Re: [Wicket-user] Authentication and page expired
On 4/25/07, Xavier Hanin [EMAIL PROTECTED] wrote: On 4/25/07, Igor Vaynberg [EMAIL PROTECTED] wrote: what do you mean by once authenticated what does your loginpage code look like, eg how do you navigate back? My login page is really very simple, it doesn't do much except include a SigninPanel. So as far as I understand from the SigninPanel code, the navigation back is handled by Component#continueToOriginalDestination(). But maybe I'd need to implement something special in my LoginPage, and not rely on the SigninPanel only? After some modifications in the code, the problem disappears if I use a BookmarkablePageLink instead of a PageLink. But I'd still would like to know if there is a way to avoid this problem with a simple PageLink being intercepted by an authentication... and for the moment I still don't know. Xavier - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication and page expired
hrm. it does seem rather strange. we have a similar authenetication stuff going on in a few projects and it works. but i wonder is the page being intercepted a stateless page? is the login page a stateless page? -igor On 4/26/07, Xavier Hanin [EMAIL PROTECTED] wrote: On 4/25/07, Xavier Hanin [EMAIL PROTECTED] wrote: On 4/25/07, Igor Vaynberg [EMAIL PROTECTED] wrote: what do you mean by once authenticated what does your loginpage code look like, eg how do you navigate back? My login page is really very simple, it doesn't do much except include a SigninPanel. So as far as I understand from the SigninPanel code, the navigation back is handled by Component#continueToOriginalDestination(). But maybe I'd need to implement something special in my LoginPage, and not rely on the SigninPanel only? After some modifications in the code, the problem disappears if I use a BookmarkablePageLink instead of a PageLink. But I'd still would like to know if there is a way to avoid this problem with a simple PageLink being intercepted by an authentication... and for the moment I still don't know. Xavier - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication and page expired
On 4/26/07, Igor Vaynberg [EMAIL PROTECTED] wrote: hrm. it does seem rather strange. we have a similar authenetication stuff going on in a few projects and it works. but i wonder is the page being intercepted a stateless page? is the login page a stateless page? I don't think so, because I haven't done anything special, but I don't know wicket well enough to say. But if you say it should be working, I will double check on my own, check again the examples, and see if I can figure out what's going on, and come back with more details if I'm really lost. Thanks for your help. Xavier -igor On 4/26/07, Xavier Hanin [EMAIL PROTECTED] wrote: On 4/25/07, Xavier Hanin [EMAIL PROTECTED] wrote: On 4/25/07, Igor Vaynberg [EMAIL PROTECTED] wrote: what do you mean by once authenticated what does your loginpage code look like, eg how do you navigate back? My login page is really very simple, it doesn't do much except include a SigninPanel. So as far as I understand from the SigninPanel code, the navigation back is handled by Component#continueToOriginalDestination(). But maybe I'd need to implement something special in my LoginPage, and not rely on the SigninPanel only? After some modifications in the code, the problem disappears if I use a BookmarkablePageLink instead of a PageLink. But I'd still would like to know if there is a way to avoid this problem with a simple PageLink being intercepted by an authentication... and for the moment I still don't know. Xavier - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user -- Learn Ivy at ApacheCon: http://www.eu.apachecon.com/ Manage your dependencies with Ivy! http://incubator.apache.org/ivy/ - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication and page expired
I'm sorry, I've just noticed that I have an exception[1] before getting the Page Expired message. The exception occurs during deserialization of the page from which I come, and is related to a field injected with via Spring using the wicket-spring-annot. Then this exception is catched and simply output with a e.printStackTrace() (nothing in the log, see org.apache.wicket.util.lang.Objects.byteArrayToObject) which then results in a NPE in FilePageStore logged at debug level, which results in a null page in AbstractRequestCycleProcessor.resolveRenderedPage, which throws the PageExpiredException. So I have two questions: - is it normal that a deserialization exception is not more verbose (a printstacktrace + a not directly related debug message only)? - how can I deal with my spring injected field? Do I have to write specific serialization/deserialization code, to reinject the field at deserialization time? Isn't this case of serializing a component with spring injected fields pretty common? Ok, it's more than two questions :-) Xavier [1] org.apache.wicket.util.io.WicketSerializeableException: Error reading field: projects for object class: class org.xoocode.xooctory.web.projects.ProjectsPage NOTE: if you feel Wicket is at fault with this exception, please report to the mailing list. You can switch to JDK based serialization by calling: org.apache.wicket.util.lang.Objects.setObjectStreamFactory(new IObjectStreamFactory.DefaultObjectStreamFactory()) e.g. in the init method of your application at org.apache.wicket.util.io.ClassStreamHandler.readFields(ClassStreamHandler.java:426) at org.apache.wicket.util.io.WicketObjectInputStream.readObjectOverride(WicketObjectInputStream.java:97) at java.io.ObjectInputStream.readObject(ObjectInputStream.java:345) at org.apache.wicket.util.lang.Objects.byteArrayToObject(Objects.java:397) at org.apache.wicket.protocol.http.FilePageStore.getPage(FilePageStore.java:476) at org.apache.wicket.protocol.http.SecondLevelCacheSessionStore$SecondLevelCachePageMap.get(SecondLevelCacheSessionStore.java:137) at org.apache.wicket.Session.getPage(Session.java:741) at org.apache.wicket.request.AbstractRequestCycleProcessor.resolveRenderedPage(AbstractRequestCycleProcessor.java:427) at org.apache.wicket.protocol.http.WebRequestCycleProcessor.resolve(WebRequestCycleProcessor.java:137) at org.apache.wicket.RequestCycle.step(RequestCycle.java:1026) at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1127) at org.apache.wicket.RequestCycle.request(RequestCycle.java:489) at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:248) at org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java:126) at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) at javax.servlet.http.HttpServlet.service(HttpServlet.java:688) at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491) at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:367) at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:185) at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181) at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:689) at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391) at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139) at org.mortbay.jetty.Server.handle(Server.java:285) at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:457) at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:751) at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:500) at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209) at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:357) at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:329) at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475) Caused by: java.lang.NullPointerException at org.apache.wicket.util.io.ClassStreamHandler.createObject(ClassStreamHandler.java:303) at org.apache.wicket.util.io.WicketObjectInputStream.readObjectOverride(WicketObjectInputStream.java:92) at java.io.ObjectInputStream.readObject(ObjectInputStream.java:345) at org.apache.wicket.util.io.ClassStreamHandler$ObjectFieldAndIndex.readField(ClassStreamHandler.java:871) at org.apache.wicket.util.io.ClassStreamHandler.readFields(ClassStreamHandler.java:416) ... 