Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
I did it using BundleStringResourceLoader in the end.

Well, that's the point of having two WebSecurityConfigurerAdapters. One takes care of your actuator using HTTP Basic

    http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR_ROLE").and().httpBasic();

and the other one takes care of Wicket

    http.antMatcher("/wicket/**").authorizeRequests()
        .antMatchers("/wicket/page/login**").permitAll()
        .antMatchers("/wicket/page/**").hasRole("WICKET")
        .and().formLogin().loginPage("/wicket/page/login").loginProcessingUrl("/fake-url")
        .and().csrf().disable();

this will redirect to login page in case you are not logged in.

Regarding lack of privileges (roles) that's another story and you should probably read Spring Security docs on how to properly handle those since it's not really related (i.e. user is already logged in, you sure you want to re-login?).

Zbynek
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Have you gone through this:

https://ci.apache.org/projects/wicket/guide/8.x/single.html#_extending_the_default_lookup_algorithm
(which seems you have, please show a little code)

And could you tell me how to make Spring redirect to my wicket login page for all urls except /actuator (which is handled by basic auth)? Also every wicket page which requires authentication should redirect to /login page if you either lack permissions or aren't logged in.

-Nino
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Took me some time to understand as well so I'm glad to share :)

I'm in process of tuning this setup so just out of curiosity how did you set up the Wicket properties file(s)? I don't like the idea of having properties in src/main/java and I'm looking for a proper way to load them from a custom location like src/main/resources/properties/MyWicketApplication.properties.

In our previous project we used I18n.init() method but I'm thinking more Wicket-y way, maybe using BundleStringResourceLoader? But so far no luck making that work...

Zbynek
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Yes this is exactly how I've done it :) Thanks for taking time to help...

    @WicketSignInPage
    @MountPath("page/login")
    public class LoginPage extends BasePage {

        public LoginPage(PageParameters parameters) {
            super(parameters);

            if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
                continueToOriginalDestination();
            }
            add(new LoginForm("loginForm"));
        }

        private class LoginForm extends StatelessForm {

            private String username;
            private String password;

            public LoginForm(String id) {
                super(id);
                setModel(new CompoundPropertyModel<>(this));
                add(new FeedbackPanel("feedback"));
                add(new RequiredTextField("username"));
                add(new PasswordTextField("password"));
            }

            @Override
            protected void onSubmit() {
                AuthenticatedWebSession session = AuthenticatedWebSession.get();
                if (session.signIn(username, password)) {
                    setResponsePage(HomePage.class);
                } else {
                    error("Login failed");
                }
            }
        }
    }
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
It seems you have mixed my code with your code somehow.
You must configure formLogin() and specify loginPage() pointing to your Wicket login page (maybe using @MountPath?).
The .loginProcessingUrl() points to "/fake-url" because the authentication itself is called from Wicket login page via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism in your Wicket login page?

Zbynek
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
It sort of works. If I go to the actuator I get the http basic auth, if I on the same session go to my pages I get an "ugly" access denied page and not the configured wicket login page. So it sort of works.

If I just go to localhost:8080/ I get a default spring login page, not the wicket one. Upon successful login it forwards me to the wicket login page, where I can login again and then get to the real application.

Below my current code:

    package dk.netdesign.ccadmin.frontend.security;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;
    import org.springframework.stereotype.Component;

    @Configuration
    public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {

        @Configuration
        @Order(1)
        public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
                    .and().csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and().httpBasic();
            }
        }

        @Configuration
        @Order(2)
        public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/page/**").authorizeRequests()
                    .antMatchers("/page/login**").permitAll()
                    .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
                    .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
                    .and().csrf().disable();
            }
        }

        @Bean
        public static BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Bean(name = "authenticationManager")
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        public interface IAuthenticationFacade {
            Authentication getAuthentication();
        }

        @Component
        public class AuthenticationFacade implements IAuthenticationFacade {

            @Override
            public Authentication getAuthentication() {
                return SecurityContextHolder.getContext().getAuthentication();
            }
        }

        @Bean
        public UserDetailsService userDetailsService() {
            InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
            manager.createUser(
                User.withUsername("admin")
                    .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
                    .build());

            manager.createUser(
                User.withUsername("actuator")
                    .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
                    .build());

            return manager;
        }
    }
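Added example, not part of any message in this thread: a small Python model of how Spring Security picks one filter chain per request when several WebSecurityConfigurerAdapter beans exist, using the chain patterns and rules from the configuration posted above. It assumes the outer class, which extends WebSecurityConfigurerAdapter without overriding configure(HttpSecurity), contributes the adapter's default chain (order 100, any request, generated /login page); the matcher is a simplified stand-in for Ant path matching that covers only the pattern shapes used here, and the names `Chain`, `decide`, `POSTED` and `TWO_ADAPTERS` are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Rule requirement: None = permitAll, empty set = any authenticated user,
# non-empty set = the user needs at least one of these authorities.
Requirement = Optional[FrozenSet[str]]


def ant_match(pattern: str, path: str) -> bool:
    """Simplified Ant-style matching (assumption: only this thread's pattern shapes)."""
    if pattern == "/**":
        return True
    if pattern.endswith("/**") and "*" not in pattern[:-3]:
        base = pattern[:-3]                      # "/page/**" covers "/page" and below
        return path == base or path.startswith(base + "/")
    # Inside a segment, "*" (and "**") match any run of characters except "/".
    regex = "".join("[^/]*" if tok == "*" else re.escape(tok)
                    for tok in re.split(r"(\*)", pattern))
    return re.fullmatch(regex, path) is not None


@dataclass
class Chain:
    name: str
    order: int                                   # @Order value; lower is consulted first
    pattern: str                                 # http.antMatcher(...), "/**" if unset
    entry_point: str                             # response to an anonymous request
    rules: List[Tuple[str, Requirement]]         # authorizeRequests(), first match wins


def decide(chains: List[Chain], url: str,
           authorities: Optional[FrozenSet[str]] = None) -> Tuple[Optional[str], str]:
    """Return (chain name, outcome). authorities=None models an anonymous request."""
    path = url.split("?", 1)[0]                  # the query string is not matched
    chain = next((c for c in sorted(chains, key=lambda c: c.order)
                  if ant_match(c.pattern, path)), None)
    if chain is None:
        return None, "unfiltered"                # no chain matched: no security filters run
    for pattern, required in chain.rules:
        if not ant_match(pattern, path):
            continue
        if required is None:
            return chain.name, "permit"
        if authorities is None:
            return chain.name, chain.entry_point
        if not required or required & authorities:
            return chain.name, "permit"
        return chain.name, "403"                 # logged in but lacking the authority
    return chain.name, "permit"                  # no rule matched inside the chain


# hasRole("ACTUATOR") checks the authority "ROLE_ACTUATOR".
ACTUATOR = Chain("RestSecurityConfig", 1, "/actuator/**", "401 basic",
                 [("/**", frozenset({"ROLE_ACTUATOR"}))])
WICKET = Chain("WicketSecurityConfig", 2, "/page/**", "redirect:/page/login",
               [("/page/login**", None),
                ("/page/**", frozenset({"USER", "ADMIN"}))])
# Assumption: default chain contributed by the outer adapter class (see lead-in).
DEFAULT = Chain("WicketWebSecurityAdapterConfig", 100, "/**", "redirect:/login",
                [("/**", frozenset())])

POSTED = [DEFAULT, WICKET, ACTUATOR]             # list order is irrelevant, @Order decides
TWO_ADAPTERS = [ACTUATOR, WICKET]                # outer class is a plain holder

if __name__ == "__main__":
    for label, chains in (("posted", POSTED), ("two adapters", TWO_ADAPTERS)):
        for url in ("/", "/actuator/health", "/page/login?0", "/page/home"):
            print(f"{label:13} {url:18} -> {decide(chains, url)}")
```

With only the two nested adapters, `/` matches neither chain, so Spring Security applies no filters to it and any protection for that path has to come from the application itself.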
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Thanks will try it:)

--
Best regards / Med venlig hilsen
Nino Martinez
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
In my case it works something like this:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        // Checked first: stateless HTTP Basic chain, scoped to /api/** only
        @Configuration
        @Order(1)
        public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {

            // .. user details service, auth providers etc

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
                    .and().csrf().disable()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and().httpBasic();
            }
        }

        // Checked second: form-login chain for the Wicket pages under /page/**
        @Configuration
        @Order(2)
        public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {

            // .. user details service, auth providers etc

            @Override
            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
                auth.authenticationProvider(wicketAuthenticationProvider);
            }

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/page/**").authorizeRequests()
                    .antMatchers("/page/login**").permitAll()
                    .antMatchers("/page/**").hasRole("ROLE")
                    .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
                    .and().csrf().disable();
            }

            @Override
            @Bean(name = "authenticationManager")
            public AuthenticationManager authenticationManagerBean() throws Exception {
                return super.authenticationManagerBean();
            }
        }
    }

The RestSecurityConfig would be what you would do for actuators, for me that's the REST API.
Note the order of "antMatcher", "authorizeRequests" and "antMatchers".

Zbynek

On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:

> do you have an example? OR is it just to cut them into two like:
>
> WebSecurityConfigurerAdapter A:
>
>     http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
> WebSecurityConfigurerAdapter B:
>
>     http
>         .csrf().disable()
>         .authorizeRequests().anyRequest().permitAll()
>         .and()
>         .logout()
>         .permitAll();
>     http.headers().frameOptions().disable();
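
A regression check for the two-adapter configuration in the message above, added here as an example and not code posted by anyone in the thread. It assumes JUnit 4 with spring-boot-starter-test and spring-security-test on the test classpath; the class name and the paths "/api/ping" and "/page/home" are hypothetical.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added example (not from the thread). Assumes JUnit 4, spring-boot-starter-test and
// spring-security-test; "/api/ping" and "/page/home" are hypothetical paths.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class SecurityChainsTest {

    @Autowired
    private MockMvc mvc;

    // @Order(1) chain: anonymous /api/** gets an HTTP Basic challenge, not a login redirect.
    @Test
    public void apiWithoutCredentialsGetsBasicChallenge() throws Exception {
        mvc.perform(get("/api/ping"))
           .andExpect(status().isUnauthorized())
           .andExpect(header().exists("WWW-Authenticate"));
    }

    // @Order(2) chain: anonymous /page/** is redirected to the Wicket login page.
    @Test
    public void pageWithoutSessionRedirectsToLogin() throws Exception {
        mvc.perform(get("/page/home"))
           .andExpect(status().is3xxRedirection())
           .andExpect(redirectedUrlPattern("**/page/login"));
    }

    // Logged in but without the required role: 403 instead of another login round trip.
    @Test
    @WithMockUser(roles = "OTHER")
    public void pageWithWrongRoleIsForbidden() throws Exception {
        mvc.perform(get("/page/home"))
           .andExpect(status().isForbidden());
    }
}
```

A request that matches neither antMatcher is not processed by either security chain, so any page mounted outside /page/** needs its own matcher and its own test.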
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Hi,

I did a similar thing, the trick here is to use two WebSecurityConfigurerAdapters.

Zbynek

On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:

> Hope it's okay to use the wicket user mailing list for this :)
>
> First of all thanks to MarcGiffing for making the project. But I cannot get
> actuator endpoints to work with spring security and wicket spring boot..
> I've tried a lot of things..
>
> In my WebSecurityConfigurerAdapter:
>
>     http
>         .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
>     http
>         .csrf().disable()
>         .authorizeRequests().anyRequest().permitAll()
>         .and()
>         .logout()
>         .permitAll();
>     http.headers().frameOptions().disable();
>
> But that just disables actuator and messes with the Wicket side of the
> security.. Anyone have some clues?
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
do you have an example? OR is it just to cut them into two like:

WebSecurityConfigurerAdapter A:

    http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();

WebSecurityConfigurerAdapter B:

    http
        .csrf().disable()
        .authorizeRequests().anyRequest().permitAll()
        .and()
        .logout()
        .permitAll();
    http.headers().frameOptions().disable();

On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros wrote:

> Hi,
>
> I did a similar thing, the trick here is to use two
> WebSecurityConfigurerAdapters.
>
> Zbynek

--
Best regards / Med venlig hilsen
Nino Martinez
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Already done that.. Thanks for the idea.. On my webservice project I am doing this:

    http
        .authorizeRequests()
        .antMatchers("/services/**").hasRole("USER")
        .and().httpBasic()
        .and().csrf().disable();
    http
        .authorizeRequests()
        .antMatchers("/actuator/**").hasRole("ACTUATOR")
        .and().httpBasic()
        .and().csrf().disable();

And it's working fine, I am wondering if it's because my mountpoints for wicket all are mapped to root like /home /login .. Which could conflict with /actuator?

On Thu, Jan 24, 2019 at 3:01 PM Andrea Del Bene wrote:

> I had a problem with Spring Boot 2 and actuator as many of them are
> disabled by default in the new version. I don't know if this is the case
> for you, but I would try enabling all of them via config file. For example
> with yml is something like:
>
>     management:
>       endpoints:
>         web:
>           exposure:
>             include: "*"
>
> --
> Andrea Del Bene.
> Apache Wicket committer.

--
Best regards / Med venlig hilsen
Nino Martinez
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
I had a problem with Spring Boot 2 and actuator as many of them are disabled by default in the new version. I don't know if this is the case for you, but I would try enabling all of them via config file. For example with yml is something like:

    management:
      endpoints:
        web:
          exposure:
            include: "*"

On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:

> Hope it's okay to use the wicket user mailing list for this :)
>
> First of all thanks to MarcGiffing for making the project. But I cannot get
> actuator endpoints to work with spring security and wicket spring boot..
> I've tried a lot of things..
>
> In my WebSecurityConfigurerAdapter:
>
>     http
>         .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
>     http
>         .csrf().disable()
>         .authorizeRequests().anyRequest().permitAll()
>         .and()
>         .logout()
>         .permitAll();
>     http.headers().frameOptions().disable();
>
> But that just disables actuator and messes with the Wicket side of the
> security.. Anyone have some clues?
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez

--
Andrea Del Bene.
Apache Wicket committer.
Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Hope it's okay to use the wicket user mailing list for this :)

First of all thanks to MarcGiffing for making the project. But I cannot get actuator endpoints to work with spring security and wicket spring boot.. I've tried a lot of things..

In my WebSecurityConfigurerAdapter:

    http
        .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();

    http
        .csrf().disable()
        .authorizeRequests().anyRequest().permitAll()
        .and()
        .logout()
        .permitAll();
    http.headers().frameOptions().disable();

But that just disables actuator and messes with the Wicket side of the security.. Anyone have some clues?

--
Best regards / Med venlig hilsen
Nino Martinez