Re: [Wicket-user] Authentication Tomcat <-> Wicket
Hi Erik, Thanks for your reply. First I will arrange authentication with Acegi in mine application and then I will take a good look to the MetaDataRoleAuthorizationStrategy. Regards, Rik On 12-nov-2006, at 13:47, Erik van Oosten wrote: > Hello Rik, >> Questions; >> Do you use a "normal" login form according to Acegi or do you use a >> Wicket login form? >> > We use a signin page that is derived from the example in > wicket-auth-roles-example. So it's a Wicket login form. >> Where do you put your authorization settings? >> > The complete authorization picture in my current application is as > follows: > - We use our wicket-auth-roles port to java 1.4 (took about 15 minutes > to make) with just one change so that we can do authorization based on > the base class of a component (see > https://issues.apache.org/jira/browse/WICKET-21). > > - MyApplication#init() contains the following code: >getSecuritySettings().setAuthorizationStrategy(new > MetaDataRoleAuthorizationStrategy(this)); >MetaDataRoleAuthorizationStrategy.authorize(SecurePage.class, > "role_viewer role_administrator"); >MetaDataRoleAuthorizationStrategy.authorize(AdminPage.class, > "role_administrator"); >MetaDataRoleAuthorizationStrategy.authorize(SecurePopupPage.class, > "role_viewer role_administrator"); >All pages that need a login extend either SecurePage or > SecurePopupPage. > > - The base class for all pages constructs a menu with links to all > pages > in the application. If the linked page requires authorization, during > construction of the menu > MetaDataRoleAuthorizationStrategy.authorize(link, Component.RENDER, > roles) is called, where link is a Link instance and roles is derived > from the metadata of the linked class. (Though I did not yet write the > automatic role derivation, it should be easy to do so.) > >>> If desired we >>> could have easily read that information from an ACL file. >>> >> What do you have in mind as content for the ACL file. I understand >> from the Acegi reference guide that you can set authorization on >> domain objects. But what for example if the case is that a delete >> button may only be visible for administrators? >> > As I said, we don't use ACL files, but it could be as simple as: > com.example.app.SecurePage role_viewer role_administrator > com.example.app.AdminPage role_administrator > > How do this for buttons depend on the structure of your application. > You'll have to devise a way to identify the button (or better, the > function it will perform), and call a > MetaDataRoleAuthorizationStrategy.authorize... before the button > component is used. > > Erik. > > -- > Erik van Oosten > http://day-to-day-stuff.blogspot.com/ > > > -- > --- > Using Tomcat but need to do more? Need to support web services, > security? > Get stuff done quickly with pre-integrated technology to make your > job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache > Geronimo > http://sel.as-us.falkag.net/sel? > cmd=lnk&kid=120709&bid=263057&dat=121642 > ___ > Wicket-user mailing list > Wicket-user@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Hello Rik, > Questions; > Do you use a "normal" login form according to Acegi or do you use a > Wicket login form? > We use a signin page that is derived from the example in wicket-auth-roles-example. So it's a Wicket login form. > Where do you put your authorization settings? > The complete authorization picture in my current application is as follows: - We use our wicket-auth-roles port to java 1.4 (took about 15 minutes to make) with just one change so that we can do authorization based on the base class of a component (see https://issues.apache.org/jira/browse/WICKET-21). - MyApplication#init() contains the following code: getSecuritySettings().setAuthorizationStrategy(new MetaDataRoleAuthorizationStrategy(this)); MetaDataRoleAuthorizationStrategy.authorize(SecurePage.class, "role_viewer role_administrator"); MetaDataRoleAuthorizationStrategy.authorize(AdminPage.class, "role_administrator"); MetaDataRoleAuthorizationStrategy.authorize(SecurePopupPage.class, "role_viewer role_administrator"); All pages that need a login extend either SecurePage or SecurePopupPage. - The base class for all pages constructs a menu with links to all pages in the application. If the linked page requires authorization, during construction of the menu MetaDataRoleAuthorizationStrategy.authorize(link, Component.RENDER, roles) is called, where link is a Link instance and roles is derived from the metadata of the linked class. (Though I did not yet write the automatic role derivation, it should be easy to do so.) >> If desired we >> could have easily read that information from an ACL file. >> > What do you have in mind as content for the ACL file. I understand > from the Acegi reference guide that you can set authorization on > domain objects. But what for example if the case is that a delete > button may only be visible for administrators? > As I said, we don't use ACL files, but it could be as simple as: com.example.app.SecurePage role_viewer role_administrator com.example.app.AdminPage