30 more On 4/26/07, Xavier Hanin [EMAIL PROTECTED] wrote: On 4/26/07, Igor Vaynberg [EMAIL PROTECTED] wrote: hrm. it does seem rather strange. we have a similar authenetication stuff going on in a few projects and it works. but i
Re: [Wicket-user] Authentication and page expired
ah well that explains it :) 1.3 is using our experimental serialization code to save the state which results in a much smaller size then the default serialization. currently it doesnt handle all cases, such as serializing proxies. that is why there are instructions in that error message that tell you how to switch to default serialization. once you do that everything should work. -igor On 4/26/07, Xavier Hanin [EMAIL PROTECTED] wrote: I'm sorry, I've just noticed that I have an exception[1] before getting the Page Expired message. The exception occurs during deserialization of the page from which I come, and is related to a field injected with via Spring using the wicket-spring-annot. Then this exception is catched and simply output with a e.printStackTrace() (nothing in the log, see org.apache.wicket.util.lang.Objects.byteArrayToObject) which then results in a NPE in FilePageStore logged at debug level, which results in a null page in AbstractRequestCycleProcessor.resolveRenderedPage, which throws the PageExpiredException. So I have two questions: - is it normal that a deserialization exception is not more verbose (a printstacktrace + a not directly related debug message only)? - how can I deal with my spring injected field? Do I have to write specific serialization/deserialization code, to reinject the field at deserialization time? Isn't this case of serializing a component with spring injected fields pretty common? Ok, it's more than two questions :-) Xavier [1] org.apache.wicket.util.io.WicketSerializeableException: Error reading field: projects for object class: class org.xoocode.xooctory.web.projects.ProjectsPage NOTE: if you feel Wicket is at fault with this exception, please report to the mailing list. You can switch to JDK based serialization by calling: org.apache.wicket.util.lang.Objects.setObjectStreamFactory(new IObjectStreamFactory.DefaultObjectStreamFactory()) e.g. in the init method of your application at org.apache.wicket.util.io.ClassStreamHandler.readFields( ClassStreamHandler.java:426) at org.apache.wicket.util.io.WicketObjectInputStream.readObjectOverride( WicketObjectInputStream.java:97) at java.io.ObjectInputStream.readObject(ObjectInputStream.java :345) at org.apache.wicket.util.lang.Objects.byteArrayToObject( Objects.java:397) at org.apache.wicket.protocol.http.FilePageStore.getPage( FilePageStore.java:476) at org.apache.wicket.protocol.http.SecondLevelCacheSessionStore$SecondLevelCachePageMap.get (SecondLevelCacheSessionStore.java:137) at org.apache.wicket.Session.getPage(Session.java:741) at org.apache.wicket.request.AbstractRequestCycleProcessor.resolveRenderedPage (AbstractRequestCycleProcessor.java:427) at org.apache.wicket.protocol.http.WebRequestCycleProcessor.resolve( WebRequestCycleProcessor.java:137) at org.apache.wicket.RequestCycle.step(RequestCycle.java:1026) at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1127) at org.apache.wicket.RequestCycle.request(RequestCycle.java:489) at org.apache.wicket.protocol.http.WicketFilter.doGet( WicketFilter.java:248) at org.apache.wicket.protocol.http.WicketServlet.doGet( WicketServlet.java:126) at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) at javax.servlet.http.HttpServlet.service(HttpServlet.java:688) at org.mortbay.jetty.servlet.ServletHolder.handle( ServletHolder.java:491) at org.mortbay.jetty.servlet.ServletHandler.handle( ServletHandler.java:367) at org.mortbay.jetty.security.SecurityHandler.handle( SecurityHandler.java:185) at org.mortbay.jetty.servlet.SessionHandler.handle( SessionHandler.java:181) at org.mortbay.jetty.handler.ContextHandler.handle( ContextHandler.java:689) at org.mortbay.jetty.webapp.WebAppContext.handle( WebAppContext.java:391) at org.mortbay.jetty.handler.HandlerWrapper.handle( HandlerWrapper.java:139) at org.mortbay.jetty.Server.handle(Server.java:285) at org.mortbay.jetty.HttpConnection.handleRequest( HttpConnection.java:457) at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete( HttpConnection.java:751) at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:500) at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java :209) at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java :357) at org.mortbay.io.nio.SelectChannelEndPoint.run( SelectChannelEndPoint.java:329) at org.mortbay.thread.BoundedThreadPool$PoolThread.run( BoundedThreadPool.java:475) Caused by: java.lang.NullPointerException at org.apache.wicket.util.io.ClassStreamHandler.createObject( ClassStreamHandler.java:303) at org.apache.wicket.util.io.WicketObjectInputStream.readObjectOverride( WicketObjectInputStream.java:92) at java.io.ObjectInputStream.readObject(ObjectInputStream.java :345) at
Re: [Wicket-user] Authentication and page expired
On 4/26/07, Igor Vaynberg [EMAIL PROTECTED] wrote: ah well that explains it :) 1.3 is using our experimental serialization code to save the state which results in a much smaller size then the default serialization. currently it doesnt handle all cases, such as serializing proxies. that is why there are instructions in that error message that tell you how to switch to default serialization. once you do that everything should work. Indeed, everything works now :-) I guess it's only because you are in development on this feature, but I think that this kind of problem is important enough to deserve either an exception going higher on the method call stack (maybe wrapping the IOException in a RuntimeException) or at least use the logging mechanism at warn or error level, instead of calling a simple printStackTrace, because it's not straightforward to figure out the cause of this Page Expired message. Anyway, thanks a lot for your help and your time. Xavier -igor On 4/26/07, Xavier Hanin [EMAIL PROTECTED] wrote: I'm sorry, I've just noticed that I have an exception[1] before getting the Page Expired message. The exception occurs during deserialization of the page from which I come, and is related to a field injected with via Spring using the