;
> > > > >
> > > > > import org.springframework.context.annotation.Bean;
> > > > > import org.springframework.context.annotation.Configuration;
> > > > > import org.springframework.core.annotation.Order;
> > > > > import
> > > 
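
Added example, not code from the thread or from either poster's project: the two-adapter setup described in the reply above, written out as complete configuration classes for Spring Security 5.1 (the version shipped with Boot 2.1.x). The class names and the third catch-all chain are assumptions; without a catch-all, a URL outside /actuator/** and /wicket/** matches neither filter chain and is not filtered by Spring Security at all.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig {  // hypothetical class name

    // Chain 1: actuator endpoints only, authenticated with HTTP Basic.
    @Configuration
    @Order(1)  // each adapter needs a unique order; lower values are matched first
    public static class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/actuator/**")
                .authorizeRequests().anyRequest().hasRole("ACTUATOR_ROLE")
                .and().httpBasic();
        }
    }

    // Chain 2: Wicket pages. Unauthenticated users are redirected to the Wicket login
    // page; CSRF is disabled as in the thread, so Spring checks no CSRF token here.
    @Configuration
    @Order(2)
    public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/wicket/**")
                .authorizeRequests()
                    .antMatchers("/wicket/page/login**").permitAll()
                    .antMatchers("/wicket/page/**").hasRole("WICKET")
                .and().formLogin()
                    .loginPage("/wicket/page/login")
                    .loginProcessingUrl("/fake-url")  // never used: sign-in happens in Wicket
                .and().csrf().disable();
        }
    }

    // Chain 3 (assumption, not in the thread): no antMatcher, so it catches every
    // request the two chains above did not claim and rejects it.
    @Configuration
    @Order(3)
    public static class DenyEverythingElseConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().denyAll();
        }
    }
}
```

If the application serves anything outside those two prefixes (static resources, a root redirect), the catch-all chain needs explicit permitAll() rules for those paths ahead of denyAll().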

Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)

2019-01-25 Thread nino martinez wael
Have you gone through this :

https://ci.apache.org/projects/wicket/guide/8.x/single.html#_extending_the_default_lookup_algorithm
(which seems you have, please show a little code)

And could you tell me how to make Spring redirect to my wicket login page
for all urls except /actuator (which is handled by basic auth)? Also every
wicket page which requires authentication should redirect to /login page if
you either lack permissions or aren't logged in..

-Nino



On Fri, Jan 25, 2019 at 8:18 AM Zbynek Vavros 
wrote:

> Took me some time to understand as well so I'm glad to share :)
>
> I'm in process of tuning this setup so just out of curiosity how did you
> set up the Wicket properties file(s)? I don't like the idea of having
> properties in src/main/java and looking for proper way to load them from
> custom location like
> src/main/resources/properties/MyWicketApplication.properties.
>
> In our previous project we used I18n.init() method but I'm thinking more
> Wicket-y way,
> maybe using BundleStringResourceLoader? But so far no luck making that
> work...
>
> Zbynek
>
> On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Yes this is exactly how I've done it :) Thanks for taking time to help...
> >
> > @WicketSignInPage
> > @MountPath("page/login")
> > public class LoginPage extends BasePage {
> >
> >     public LoginPage(PageParameters parameters) {
> >         super(parameters);
> >
> >         if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> >             continueToOriginalDestination();
> >         }
> >         add(new LoginForm("loginForm"));
> >     }
> >
> >     private class LoginForm extends StatelessForm {
> >
> >         private String username;
> >         private String password;
> >
> >         public LoginForm(String id) {
> >             super(id);
> >             setModel(new CompoundPropertyModel<>(this));
> >             add(new FeedbackPanel("feedback"));
> >             add(new RequiredTextField("username"));
> >             add(new PasswordTextField("password"));
> >         }
> >
> >         @Override
> >         protected void onSubmit() {
> >             AuthenticatedWebSession session = AuthenticatedWebSession.get();
> >             if (session.signIn(username, password)) {
> >                 setResponsePage(HomePage.class);
> >             } else {
> >                 error("Login failed");
> >             }
> >         }
> >     }
> > }
> >
> >
> > On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros 
> > wrote:
> >
> > > It seems you have mixed my code with your code somehow.
> > > You must configure formLogin() and specify loginPage() pointing to your
> > > Wicket login page (maybe using @MountPath?).
> > > The .loginProcessingUrl() points to "/fake-url" because the authentication
> > > itself is called from Wicket login page
> > > via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> > > in your Wicket login page?
> > >
> > > Zbynek
> > >
> > > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > > nino.martinez.w...@gmail.com> wrote:
> > >
> > > > It sort of works, If I go to the actuator I get the http basic auth, if I
> > > > on the same session go to my pages.. I get an "ugly" access denied page and
> > > > not the configured wicket login page. So it sort of works..
> > > >
> > > > If I just go to localhost:8080/ I get a default spring login page not the
> > > > wicket one.. Upon successful login it forwards me to the wicket login page,
> > > > where I can login again and then get to the real application..
> > > >
> > > > Below my current code:
> > > >
> > > >
> > > > package dk.netdesign.ccadmin.frontend.security;
> > > >
> > > > import org.springframework.context.annotation.Bean;
> > > > import org.springframework.context.annotation.Configuration;
> > > > import org.springframework.core.annotation.Order;
> > > > import org.springframework.security.authentication.AuthenticationManager;
> > > > import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > > import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > > import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > > import org.springframework.security.config.http.SessionCreationPolicy;
> > > > import org.springframework.security.core.Authentication;
> > > > import org.springframework.security.core.context.SecurityContextHolder;
> > > > import org.springframework.security.core.userdetails.User;
> > > > import org.springframework.security.core.userdetails.UserDetailsService;
> > > > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > > import org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > > import org.springframework.stereotype.Component;
> > > >
> > > > @Configuration
> > > > public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {
> > > >
> > > >
> > > > @Configuration
> > > > @Order(1)
> > > > public static class RestSecurityConfig