role_administrator How do this for buttons depend on the structure of your application. You'll have to devise a way to identify the button (or better, the function it will perform), and call a MetaDataRoleAuthorizationStrategy.authorize... before the button component is used. Erik. -- Erik van Oosten http://day-to-day-stuff.blogspot.com/ - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Hi Erik, Yes. So you mean in short: use Acegi for authentication and use wicket-auth-roles for authorization. That is a good compromise because you get some of the features of Acegi out-of-the-box, like a LDAP-server authentication as you mention. Questions; Do you use a "normal" login form according to Acegi or do you use a Wicket login form? Where do you put your authorization settings? > If desired we > could have easily read that information from an ACL file. What do you have in mind as content for the ACL file. I understand from the Acegi reference guide that you can set authorization on domain objects. But what for example if the case is that a delete button may only be visible for administrators? Regards, Rik On 10-nov-2006, at 22:17, Erik van Oosten wrote: > Hi Rik, > > We use Acegi because of its excellent backend features. We do not use > Acegi to do authorization in the frontend, we just give a > username/pasword and ask it for the roles. Acegi gets it out of > LDAP for > us, wicket-auth-roles does the authorization. The Acegi filter sets > the > authenticated user on a tread-local, but that is the only > involvement of > Acegi in the front-end. However, having the thread-local Acegi can be > still for used for securing the spring configured services. > > The authorization settings are set by our application and stored in > the > Wicket metadata facility (again using wicket-auth-roles). If > desired we > could have easily read that information from an ACL file. > > Would this be an acceptable solution? > > Erik. > > > Rik van der Kleij schreef: >> Hi, >> >> That is also the reason why Acegi and Wicket don't integrate well. >> Till now I have not found a good way to secure Wicket components by >> Acegi. Acegi is based on URL requests, method intercepting and >> securing domain objects by ACL's. According to me you want to set >> authorization on component level. Annotations is a way but I prefer >> security by configuration. Maybe the only good solution is to build a >> Wicket specific solution. >> >> Regards, >> Rik >> > > -- > Erik van Oosten > http://day-to-day-stuff.blogspot.com/ > > > -- > --- > Using Tomcat but need to do more? Need to support web services, > security? > Get stuff done quickly with pre-integrated technology to make your > job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache > Geronimo > http://sel.as-us.falkag.net/sel? > cmd=lnk&kid=120709&bid=263057&dat=121642 > ___ > Wicket-user mailing list > Wicket-user@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Hi Rik, We use Acegi because of its excellent backend features. We do not use Acegi to do authorization in the frontend, we just give a username/pasword and ask it for the roles. Acegi gets it out of LDAP for us, wicket-auth-roles does the authorization. The Acegi filter sets the authenticated user on a tread-local, but that is the only involvement of Acegi in the front-end. However, having the thread-local Acegi can be still for used for securing the spring configured services. The authorization settings are set by our application and stored in the Wicket metadata facility (again using wicket-auth-roles). If desired we could have easily read that information from an ACL file. Would this be an acceptable solution? Erik. Rik van der Kleij schreef: > Hi, > > That is also the reason why Acegi and Wicket don't integrate well. > Till now I have not found a good way to secure Wicket components by > Acegi. Acegi is based on URL requests, method intercepting and > securing domain objects by ACL's. According to me you want to set > authorization on component level. Annotations is a way but I prefer > security by configuration. Maybe the only good solution is to build a > Wicket specific solution. > > Regards, > Rik > -- Erik van Oosten http://day-to-day-stuff.blogspot.com/ - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Yeah. There are just multiple problems with URL based authorization. It works fine for document-oriented sites, but how long ago was it when we were building those :) Take for example the use case that you want to hide a panel - but show the rest of the page - when a user is not authorized for that panel. This is very easy to do with Wicket, either by building it in in the component, or by using an authorization strategy. An URL based approach doesn't help you here. And URL approach basically forces you to bring everything back to the URL level, including your refactoring options etc. But... like said before, it can be done if you really want it, by using page mounting or even a custom IRequestCodingStrategy and some smart thinking. Just don't expect it to be pretty :) Eelco On 11/10/06, Rik van der Kleij <[EMAIL PROTECTED]> wrote: > Hi, > > That is also the reason why Acegi and Wicket don't integrate well. > Till now I have not found a good way to secure Wicket components by > Acegi. Acegi is based on URL requests, method intercepting and > securing domain objects by ACL's. According to me you want to set > authorization on component level. Annotations is a way but I prefer > security by configuration. Maybe the only good solution is to build a > Wicket specific solution. > > Regards, > Rik > > > On 9-nov-2006, at 18:53, Eelco Hillenius wrote: > > > And if you use 2.0, you can set > > getSecuritySettings().setEnforceMounts(true), so that these mounted > > pages are only reachable using these paths. > > > > But as you got from the answers on this thread, URL based > > authorization schemes in not something we recommend for Wicket. It'll > > basically bring you back to page-level development again, whereas the > > whole point of Wicket is to provide a component based paradigm. > > > > Eelco > > > > > > On 11/9/06, Igor Vaynberg <[EMAIL PROTECTED]> wrote: > >> you can use package mounting to mount all pages in your admin > >> package to a > >> path, depends on how your classes are stored > >> > >> -igor > >> > >> > >> > >> On 11/9/06, Dmitry Kandalov <[EMAIL PROTECTED]> wrote: > >>> > >>> > >>> Erik van Oosten wrote: > > Wicket supports per component authorisation. You could take a > look at > wicket-auth-roles-example (a small project available through svn). > In this project some components (pages) are marked. The mark > indicates > which roles are required for the component. As long as the user > does not > hit those components the application runs fine. As soon as the > user does > hit such a component, the sign-in page is displayed. > > Erik. > > >>> > >>> Thanks for advice, example is good. But I have to use tomcat > >> authentication > >>> (not authorization). To make it work I have to declare > >>> . > >>> -- > >>> View this message in context: > >> http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket- > >> tf2588672.html#a7254648 > >>> Sent from the Wicket - User mailing list archive at Nabble.com. > >>> > >>> > >>> > >> - > >> > >>> Using Tomcat but need to do more? Need to support web services, > >>> security? > >>> Get stuff done quickly with pre-integrated technology to make > >>> your job > >> easier > >>> Download IBM WebSphere Application Server v.1.0.1 based on Apache > >>> Geronimo > >>> > >> http://sel.as-us.falkag.net/sel? > >> cmd=lnk&kid=120709&bid=263057&dat=121642 > >>> ___ > >>> Wicket-user mailing list > >>> Wicket-user@lists.sourceforge.net > >>> https://lists.sourceforge.net/lists/listinfo/wicket-user > >>> > >> > >> > >> - > >> > >> Using Tomcat but need to do more? Need to support web services, > >> security? > >> Get stuff done quickly with pre-integrated technology to make your > >> job > >> easier > >> Download IBM WebSphere Application Server v.1.0.1 based on Apache > >> Geronimo > >> http://sel.as-us.falkag.net/sel? > >> cmd=lnk&kid=120709&bid=263057&dat=121642 > >> > >> ___ > >> Wicket-user mailing list > >> Wicket-user@lists.sourceforge.net > >> https://lists.sourceforge.net/lists/listinfo/wicket-user > >> > >> > >> > > > > -- > > --- > > Using Tomcat but need to do more? Need to support web services, > > security? > > Get stuff done quickly with pre-integrated technology to make your > > job easier > > Download IBM WebSphere Application Server v.1.0.1 based on Apache > > Geronimo > > http://sel.as-us.falkag.net/sel? > > cmd=lnk&kid=120709&bid=263057&dat=121642 > > ___ > > Wicket-user mailing list > > Wicket-user@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wicket-user > > > ---
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Hi, That is also the reason why Acegi and Wicket don't integrate well. Till now I have not found a good way to secure Wicket components by Acegi. Acegi is based on URL requests, method intercepting and securing domain objects by ACL's. According to me you want to set authorization on component level. Annotations is a way but I prefer security by configuration. Maybe the only good solution is to build a Wicket specific solution. Regards, Rik On 9-nov-2006, at 18:53, Eelco Hillenius wrote: > And if you use 2.0, you can set > getSecuritySettings().setEnforceMounts(true), so that these mounted > pages are only reachable using these paths. > > But as you got from the answers on this thread, URL based > authorization schemes in not something we recommend for Wicket. It'll > basically bring you back to page-level development again, whereas the > whole point of Wicket is to provide a component based paradigm. > > Eelco > > > On 11/9/06, Igor Vaynberg <[EMAIL PROTECTED]> wrote: >> you can use package mounting to mount all pages in your admin >> package to a >> path, depends on how your classes are stored >> >> -igor >> >> >> >> On 11/9/06, Dmitry Kandalov <[EMAIL PROTECTED]> wrote: >>> >>> >>> Erik van Oosten wrote: Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). In this project some components (pages) are marked. The mark indicates which roles are required for the component. As long as the user does not hit those components the application runs fine. As soon as the user does hit such a component, the sign-in page is displayed. Erik. >>> >>> Thanks for advice, example is good. But I have to use tomcat >> authentication >>> (not authorization). To make it work I have to declare >>> . >>> -- >>> View this message in context: >> http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket- >> tf2588672.html#a7254648 >>> Sent from the Wicket - User mailing list archive at Nabble.com. >>> >>> >>> >> - >> >>> Using Tomcat but need to do more? Need to support web services, >>> security? >>> Get stuff done quickly with pre-integrated technology to make >>> your job >> easier >>> Download IBM WebSphere Application Server v.1.0.1 based on Apache >>> Geronimo >>> >> http://sel.as-us.falkag.net/sel? >> cmd=lnk&kid=120709&bid=263057&dat=121642 >>> ___ >>> Wicket-user mailing list >>> Wicket-user@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/wicket-user >>> >> >> >> - >> >> Using Tomcat but need to do more? Need to support web services, >> security? >> Get stuff done quickly with pre-integrated technology to make your >> job >> easier >> Download IBM WebSphere Application Server v.1.0.1 based on Apache >> Geronimo >> http://sel.as-us.falkag.net/sel? >> cmd=lnk&kid=120709&bid=263057&dat=121642 >> >> ___ >> Wicket-user mailing list >> Wicket-user@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/wicket-user >> >> >> > > -- > --- > Using Tomcat but need to do more? Need to support web services, > security? > Get stuff done quickly with pre-integrated technology to make your > job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache > Geronimo > http://sel.as-us.falkag.net/sel? > cmd=lnk&kid=120709&bid=263057&dat=121642 > ___ > Wicket-user mailing list > Wicket-user@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
> Will it be ok if I try to write something to wiki? Sure, any contribution to the WIKI is appreciated. Thanks, Eelco - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Eelco Hillenius wrote: > > But as you got from the answers on this thread, URL based > authorization schemes in not something we recommend for Wicket. It'll > basically bring you back to page-level development again, whereas the > whole point of Wicket is to provide a component based paradigm. > Thank you all for help. The most helpful was the idea to put behind security constrains the login page only and use wicket authorization, that's what I did. Will it be ok if I try to write something to wiki? -- View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7283196 Sent from the Wicket - User mailing list archive at Nabble.com. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
And if you use 2.0, you can set getSecuritySettings().setEnforceMounts(true), so that these mounted pages are only reachable using these paths. But as you got from the answers on this thread, URL based authorization schemes in not something we recommend for Wicket. It'll basically bring you back to page-level development again, whereas the whole point of Wicket is to provide a component based paradigm. Eelco On 11/9/06, Igor Vaynberg <[EMAIL PROTECTED]> wrote: > you can use package mounting to mount all pages in your admin package to a > path, depends on how your classes are stored > > -igor > > > > On 11/9/06, Dmitry Kandalov <[EMAIL PROTECTED]> wrote: > > > > > > Erik van Oosten wrote: > > > > > > Wicket supports per component authorisation. You could take a look at > > > wicket-auth-roles-example (a small project available through svn). > > > In this project some components (pages) are marked. The mark indicates > > > which roles are required for the component. As long as the user does not > > > hit those components the application runs fine. As soon as the user does > > > hit such a component, the sign-in page is displayed. > > > > > > Erik. > > > > > > > Thanks for advice, example is good. But I have to use tomcat > authentication > > (not authorization). To make it work I have to declare > > . > > -- > > View this message in context: > http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7254648 > > Sent from the Wicket - User mailing list archive at Nabble.com. > > > > > > > - > > Using Tomcat but need to do more? Need to support web services, security? > > Get stuff done quickly with pre-integrated technology to make your job > easier > > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo > > > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > > ___ > > Wicket-user mailing list > > Wicket-user@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/wicket-user > > > > > - > Using Tomcat but need to do more? Need to support web services, security? > Get stuff done quickly with pre-integrated technology to make your job > easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > > ___ > Wicket-user mailing list > Wicket-user@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wicket-user > > > - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