wicket-spring-annot. Then this exception is catched and simply output with a e.printStackTrace() (nothing in the log, see org.apache.wicket.util.lang.Objects.byteArrayToObject) which then results in a NPE in FilePageStore logged at debug level, which results in a null page in AbstractRequestCycleProcessor.resolveRenderedPage, which throws the PageExpiredException. So I have two questions: - is it normal that a deserialization exception is not more verbose (a printstacktrace + a not directly related debug message only)? - how can I deal with my spring injected field? Do I have to write specific serialization/deserialization code, to reinject the field at deserialization time? Isn't this case of serializing a component with spring injected fields pretty common? Ok, it's more than two questions :-) Xavier [1] org.apache.wicket.util.io.WicketSerializeableException: Error reading field: projects for object class: class org.xoocode.xooctory.web.projects.ProjectsPage NOTE: if you feel Wicket is at fault with this exception, please report to the mailing list. You can switch to JDK based serialization by calling: org.apache.wicket.util.lang.Objects.setObjectStreamFactory (new IObjectStreamFactory.DefaultObjectStreamFactory()) e.g. in the init method of your application at org.apache.wicket.util.io.ClassStreamHandler.readFields(ClassStreamHandler.java:426) at org.apache.wicket.util.io.WicketObjectInputStream.readObjectOverride (WicketObjectInputStream.java:97) at java.io.ObjectInputStream.readObject(ObjectInputStream.java:345) at org.apache.wicket.util.lang.Objects.byteArrayToObject(Objects.java:397) at org.apache.wicket.protocol.http.FilePageStore.getPage (FilePageStore.java:476) at org.apache.wicket.protocol.http.SecondLevelCacheSessionStore$SecondLevelCachePageMap.get(SecondLevelCacheSessionStore.java:137) at org.apache.wicket.Session.getPage(Session.java :741) at org.apache.wicket.request.AbstractRequestCycleProcessor.resolveRenderedPage(AbstractRequestCycleProcessor.java:427) at org.apache.wicket.protocol.http.WebRequestCycleProcessor.resolve(WebRequestCycleProcessor.java :137) at org.apache.wicket.RequestCycle.step(RequestCycle.java:1026) at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1127) at org.apache.wicket.RequestCycle.request(RequestCycle.java :489) at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:248) at org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java:126) at javax.servlet.http.HttpServlet.service (HttpServlet.java:595) at javax.servlet.http.HttpServlet.service(HttpServlet.java:688) at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491) at org.mortbay.jetty.servlet.ServletHandler.handle (ServletHandler.java:367) at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:185) at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181) at org.mortbay.jetty.handler.ContextHandler.handle (ContextHandler.java:689) at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391) at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139) at org.mortbay.jetty.Server.handle (Server.java:285) at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:457) at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:751) at
Re: [Wicket-user] Authentication and page expired
well, at first i didnt want to believe we had a printstacktrace() somewhere. but yeah i found it. i changed it to throw an rte, hopefully there was a very good reason for swallowing it like that and someone will revert my change with an explanation. -igor On 4/26/07, Xavier Hanin [EMAIL PROTECTED] wrote: On 4/26/07, Igor Vaynberg [EMAIL PROTECTED] wrote: ah well that explains it :) 1.3 is using our experimental serialization code to save the state which results in a much smaller size then the default serialization. currently it doesnt handle all cases, such as serializing proxies. that is why there are instructions in that error message that tell you how to switch to default serialization. once you do that everything should work. Indeed, everything works now :-) I guess it's only because you are in development on this feature, but I think that this kind of problem is important enough to deserve either an exception going higher on the method call stack (maybe wrapping the IOException in a RuntimeException) or at least use the logging mechanism at warn or error level, instead of calling a simple printStackTrace, because it's not straightforward to figure out the cause of this Page Expired message. Anyway, thanks a lot for your help and your time. Xavier -igor On 4/26/07, Xavier Hanin [EMAIL PROTECTED] wrote: I'm sorry, I've just noticed that I have an exception[1] before getting the Page Expired message. The exception occurs during deserialization of the page from which I come, and is related to a field injected with via Spring using the wicket-spring-annot. Then this exception is catched and simply output with a e.printStackTrace() (nothing in the log, see org.apache.wicket.util.lang.Objects.byteArrayToObject) which then results in a NPE in FilePageStore logged at debug level, which results in a null page in AbstractRequestCycleProcessor.resolveRenderedPage, which throws the PageExpiredException. So I have two questions: - is it normal that a deserialization exception is not more verbose (a printstacktrace + a not directly related debug message only)? - how can I deal with my spring injected field? Do I have to write specific serialization/deserialization code, to reinject the field at deserialization time? Isn't this case of serializing a component with spring injected fields pretty common? Ok, it's more than two questions :-) Xavier [1] org.apache.wicket.util.io.WicketSerializeableException: Error reading field: projects for object class: class org.xoocode.xooctory.web.projects.ProjectsPage NOTE: if you feel Wicket is at fault with this exception, please report to the mailing list. You can switch to JDK based serialization by calling: org.apache.wicket.util.lang.Objects.setObjectStreamFactory (new IObjectStreamFactory.DefaultObjectStreamFactory()) e.g. in the init method of your application at org.apache.wicket.util.io.ClassStreamHandler.readFields( ClassStreamHandler.java:426) at org.apache.wicket.util.io.WicketObjectInputStream.readObjectOverride (WicketObjectInputStream.java:97) at java.io.ObjectInputStream.readObject(ObjectInputStream.java:345) at org.apache.wicket.util.lang.Objects.byteArrayToObject(Objects.java:397) at org.apache.wicket.protocol.http.FilePageStore.getPage (FilePageStore.java:476) at org.apache.wicket.protocol.http.SecondLevelCacheSessionStore$SecondLevelCachePageMap.get (SecondLevelCacheSessionStore.java:137) at org.apache.wicket.Session.getPage(Session.java :741) at org.apache.wicket.request.AbstractRequestCycleProcessor.resolveRenderedPage (AbstractRequestCycleProcessor.java:427) at org.apache.wicket.protocol.http.WebRequestCycleProcessor.resolve( WebRequestCycleProcessor.java :137) at org.apache.wicket.RequestCycle.step(RequestCycle.java:1026) at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1127) at org.apache.wicket.RequestCycle.request(RequestCycle.java :489) at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java :248) at org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java :126) at javax.servlet.http.HttpServlet.service (HttpServlet.java:595) at javax.servlet.http.HttpServlet.service(HttpServlet.java:688) at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:491) at org.mortbay.jetty.servlet.ServletHandler.handle (ServletHandler.java:367) at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java :185) at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181) at org.mortbay.jetty.handler.ContextHandler.handle (ContextHandler.java:689) at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:391) at
