wicket is secure by default. why use spring security?
Hi all Wicket users. While I was trying to design a Wicket app in my mind, the first thing I thought of was authentication and (Spring) security. I know that Wicket is secure by default (a quote from the Wicket features page? :), and we can use Wicket's annotation-based auth security. Wicket will automatically redirect to the original page after login. So... did anyone think about it: what is the real reason to use Spring or another security framework (Shiro?) for authentication? What benefits does it bring apart from some standards overhead for the app? Is it integration with other auth systems (OpenID, Facebook login or whatever)? Or what? Just pennies for thought...

Žilvinas Vilutis
Mobile: (+1) 623 330 6048
E-mail: cika...@gmail.com
Re: wicket is secure by default. why use spring security?
It all depends on your needs ;-). I don't know much about Spring Security, but personally speaking I've always been fine with Wicket authentication.
Re: wicket is secure by default. why use spring security?
http://javajeedevelopment.blogspot.com/2011/03/integrating-spring-security-3-with.html

2011/9/19 Andrea Del Bene <adelb...@ciseonweb.it>:

--
Cdt Moèz
Re: wicket is secure by default. why use spring security?
You're taking the statement "Wicket is secure by default" out of its context. The full statement is: "Wicket is secure by default. URLs do not expose sensitive information and all component paths are session-relative. Explicit steps must be taken to share information between sessions. Furthermore URL encryption allows highly secure web sites."

The statement has nothing to do with authorisation and authentication, but with common security pitfalls when designing web applications which may result in exposing sensitive information, e.g. JavaScript-related security holes in your pages. Authorisation and authentication are in a completely different ballpark.

The features of Wicket's annotation-based auth security can be used to integrate Wicket with either Spring Security or Apache Shiro; they are certainly not a replacement for those frameworks (although those frameworks offer alternative ways to declare authorisation requirements). So use Spring Security or Apache Shiro if you want to integrate authorisation and authentication into your web app and don't want to reinvent the wheel yourself. Wicket doesn't know what LDAP is, or SSO, or how to control access to resources other than Wicket components.

On Monday, September 19, 2011 1:53 AM, Zilvinas Vilutis <cika...@gmail.com> wrote:
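The integration the reply above describes, as an added example (not code from the thread or from the Wicket or Spring projects): Wicket's annotation-based authorization keeps deciding which pages need which roles, while the roles themselves come from Spring Security's SecurityContext. It assumes Wicket 1.4 with wicket-auth-roles and Spring Security 3.0; HomePage and LoginPage are hypothetical pages of the application.

```java
import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
import org.apache.wicket.authorization.UnauthorizedInstantiationException;
import org.apache.wicket.authorization.strategies.role.IRoleCheckingStrategy;
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy;
import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Bridge: Wicket asks "does the current user hold any of these roles?",
 * Spring Security answers from the Authentication it bound to this request.
 * (Example code; assumes Spring Security's filter chain runs in front of Wicket.)
 */
class SpringSecurityRoleStrategy implements IRoleCheckingStrategy {

    public boolean hasAnyRole(Roles roles) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // No Authentication, an unauthenticated one, or the anonymous token: no roles at all.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return false;
        }
        for (GrantedAuthority authority : auth.getAuthorities()) {
            if (roles.contains(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

public class MyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical page
    }

    @Override
    protected void init() {
        super.init();
        // Wicket reads @AuthorizeInstantiation; the strategy above supplies the role check.
        getSecuritySettings().setAuthorizationStrategy(
            new AnnotationsRoleAuthorizationStrategy(new SpringSecurityRoleStrategy()));

        // Anonymous user on a protected page: go to the login page and return to the
        // originally requested page afterwards (the redirect the first post mentions).
        // Logged-in user without the role: refuse instantiation outright.
        getSecuritySettings().setUnauthorizedComponentInstantiationListener(
            new IUnauthorizedComponentInstantiationListener() {
                public void onUnauthorizedInstantiation(Component component) {
                    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                    boolean anonymous = auth == null || auth instanceof AnonymousAuthenticationToken;
                    if (anonymous && component instanceof Page) {
                        throw new RestartResponseAtInterceptPageException(LoginPage.class); // hypothetical
                    }
                    throw new UnauthorizedInstantiationException(component.getClass());
                }
            });
    }

    /** Only principals carrying Spring Security's ROLE_ADMIN authority may instantiate this page. */
    @AuthorizeInstantiation("ROLE_ADMIN")
    public static class AdminPage extends WebPage {
    }
}
```

Who the user is (the login form, LDAP, SSO, remember-me) stays entirely on the Spring Security side; Wicket only ever sees the resulting Authentication.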
Re: Wicket not secure?
And that introduced a bug or unwanted behavior also; will try to fix that in the Wicket code this weekend... If you use encrypted URLs and then your session expires, you get nasty decoding errors in your logs because it suddenly uses another key/seed because of a new session. Somehow we now have to check for this better in that strategy and throw, on that level already, a page expired or something.

On 9/19/08, Jörn Zaefferer wrote:
Re: Wicket not secure?
Though afaik the URL encryption will be even better with 1.3.5, where the encryption key is session-based, that is, per user, instead of one default key for everything (current 1.3.4 behaviour). Once that is released, you get unique-per-user URLs which provide perfect protection against CSRF without ever getting in the way of the application developer. Haven't seen that anywhere else!

Jörn

On Thu, Sep 18, 2008 at 7:15 PM, Jonathan Locke wrote:
Re: Wicket not secure?
that is trivial to implement with 1.3.4 also

-igor

On Fri, Sep 19, 2008 at 12:51 AM, Jörn Zaefferer wrote:
Re: Wicket not secure?
Sure, but why bother when it's already implemented? Security-related stuff isn't exactly the right place to roll your own.

Jörn

On Fri, Sep 19, 2008 at 4:34 PM, Igor Vaynberg wrote:
Re: Wicket not secure?
you don't have to roll your own security, just where wicket looks for the key :)

-igor

On Fri, Sep 19, 2008 at 7:40 AM, Jörn Zaefferer wrote:
Re: Wicket not secure?
URLs are session-relative, meaning a URL you get from one session will not work in another. If you want URLs to work across sessions, as is the case with bookmarkable pages (http://server.com/view/profile/15), you must explicitly mount the page to the URL.

-igor

On Thu, Sep 18, 2008 at 9:02 AM, cj91 wrote:

My company is planning an extremely large web project and Wicket is a candidate for use. My manager pointed out some unsettling words on the Wicket FAQ, which are ambiguous unfortunately. http://wicket.apache.org/features.html

"Wicket is secure by default. URLs do not expose sensitive information and all component paths are session-relative. Explicit steps must be taken to share information between sessions. There are plans for the next version of Wicket to add URL encryption to support highly secure web sites."

Can someone please elaborate on what is meant by "Explicit steps must be taken to share information between sessions."

Thank you,
-Jonathan
Re: Wicket not secure?
Why is that sentence ambiguous?

On 9/18/08, cj91 wrote:
Re: Wicket not secure?
We were kind of reading the sentence backwards; the last poster described it very well. Secure URLs would be a 'nice-to-have', but I'm not sure very many frameworks support that.

Thanks for the replies,
-Jonathan

Johan Compagner wrote:
Re: Wicket not secure?
afaik wicket is one of very few frameworks to offer this out of the box, if not the only one. this feature is really a side-effect of how wicket works :) for complete security you probably want to have a look into CryptedUrlWebRequestCodingStrategy; it completely encrypts the urls so they look something like ?x=sdf7saf7sd9f7sd89f7sadf7sa789sd7f89sdf7sssdf and offers csrf protection.

-igor

On Thu, Sep 18, 2008 at 10:01 AM, cj91 wrote:
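The two settings the thread discusses, as an added example (not code from the thread or from the Wicket project): Igor's CryptedUrlWebRequestCodingStrategy, which encrypts every generated URL into the ?x=... form, combined with the per-session key Jörn and Igor talk about instead of one application-wide default key. It assumes Wicket 1.4.x (KeyInSessionSunJceCryptFactory is the stock session-keyed factory there); HomePage is a hypothetical page.

```java
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;

public class EncryptedUrlApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical page
    }

    @Override
    protected void init() {
        super.init();
        // Weak setting (what you get by leaving the crypt factory alone): one shared key for
        // the whole application, so an encrypted URL copied out of one user's session
        // decodes just as well when replayed from another one.
        //
        // Corrected setting: a random key generated for each HTTP session, so an encrypted
        // URL is only decodable by the session that produced it. The flip side, noted in
        // the thread, is that URLs issued before a session expired can no longer be
        // decoded afterwards, which surfaces as decode errors / page-expired responses.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
    }

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                // Wrap the normal coding strategy: outgoing URLs are encrypted with the
                // session's key, incoming ?x=... parameters are decrypted before routing.
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }
}
```

Pages you mount explicitly (the cross-session, bookmarkable URLs Igor describes) are deliberately shareable, so this only hardens the session-relative component URLs.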
Re: Wicket not secure?
to be totally explicit, the third sentence should probably say "explicit steps must be taken *by the programmer*" ;-) the last sentence is outdated as wicket provides URL encryption if you want it

Johan Compagner wrote: