Re: Wicket / OAuth2
Hi Sebastien,

What exactly do you need? I have used https://github.com/fernandezpablo85/scribe-java to create "Authenticate with Xyz" buttons for signing in (e.g. with Facebook, Twitter and LinkedIn). The developer of Scribe doesn't like OAuth2 (as many other developers) and at some point he stated that he will not merge any new PRs for OAuth2 impls. I don't see this statement in the README now, so he may have changed his mind.

Another auth client provider is https://github.com/leleuj/pac4j. I don't have experience with it but it looks well maintained.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Sep 1, 2014 at 6:58 PM, Sebastien seb...@gmail.com wrote:
> Hi all,
>
> AFAIS, there is nothing about an OAuth2 client in Wicket out-of-the-box or through a satellite project... Does somebody know a *simple* solution for integrating OAuth2 into Wicket (like an OAuthWebApplication, or maybe a ready-to-use Filter, just giving Consumer Key, Consumer Secret URLs), without using spring-security and still keeping the advantage of the role-based @AuthorizeInstantiation annotation for instance?
>
> Thanks a lot in advance,
> Sebastien.
Re: Wicket / OAuth2
Hi Sebastien,

Did you have a look at Apache Shiro? http://shiro.apache.org/integration.html
There is an OAuth link... but I did not look deeper...

And what I additionally have found seems to be in progress: https://issues.apache.org/jira/browse/SHIRO-119

Kind regards
Patrick Brown

On 01.09.2014 17:58, Sebastien wrote:
> [original question, quoted above]
Re: Wicket / OAuth2
Hi,

Apache Shiro seems to be in a very bad state at the moment. There is no active development in the last year and its dev@ list is very quiet - no one responds to users' questions like "Is Shiro still alive?"

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Sep 2, 2014 at 12:37 PM, Patrick Davids patrick.dav...@nubologic.com wrote:
> [Patrick's Shiro suggestion, quoted above]
Re: Wicket / OAuth2
Hi Martin,

The question is not so much about having a sign-in button to authenticate the user but more about how to make it work with AuthenticatedWebApplication (or a custom OAuthWebApplication for instance). The final goal is to keep IRoleCheckingStrategy working, i.e.: the user accesses an @AuthorizeInstantiation annotated page, #restartResponseAtSignInPage (for instance) redirects to the OAuth url, the OAuth service redirects to a callback, which callback is a Wicket IRequestHandler, the handler sets isSignedIn to true, sets the roles and then calls #redirectToOriginalDestination.

That's how I see things, but I don't see any existing Wicket solutions... Is the use case clearer?

Thanks again,
Sebastien.

On Tue, Sep 2, 2014 at 9:06 AM, Martin Grigorov mgrigo...@apache.org wrote:
> [Martin's first reply, quoted above]
Re: Wicket / OAuth2
> Is Shiro still alive?

I hope so... just used it google-guice integrated.

But, by the way... if not alive... any alternatives to Shiro?

Patrick

On 02.09.2014 11:42, Martin Grigorov wrote:
> [Martin's message on the state of Shiro, quoted above]

--
Kind regards,
Patrick Davids
nuboLOGIC GmbH Co. KG
Kieler Str. 103-107 • 25474 Bönningstedt
Tel.: +49 40 228539 732
Email: patrick.dav...@nubologic.com
http://www.nubologic.com
Commercial register: HRA6819 Pi | Amtsgericht Pinneberg
Management of the administrative company: Daniel Fraga Zander
HRB10145Pi | Amtsgericht Pinneberg
Re: Wicket / OAuth2
Hi Sebastien,

The button is just a UI. But the idea is the same.

The difference is that the OAuth provider is rather an authentication service than an authorization one. Usually the user of some social network doesn't want to share his details with random apps (like yours and mine). So when you create an application at Twitter, Facebook, ... you have to specify what kind of details you want to be sent to the callback url. When a user authenticates (s)he is asked whether (s)he is willing to share these details (e.g. username, email, gender, ...).

In my experience users use OAuth for authentication:
1) to reduce the number of accounts they have
2) to reduce the information they provide to random apps

So (usually) the OAuth provider doesn't send much info about the authenticated user when calling your callback. I haven't seen anything like roles and privileges in the OAuth responses. It could be that I don't have enough experience with OAuth but I think the authorization part is left to the application.

About your use case:
- the user tries to load some protected resource/page
- the application should:
-- store the details about the requested resource (url + post data)
-- redirect to the authentication url of the OAuth provider by passing the callback url
- if the user agrees to share the required data then your callback url is called with the data. You should use it like a normal authentication token, create a User in the session, etc.

P.S. I have used a popup window for the authentication because if the user is not willing to share all the required info then the oauth provider may not call the callback url and your user may not return to your app and make a normal account

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Sep 2, 2014 at 12:46 PM, Sebastien seb...@gmail.com wrote:
> [Sebastien's description of the use case, quoted above]
Re: Wicket / OAuth2
Hi,

We use Spring Security for Artifact Listener but I think the general principle should be the same: https://github.com/openwide-java/artifact-listener/ and you might find it interesting to see how we did it.

Martin already mentioned it earlier but we use pac4j for OpenId/OAuth/whatever.

--
Guillaume

On Tue, Sep 2, 2014 at 12:11 PM, Martin Grigorov mgrigo...@apache.org wrote:
> [Martin's explanation of the callback flow, quoted above]
Re: Wicket / OAuth2
On Tue, Sep 2, 2014 at 12:49 PM, Patrick Davids patrick.dav...@nubologic.com wrote:
> Is Shiro still alive? I hope so... just used it google-guice integrated.

I also hope so. It is a nice product and there are not many alternatives. The only commit in the last few months was by Les Hazlewood (the creator of the project) on Shiro 2.0. But for some reason none of the other developers said something about it and there is no second commit in this branch for 3 months now (https://github.com/apache/shiro/tree/2.0-api-design-changes)

> But, by the way... if not alive... any alternatives to shiro?

PicketLink is more JavaEE oriented. It is developed by JBoss (for good or bad) and uses CDI heavily.

If I need something like this now I'd try https://github.com/leleuj/pac4j first.

> Patrick
Re: Wicket / OAuth2
Hi Martin,

> but I think the authorization part is left to the application.

Absolutely. Actually the OAuth service is specific to the company I'm working for, it's just an authentication system (based on our central directory) and there is no data the user can choose to share or not. Roles are then application specific.

> -- store the details about the requested resource (url + post data)

Was thinking about reusing org.apache.wicket.RestartResponseAtInterceptPageException.InterceptData (which unfortunately has package visibility).

> -- redirect to the authentication url of the OAuth provider by passing the callback url

As the authorization is part of the application, we need a slot, in the cycle, to set AuthenticatedWebSession#signin(true) and set the application's role. That's why I thought about an IRequestHandler's url as callback (or an IRequestListener url?) before redirecting to the original destination...

> the oauth provider may not call the callback url and your user may not return to your app

Good point! Will take care of that...

Thanks everybody for your responses. I will try to manage this properly...

Best regards,
Sebastien.

On Tue, Sep 2, 2014 at 12:11 PM, Martin Grigorov mgrigo...@apache.org wrote:
> [Martin's explanation of the callback flow, quoted above]
Re: Wicket / OAuth2
On Tue, Sep 2, 2014 at 3:04 PM, Sebastien seb...@gmail.com wrote:
> Hi Martin,
>
> > but I think the authorization part is left to the application.
>
> Absolutely. Actually the OAuth service is specific to the company I'm working for, it's just an authentication system (based on our central directory) and there is no data the user can choose to share or not. Roles are then application specific.
>
> > -- store the details about the requested resource (url + post data)
>
> Was thinking about reusing org.apache.wicket.RestartResponseAtInterceptPageException.InterceptData (which unfortunately has package visibility)

We can improve this for 6.18.0. Please file a ticket (+ PR/patch would be nice!)

> > -- redirect to the authentication url of the OAuth provider by passing the callback url
>
> As the authorization is part of the application, we need a slot, in the cycle, to set AuthenticatedWebSession#signin(true) and set the application's

This is what I meant by a User in the Session:

MySession#user
MySession#isSignedIn() { return user != null; }
MySession#getRoles() { return user != null ? user.getRoles() : anonymous; }

> role. That's why I thought about an IRequestHandler's url as callback (or an IRequestListener url?) before redirecting to the original destination...

Whatever kind of endpoint you choose it has to be well protected. Because otherwise a bad user can use it to send fake data directly to it and authenticate as whatever (s)he wants.

> > the oauth provider may not call the callback url and your user may not return to your app
>
> Good point! Will take care of that...
>
> Thanks everybody for your responses. I will try to manage this properly...
>
> Best regards,
> Sebastien.
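The flow Sebastien describes, plus the "well protected endpoint" point Martin makes, as an added example written against the Wicket 6 auth-roles API (it is not code from this thread, from Wicket, or from scribe/pac4j): the sign-in page is only a trampoline to the provider, the mounted callback page is the "slot" that signs the session in and attaches application-specific roles, and a single-use state token together with a server-side code exchange keep the callback from accepting data a user forges directly. OAuthClient and AuthenticatedUser are assumed placeholders for your own OAuth2 library adapter; the concrete application subclass supplies getHomePage() and oauthClient(), and in a real project each class goes in its own file as a public class.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.wicket.RedirectToUrlException;
import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.servlet.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.mapper.parameter.PageParameters;
/** Assumed adapter around your OAuth2 library (scribe, pac4j, ...); not a real API of either. */
interface OAuthClient extends Serializable {
    /** Provider authorization URL carrying our callback URL and the CSRF "state" token. */
    String authorizationUrl(String state);
    /** Exchanges the code at the provider's token endpoint; null if the provider rejects it. */
    AuthenticatedUser exchangeCode(String code);
}

/** Assumed user record; roles are decided by the application, not by the OAuth provider. */
class AuthenticatedUser implements Serializable {
    final String id; final String[] roles;
    AuthenticatedUser(String id, String... roles) { this.id = id; this.roles = roles; }
}

/** Keeps AuthenticatedWebApplication's role checks; the "sign-in page" only bounces to the provider. */
abstract class OAuthWebApplication extends AuthenticatedWebApplication {
    abstract OAuthClient oauthClient(); // the concrete subclass returns its scribe/pac4j-backed adapter
    @Override protected Class<? extends AbstractAuthenticatedWebSession> getWebSessionClass() { return OAuthSession.class; }
    @Override protected Class<? extends WebPage> getSignInPageClass() { return OAuthRedirectPage.class; }
    @Override protected void init() { super.init(); mountPage("/oauth/callback", OAuthCallbackPage.class); }
}

class OAuthSession extends AuthenticatedWebSession {
    private AuthenticatedUser user;
    private String pendingState;
    public OAuthSession(Request request) { super(request); }
    static OAuthSession get() { return (OAuthSession) Session.get(); }
    @Override protected boolean authenticate(String username, String password) { return false; } // no password login
    @Override public Roles getRoles() { return user != null ? new Roles(user.roles) : new Roles(); }
    /** Unguessable state, kept in the session so the callback can prove the round trip started here. */
    String newState() {
        byte[] random = new byte[32]; new SecureRandom().nextBytes(random);
        pendingState = Base64.getUrlEncoder().withoutPadding().encodeToString(random);
        dirty(); return pendingState;
    }
    /** Single use and constant-time: a replayed or forged callback does not match. */
    boolean consumeState(String presented) {
        String expected = pendingState; pendingState = null; dirty();
        return expected != null && presented != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }
    /** The slot Sebastien asked for: mark the session signed in and attach the application's roles. */
    void signInAs(AuthenticatedUser u) { user = u; signIn(true); dirty(); }
}

/** Reached via restartResponseAtSignInPage(), so Wicket has already recorded the original destination. */
class OAuthRedirectPage extends WebPage {
    public OAuthRedirectPage() {
        OAuthClient client = ((OAuthWebApplication) getApplication()).oauthClient();
        throw new RedirectToUrlException(client.authorizationUrl(OAuthSession.get().newState()));
    }
}

/** Mounted at /oauth/callback; nothing in the query string is trusted on its own. */
class OAuthCallbackPage extends WebPage {
    public OAuthCallbackPage(PageParameters params) {
        OAuthSession session = OAuthSession.get();
        if (!session.consumeState(params.get("state").toOptionalString())) {
            throw new AbortWithHttpErrorCodeException(403, "unexpected OAuth state");
        }
        // Identity comes from the provider's token endpoint, never from data sent to this URL.
        AuthenticatedUser user = ((OAuthWebApplication) getApplication()).oauthClient()
            .exchangeCode(params.get("code").toOptionalString());
        if (user == null) throw new AbortWithHttpErrorCodeException(401, "OAuth code exchange failed");
        session.signInAs(user);
        continueToOriginalDestination();                 // redirects when an intercept was recorded
        setResponsePage(getApplication().getHomePage()); // otherwise land on the home page
    }
}
```

With this in place an @AuthorizeInstantiation page still triggers restartResponseAtSignInPage() through AuthenticatedWebApplication's unauthorized-instantiation listener, and IRoleCheckingStrategy keeps reading roles from OAuthSession#getRoles().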