[Wicket-user] Authentication and page expired
Hi, I'm trying to implement authentication using wicket and I get some trouble... My problem is that when I try to access a page requiring authentication, I get redirected to a login page. Fine. But then, once authenticated, I get a Page expired message, and I don't find how to get rid of it instead of going to the page requiring authentication. Here is some detail on what I've done: - I use the not yet released wicket 1.3.0-incubating-beta1 [1] - I use wicket-auth-roles, with an AuthenticatedWebApplication, AuthenticatedWebSession, and RoleAuthorizationStrategy - my link to the role protected page is created like this: new PageLink(project, new IPageLink() { public Class getPageIdentity() { return ProjectPage.class; } public Page getPage() { return new ProjectPage(project); } } - my page is protected with an annotation: @AuthorizeInstantiation(Roles.USER) public class ProjectCreationPage extends WebPage { - my signin page is a very simple page using a panel including the SignInPanel from wicket-auth-roles Any idea? Xavier [1] http://people.apache.org/~dashorst/releases/apache-wicket-1.3.0-incubating-beta1/m2-repo/ -- Learn Ivy at ApacheCon: http://www.eu.apachecon.com/ Manage your dependencies with Ivy! http://incubator.apache.org/ivy/ - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication and page expired
what do you mean by once authenticated what does your loginpage code look like, eg how do you navigate back? -igor On 4/25/07, Xavier Hanin [EMAIL PROTECTED] wrote: Hi, I'm trying to implement authentication using wicket and I get some trouble... My problem is that when I try to access a page requiring authentication, I get redirected to a login page. Fine. But then, once authenticated, I get a Page expired message, and I don't find how to get rid of it instead of going to the page requiring authentication. Here is some detail on what I've done: - I use the not yet released wicket 1.3.0-incubating-beta1 [1] - I use wicket-auth-roles, with an AuthenticatedWebApplication, AuthenticatedWebSession, and RoleAuthorizationStrategy - my link to the role protected page is created like this: new PageLink(project, new IPageLink() { public Class getPageIdentity() { return ProjectPage.class; } public Page getPage() { return new ProjectPage(project); } } - my page is protected with an annotation: @AuthorizeInstantiation(Roles.USER) public class ProjectCreationPage extends WebPage { - my signin page is a very simple page using a panel including the SignInPanel from wicket-auth-roles Any idea? Xavier [1] http://people.apache.org/~dashorst/releases/apache-wicket-1.3.0-incubating-beta1/m2-repo/ -- Learn Ivy at ApacheCon: http://www.eu.apachecon.com/ Manage your dependencies with Ivy! http://incubator.apache.org/ivy/ - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication and page expired
On 4/25/07, Igor Vaynberg [EMAIL PROTECTED] wrote: what do you mean by once authenticated what does your loginpage code look like, eg how do you navigate back? My login page is really very simple, it doesn't do much except include a SigninPanel. So as far as I understand from the SigninPanel code, the navigation back is handled by Component#continueToOriginalDestination(). But maybe I'd need to implement something special in my LoginPage, and not rely on the SigninPanel only? Xavier -igor On 4/25/07, Xavier Hanin [EMAIL PROTECTED] wrote: Hi, I'm trying to implement authentication using wicket and I get some trouble... My problem is that when I try to access a page requiring authentication, I get redirected to a login page. Fine. But then, once authenticated, I get a Page expired message, and I don't find how to get rid of it instead of going to the page requiring authentication. Here is some detail on what I've done: - I use the not yet released wicket 1.3.0-incubating-beta1 [1] - I use wicket-auth-roles, with an AuthenticatedWebApplication, AuthenticatedWebSession, and RoleAuthorizationStrategy - my link to the role protected page is created like this: new PageLink(project, new IPageLink() { public Class getPageIdentity() { return ProjectPage.class; } public Page getPage() { return new ProjectPage(project); } } - my page is protected with an annotation: @AuthorizeInstantiation(Roles.USER) public class ProjectCreationPage extends WebPage { - my signin page is a very simple page using a panel including the SignInPanel from wicket-auth-roles Any idea? Xavier [1] http://people.apache.org/~dashorst/releases/apache-wicket-1.3.0-incubating-beta1/m2-repo/ -- Learn Ivy at ApacheCon: http://www.eu.apachecon.com/ Manage your dependencies with Ivy! http://incubator.apache.org/ivy/ - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user -- Learn Ivy at ApacheCon: http://www.eu.apachecon.com/ Manage your dependencies with Ivy! http://incubator.apache.org/ivy/ - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
[Wicket-user] authentication depending on parameters
When using the AuthenticatedWebApplication and AuthenticatedWebSession, how do you implement authentication for MyPage, where MyPage/page/1 is allowed for UserX, but not MyPage/page/2. The page is right now protected, so only users with role USER is allowed, but how/where should I implement the database lookup to verify that page=x is allowed for the current user, and display either the homepage or SignIn page if not authorized ? Regards, Flemming This message was sent using IMP, the Internet Messaging Program. - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
Hello Rik, Questions; Do you use a normal login form according to Acegi or do you use a Wicket login form? We use a signin page that is derived from the example in wicket-auth-roles-example. So it's a Wicket login form. Where do you put your authorization settings? The complete authorization picture in my current application is as follows: - We use our wicket-auth-roles port to java 1.4 (took about 15 minutes to make) with just one change so that we can do authorization based on the base class of a component (see https://issues.apache.org/jira/browse/WICKET-21). - MyApplication#init() contains the following code: getSecuritySettings().setAuthorizationStrategy(new MetaDataRoleAuthorizationStrategy(this)); MetaDataRoleAuthorizationStrategy.authorize(SecurePage.class, role_viewer role_administrator); MetaDataRoleAuthorizationStrategy.authorize(AdminPage.class, role_administrator); MetaDataRoleAuthorizationStrategy.authorize(SecurePopupPage.class, role_viewer role_administrator); All pages that need a login extend either SecurePage or SecurePopupPage. - The base class for all pages constructs a menu with links to all pages in the application. If the linked page requires authorization, during construction of the menu MetaDataRoleAuthorizationStrategy.authorize(link, Component.RENDER, roles) is called, where link is a Link instance and roles is derived from the metadata of the linked class. (Though I did not yet write the automatic role derivation, it should be easy to do so.) If desired we could have easily read that information from an ACL file. What do you have in mind as content for the ACL file. I understand from the Acegi reference guide that you can set authorization on domain objects. But what for example if the case is that a delete button may only be visible for administrators? As I said, we don't use ACL files, but it could be as simple as: com.example.app.SecurePage role_viewer role_administrator com.example.app.AdminPage role_administrator How do this for buttons depend on the structure of your application. You'll have to devise a way to identify the button (or better, the function it will perform), and call a MetaDataRoleAuthorizationStrategy.authorize... before the button component is used. Erik. -- Erik van Oosten http://day-to-day-stuff.blogspot.com/ - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
Hi Erik, Thanks for your reply. First I will arrange authentication with Acegi in mine application and then I will take a good look to the MetaDataRoleAuthorizationStrategy. Regards, Rik On 12-nov-2006, at 13:47, Erik van Oosten wrote: Hello Rik, Questions; Do you use a normal login form according to Acegi or do you use a Wicket login form? We use a signin page that is derived from the example in wicket-auth-roles-example. So it's a Wicket login form. Where do you put your authorization settings? The complete authorization picture in my current application is as follows: - We use our wicket-auth-roles port to java 1.4 (took about 15 minutes to make) with just one change so that we can do authorization based on the base class of a component (see https://issues.apache.org/jira/browse/WICKET-21). - MyApplication#init() contains the following code: getSecuritySettings().setAuthorizationStrategy(new MetaDataRoleAuthorizationStrategy(this)); MetaDataRoleAuthorizationStrategy.authorize(SecurePage.class, role_viewer role_administrator); MetaDataRoleAuthorizationStrategy.authorize(AdminPage.class, role_administrator); MetaDataRoleAuthorizationStrategy.authorize(SecurePopupPage.class, role_viewer role_administrator); All pages that need a login extend either SecurePage or SecurePopupPage. - The base class for all pages constructs a menu with links to all pages in the application. If the linked page requires authorization, during construction of the menu MetaDataRoleAuthorizationStrategy.authorize(link, Component.RENDER, roles) is called, where link is a Link instance and roles is derived from the metadata of the linked class. (Though I did not yet write the automatic role derivation, it should be easy to do so.) If desired we could have easily read that information from an ACL file. What do you have in mind as content for the ACL file. I understand from the Acegi reference guide that you can set authorization on domain objects. But what for example if the case is that a delete button may only be visible for administrators? As I said, we don't use ACL files, but it could be as simple as: com.example.app.SecurePage role_viewer role_administrator com.example.app.AdminPage role_administrator How do this for buttons depend on the structure of your application. You'll have to devise a way to identify the button (or better, the function it will perform), and call a MetaDataRoleAuthorizationStrategy.authorize... before the button component is used. Erik. -- Erik van Oosten http://day-to-day-stuff.blogspot.com/ -- --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
Eelco Hillenius wrote: But as you got from the answers on this thread, URL based authorization schemes in not something we recommend for Wicket. It'll basically bring you back to page-level development again, whereas the whole point of Wicket is to provide a component based paradigm. Thank you all for help. The most helpful was the idea to put behind security constrains the login page only and use wicket authorization, that's what I did. Will it be ok if I try to write something to wiki? -- View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7283196 Sent from the Wicket - User mailing list archive at Nabble.com. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
Yeah. There are just multiple problems with URL based authorization. It works fine for document-oriented sites, but how long ago was it when we were building those :) Take for example the use case that you want to hide a panel - but show the rest of the page - when a user is not authorized for that panel. This is very easy to do with Wicket, either by building it in in the component, or by using an authorization strategy. An URL based approach doesn't help you here. And URL approach basically forces you to bring everything back to the URL level, including your refactoring options etc. But... like said before, it can be done if you really want it, by using page mounting or even a custom IRequestCodingStrategy and some smart thinking. Just don't expect it to be pretty :) Eelco On 11/10/06, Rik van der Kleij [EMAIL PROTECTED] wrote: Hi, That is also the reason why Acegi and Wicket don't integrate well. Till now I have not found a good way to secure Wicket components by Acegi. Acegi is based on URL requests, method intercepting and securing domain objects by ACL's. According to me you want to set authorization on component level. Annotations is a way but I prefer security by configuration. Maybe the only good solution is to build a Wicket specific solution. Regards, Rik On 9-nov-2006, at 18:53, Eelco Hillenius wrote: And if you use 2.0, you can set getSecuritySettings().setEnforceMounts(true), so that these mounted pages are only reachable using these paths. But as you got from the answers on this thread, URL based authorization schemes in not something we recommend for Wicket. It'll basically bring you back to page-level development again, whereas the whole point of Wicket is to provide a component based paradigm. Eelco On 11/9/06, Igor Vaynberg [EMAIL PROTECTED] wrote: you can use package mounting to mount all pages in your admin package to a path, depends on how your classes are stored -igor On 11/9/06, Dmitry Kandalov [EMAIL PROTECTED] wrote: Erik van Oosten wrote: Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). In this project some components (pages) are marked. The mark indicates which roles are required for the component. As long as the user does not hit those components the application runs fine. As soon as the user does hit such a component, the sign-in page is displayed. Erik. Thanks for advice, example is good. But I have to use tomcat authentication (not authorization). To make it work I have to declare security-constraint. -- View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket- tf2588672.html#a7254648 Sent from the Wicket - User mailing list archive at Nabble.com. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user -- --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
Re: [Wicket-user] Authentication Tomcat - Wicket
Hi Rik, We use Acegi because of its excellent backend features. We do not use Acegi to do authorization in the frontend, we just give a username/pasword and ask it for the roles. Acegi gets it out of LDAP for us, wicket-auth-roles does the authorization. The Acegi filter sets the authenticated user on a tread-local, but that is the only involvement of Acegi in the front-end. However, having the thread-local Acegi can be still for used for securing the spring configured services. The authorization settings are set by our application and stored in the Wicket metadata facility (again using wicket-auth-roles). If desired we could have easily read that information from an ACL file. Would this be an acceptable solution? Erik. Rik van der Kleij schreef: Hi, That is also the reason why Acegi and Wicket don't integrate well. Till now I have not found a good way to secure Wicket components by Acegi. Acegi is based on URL requests, method intercepting and securing domain objects by ACL's. According to me you want to set authorization on component level. Annotations is a way but I prefer security by configuration. Maybe the only good solution is to build a Wicket specific solution. Regards, Rik -- Erik van Oosten http://day-to-day-stuff.blogspot.com/ - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
Hi Erik, Yes. So you mean in short: use Acegi for authentication and use wicket-auth-roles for authorization. That is a good compromise because you get some of the features of Acegi out-of-the-box, like a LDAP-server authentication as you mention. Questions; Do you use a normal login form according to Acegi or do you use a Wicket login form? Where do you put your authorization settings? If desired we could have easily read that information from an ACL file. What do you have in mind as content for the ACL file. I understand from the Acegi reference guide that you can set authorization on domain objects. But what for example if the case is that a delete button may only be visible for administrators? Regards, Rik On 10-nov-2006, at 22:17, Erik van Oosten wrote: Hi Rik, We use Acegi because of its excellent backend features. We do not use Acegi to do authorization in the frontend, we just give a username/pasword and ask it for the roles. Acegi gets it out of LDAP for us, wicket-auth-roles does the authorization. The Acegi filter sets the authenticated user on a tread-local, but that is the only involvement of Acegi in the front-end. However, having the thread-local Acegi can be still for used for securing the spring configured services. The authorization settings are set by our application and stored in the Wicket metadata facility (again using wicket-auth-roles). If desired we could have easily read that information from an ACL file. Would this be an acceptable solution? Erik. Rik van der Kleij schreef: Hi, That is also the reason why Acegi and Wicket don't integrate well. Till now I have not found a good way to secure Wicket components by Acegi. Acegi is based on URL requests, method intercepting and securing domain objects by ACL's. According to me you want to set authorization on component level. Annotations is a way but I prefer security by configuration. Maybe the only good solution is to build a Wicket specific solution. Regards, Rik -- Erik van Oosten http://day-to-day-stuff.blogspot.com/ -- --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
Erik van Oosten wrote: Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). In this project some components (pages) are marked. The mark indicates which roles are required for the component. As long as the user does not hit those components the application runs fine. As soon as the user does hit such a component, the sign-in page is displayed. Erik. Thanks for advice, example is good. But I have to use tomcat authentication (not authorization). To make it work I have to declare security-constraint. -- View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7254648 Sent from the Wicket - User mailing list archive at Nabble.com. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
Here is a rough outline. You'll need to study wicket-auth-roles-example to see how you can integrate this. You can put the the Wicket servlet behind 2 different url patterns. In your own session implementation you can access the http session and read the authenticated user and/or roles as was set by Tomcat. When authorisation is required and no user in the session, you can forward to a secured url with a RestartResponseAtInterceptPageException. Note that in this setup only the login page needs to be behind the secured url. Erik. Dmitry Kandalov schreef: Erik van Oosten wrote: Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). In this project some components (pages) are marked. The mark indicates which roles are required for the component. As long as the user does not hit those components the application runs fine. As soon as the user does hit such a component, the sign-in page is displayed. Erik. Thanks for advice, example is good. But I have to use tomcat authentication (not authorization). To make it work I have to declare security-constraint. -- Erik van Oosten http://www.day-to-day-stuff.blogspot.com/ - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
you can use package mounting to mount all pages in your admin package to a path, depends on how your classes are stored-igorOn 11/9/06, Dmitry Kandalov [EMAIL PROTECTED] wrote:Erik van Oosten wrote: Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). In this project some components (pages) are marked. The mark indicates which roles are required for the component. As long as the user does not hit those components the application runs fine. As soon as the user does hit such a component, the sign-in page is displayed. Erik.Thanks for advice, example is good. But I have to use tomcat authentication(not authorization). To make it work I have to declaresecurity-constraint.--View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7254648Sent from the Wicket - User mailing list archive at Nabble.com.-Using Tomcat but need to do more? Need to support web services, security?Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimohttp://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___Wicket-user mailing listWicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
And if you use 2.0, you can set getSecuritySettings().setEnforceMounts(true), so that these mounted pages are only reachable using these paths. But as you got from the answers on this thread, URL based authorization schemes in not something we recommend for Wicket. It'll basically bring you back to page-level development again, whereas the whole point of Wicket is to provide a component based paradigm. Eelco On 11/9/06, Igor Vaynberg [EMAIL PROTECTED] wrote: you can use package mounting to mount all pages in your admin package to a path, depends on how your classes are stored -igor On 11/9/06, Dmitry Kandalov [EMAIL PROTECTED] wrote: Erik van Oosten wrote: Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). In this project some components (pages) are marked. The mark indicates which roles are required for the component. As long as the user does not hit those components the application runs fine. As soon as the user does hit such a component, the sign-in page is displayed. Erik. Thanks for advice, example is good. But I have to use tomcat authentication (not authorization). To make it work I have to declare security-constraint. -- View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7254648 Sent from the Wicket - User mailing list archive at Nabble.com. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
I want to define security constraints for tomcat authentication so that one part of my wicket application would be anonymously available and another not. So I guess I need different url's. What is the best way to do this? Should I make two different WebApplication's and map them to different url's or should I implement IRequestCodingStrategy? -- View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7252917 Sent from the Wicket - User mailing list archive at Nabble.com. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). In this project some components (pages) are marked. The mark indicates which roles are required for the component. As long as the user does not hit those components the application runs fine. As soon as the user does hit such a component, the sign-in page is displayed. Erik. Dmitry Kandalov schreef: I want to define security constraints for tomcat authentication so that one part of my wicket application would be anonymously available and another not. So I guess I need different url's. What is the best way to do this? Should I make two different WebApplication's and map them to different url's or should I implement IRequestCodingStrategy? -- Erik van Oosten http://www.day-to-day-stuff.blogspot.com/ - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
On 11/9/06, Erik van Oosten [EMAIL PROTECTED] wrote: Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). You can also download the auth-roles-examples project from sourceforge for Wicket 1.2(.3). Look under 'examples'. http://sourceforge.net/project/showfiles.php?group_id=119783package_id=138752 Martijn -- a href=http://www.thebeststuffintheworld.com/vote_for/wicket;Vote/a for a href=http://www.thebeststuffintheworld.com/stuff/wicket;Wicket/a at the a href=http://www.thebeststuffintheworld.com/;Best Stuff in the World!/a - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
[Wicket-user] Authentication Tomcat - Wicket
Dear, I search to implements security on my wicket Application. I plan to use Tomcat 5.X for Authentication, So I search a simple Authentication page to use it (Email,Password,Role), do you know how to implement this in Wicket. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat - Wicket
I search to implements security on my wicket Application. I plan to use Tomcat 5.X for Authentication, So I search a simple Authentication page to use it (Email,Password,Role), do you know how to implement this in Wicket. If you want to use a login page that is used by the container to authenticate, you're better off just using some default login page: form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password /form It's outlined here: http://www.onjava.com/pub/a/onjava/2002/06/12/form.html Once authenticated, you can pull the Principal by doing ((WebRequestCycle)(RequestCycle.get()).getWebRequest().getHttpServletRequest().getUserPrincipal(); How you use that is up to you. Look at wicket-auth-roles for ideas. Eelco - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
[Wicket-user] Authentication and redirectToInterceptPage
I'm currently migrating over to the new Authentication stuff in Wicket 1.2. My current code in my Application class is:getSecuritySettings().setAuthorizationStrategy( new SimplePageAuthorizationStrategy( ISecurePage.class) { @Override protected boolean isAuthorized() { return MySession.get().isUserAuthenticated(); } });So, with this code, it redirects to the AccessDenied page. How can I have it do a redirectToInterceptPage instead?--Andrew
Re: [Wicket-user] Authentication and redirectToInterceptPage
see the LibraryExample:getSecuritySettings().setUnauthorizedComponentInstantiationListener(new IUnauthorizedComponentInstantiationListener() { public void onUnauthorizedInstantiation(final Component component) {// If there is a sign in page class declared, and the unauthorized// component is a page, but it's not the sign in pageif (component instanceof Page) { // Redirect to intercept page to let the user sign in throw new RestartResponseAtInterceptPageException(SignIn.class);}else { // The component was not a page, so throw an exception throw new UnauthorizedInstantiationException(component.getClass());} } }); // Create a simple authorization strategy, that checks all pages of type // Authenticated web page. SimplePageAuthorizationStrategy authorizationStrategy = new SimplePageAuthorizationStrategy( AuthenticatedWebPage.class) { protected boolean isAuthorized() {// check whether the user is logged onreturn (((LibrarySession)Session.get()).isSignedIn()); } };i guess to make it even simpler SimplePageAuthorizationStrategy should also implement IUnauthorizedComponentInstantiationListenerand have the above default behaviour. I think this is the default behaviour most people want/expect. johanOn 3/17/06, Andrew Berman [EMAIL PROTECTED] wrote: I'm currently migrating over to the new Authentication stuff in Wicket 1.2. My current code in my Application class is:getSecuritySettings().setAuthorizationStrategy( new SimplePageAuthorizationStrategy( ISecurePage.class) { @Override protected boolean isAuthorized() { return MySession.get().isUserAuthenticated(); } });So, with this code, it redirects to the AccessDenied page. How can I have it do a redirectToInterceptPage instead?--Andrew
Re: [Wicket-user] Authentication
Thanks. We made a utility function in the our session. Works great. On 3/14/06, Eelco Hillenius [EMAIL PROTECTED] wrote: There is no build in function for that. If you want to shorten that, just provide your own request cycle that passes this function through, or make it a utility function somewhere. Eelco On 3/14/06, Mats Norén [EMAIL PROTECTED] wrote: Mmm...ok, I'll rephrase. Is there a way within wicket to obtain the logged in user if the user is authenticated by the container with basic authentication and writing the user to a wicket session? Without having to do this: ((WebRequest)getRequest()).getHttpServletRequest().getUserPrincipal() --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmdlnkkid0944bid$1720dat1642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmdlnkkid0944bid$1720dat1642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
[Wicket-user] Authentication
I'm trying to understand authentication in the new version of Wicket, but am not having a great deal of success so far. My dilemna is a simple one - I have a lot of static pages that I would like to allow people who are logged in access to. I do not want to create programmatic links for every page in this area of my site, nor do I want these pages bookmarkable. I've been looking into the different RealmBase derived authentication classes, but would rather use something within Wicket if similar functionality can be derived. Is there a way to, on a global basis, enact this type of security? Let me know and best regards, Steve -- --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication
are these static pages just in the webroot?if so then you can just have links to them in youre dynamic/wicket pagesAnd through a Filter you test if they are also logged in (puur for those static pages) On 3/14/06, Steve Thompson [EMAIL PROTECTED] wrote: I'm trying to understand authentication in the new version of Wicket, but amnot having a great deal of success so far.My dilemna is a simple one - Ihave a lot of static pages that I would like to allow people who are logged in access to.I do not want to create programmatic links for every page inthis area of my site, nor do I want these pages bookmarkable.I've been looking into the different RealmBase derived authentication classes, but would rather use something within Wicket if similar functionality can bederived.Is there a way to, on a global basis, enact this type of security?Let me know and best regards,Steve -This SF.Net email is sponsored by xPML, a groundbreaking scripting languagethat extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642 ___Wicket-user mailing listWicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication
Can I add a stupid question? :) Is there wicket way tm on how to get the logged in user and put it in a Wicket Session-object? Mats On 3/14/06, Johan Compagner [EMAIL PROTECTED] wrote: are these static pages just in the webroot? if so then you can just have links to them in youre dynamic/wicket pages And through a Filter you test if they are also logged in (puur for those static pages) On 3/14/06, Steve Thompson [EMAIL PROTECTED] wrote: I'm trying to understand authentication in the new version of Wicket, but am not having a great deal of success so far. My dilemna is a simple one - I have a lot of static pages that I would like to allow people who are logged in access to. I do not want to create programmatic links for every page in this area of my site, nor do I want these pages bookmarkable. I've been looking into the different RealmBase derived authentication classes, but would rather use something within Wicket if similar functionality can be derived. Is there a way to, on a global basis, enact this type of security? Let me know and best regards, Steve -- --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication
there is no wicket tm way to do it because every application will probably be different. there is an example implementation in wicket-auth-roles-examples project, and a shallow implementation in wicket signin examples. -IgorOn 3/14/06, Mats Norén [EMAIL PROTECTED] wrote: Can I add a stupid question? :)Is there wicket way tm on how to get the logged in user and put itin a Wicket Session-object?MatsOn 3/14/06, Johan Compagner [EMAIL PROTECTED] wrote: are these static pages just in the webroot? if so then you can just have links to them in youre dynamic/wicket pages And through a Filter you test if they are also logged in (puur for those static pages)On 3/14/06, Steve Thompson [EMAIL PROTECTED] wrote: I'm trying to understand authentication in the new version of Wicket, but am not having a great deal of success so far.My dilemna is a simple one - I have a lot of static pages that I would like to allow people who are logged in access to.I do not want to create programmatic links for every page in this area of my site, nor do I want these pages bookmarkable. I've been looking into the different RealmBase derived authentication classes, but would rather use something within Wicket if similar functionality can be derived.Is there a way to, on a global basis, enact this type of security? Let me know and best regards,Steve ----- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user --- This SF.Net email is sponsored by xPML, a groundbreaking scripting languagethat extends applications into web and mobile media. Attend the live webcastand join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmdlnkkid0944bid$1720dat1642___ Wicket-user mailing listWicket-user@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication
Mmm...ok, I'll rephrase. Is there a way within wicket to obtain the logged in user if the user is authenticated by the container with basic authentication and writing the user to a wicket session? Without having to do this: ((WebRequest)getRequest()).getHttpServletRequest().getUserPrincipal() --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication
afaik basic authentication doesnt have an event handler you can register to know when the user has been authenticated.if you want you can wrap that call into your session subclassPrincipal MySessionSubclass.getLoggedinUser () { return RequestCycle.get().getRequest().-IgorOn 3/14/06, Mats Norén [EMAIL PROTECTED] wrote:Mmm...ok, I'll rephrase. Is there a way within wicket to obtain the logged in user if the user is authenticated by the container withbasic authentication and writing the user to a wicket session?Without having to do this:((WebRequest)getRequest()).getHttpServletRequest().getUserPrincipal() ---This SF.Net email is sponsored by xPML, a groundbreaking scripting languagethat extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!http://sel.as-us.falkag.net/sel?cmdlnkkid0944bid$1720dat1642 ___Wicket-user mailing listWicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication
There is no build in function for that. If you want to shorten that, just provide your own request cycle that passes this function through, or make it a utility function somewhere. Eelco On 3/14/06, Mats Norén [EMAIL PROTECTED] wrote: Mmm...ok, I'll rephrase. Is there a way within wicket to obtain the logged in user if the user is authenticated by the container with basic authentication and writing the user to a wicket session? Without having to do this: ((WebRequest)getRequest()).getHttpServletRequest().getUserPrincipal() --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmdlnkkid0944bid$1720dat1642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
[Wicket-user] Authentication
I'm trying to understand authentication in the new version of Wicket, but am not having a great deal of success so far. My dilemna is a simple one - I have a lot of static pages that I would like to allow people who are logged in access to. I do not want to create programmatic links for every page in this area of my site, nor do I want these pages bookmarkable. I've been looking into the different RealmBase derived authentication classes, but would rather use something within Wicket if similar functionality can be derived. Is there a way to, on a global basis, enact this type of security? Let me know and best regards, Steve -- --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user