you can use package mounting to mount all pages in your admin package to a path, depends on how your classes are stored-igorOn 11/9/06, Dmitry Kandalov <[EMAIL PROTECTED]> wrote:Erik van Oosten wrote: >> Wicket supports per component authorisation. You could take a look at> wicket-auth-roles-example (a small project available through svn).> In this project some components (pages) are marked. The mark indicates > which roles are required for the component. As long as the user does not> hit those components the application runs fine. As soon as the user does> hit such a component, the sign-in page is displayed. >> Erik.>Thanks for advice, example is good. But I have to use tomcat authentication(not authorization). To make it work I have to declare.--View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7254648Sent from the Wicket - User mailing list archive at Nabble.com.-Using Tomcat but need to do more? Need to support web services, security?Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimohttp://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___Wicket-user mailing listWicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Here is a rough outline. You'll need to study wicket-auth-roles-example to see how you can integrate this. You can put the the Wicket servlet behind 2 different url patterns. In your own session implementation you can access the http session and read the authenticated user and/or roles as was set by Tomcat. When authorisation is required and no user in the session, you can forward to a secured url with a RestartResponseAtInterceptPageException. Note that in this setup only the login page needs to be behind the secured url. Erik. Dmitry Kandalov schreef: > Erik van Oosten wrote: > >> Wicket supports per component authorisation. You could take a look at >> wicket-auth-roles-example (a small project available through svn). >> In this project some components (pages) are marked. The mark indicates >> which roles are required for the component. As long as the user does not >> hit those components the application runs fine. As soon as the user does >> hit such a component, the sign-in page is displayed. >> >> Erik. >> >> > > Thanks for advice, example is good. But I have to use tomcat authentication > (not authorization). To make it work I have to declare > . > -- Erik van Oosten http://www.day-to-day-stuff.blogspot.com/ - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Erik van Oosten wrote: > > Wicket supports per component authorisation. You could take a look at > wicket-auth-roles-example (a small project available through svn). > In this project some components (pages) are marked. The mark indicates > which roles are required for the component. As long as the user does not > hit those components the application runs fine. As soon as the user does > hit such a component, the sign-in page is displayed. > > Erik. > Thanks for advice, example is good. But I have to use tomcat authentication (not authorization). To make it work I have to declare . -- View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7254648 Sent from the Wicket - User mailing list archive at Nabble.com. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
On 11/9/06, Erik van Oosten <[EMAIL PROTECTED]> wrote: > Wicket supports per component authorisation. You could take a look at > wicket-auth-roles-example (a small project available through svn). You can also download the auth-roles-examples project from sourceforge for Wicket 1.2(.3). Look under 'examples'. http://sourceforge.net/project/showfiles.php?group_id=119783&package_id=138752 Martijn -- http://www.thebeststuffintheworld.com/vote_for/wicket";>Vote for http://www.thebeststuffintheworld.com/stuff/wicket";>Wicket at the http://www.thebeststuffintheworld.com/";>Best Stuff in the World! - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
Wicket supports per component authorisation. You could take a look at wicket-auth-roles-example (a small project available through svn). In this project some components (pages) are marked. The mark indicates which roles are required for the component. As long as the user does not hit those components the application runs fine. As soon as the user does hit such a component, the sign-in page is displayed. Erik. Dmitry Kandalov schreef: > I want to define security constraints for tomcat authentication so that one > part of my wicket application would be anonymously available and another > not. So I guess I need different url's. What is the best way to do this? > Should I make two different WebApplication's and map them to different url's > or should I implement IRequestCodingStrategy? > -- Erik van Oosten http://www.day-to-day-stuff.blogspot.com/ - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
I want to define security constraints for tomcat authentication so that one part of my wicket application would be anonymously available and another not. So I guess I need different url's. What is the best way to do this? Should I make two different WebApplication's and map them to different url's or should I implement IRequestCodingStrategy? -- View this message in context: http://www.nabble.com/Authentication-Tomcat-%3C-%3E-Wicket-tf2588672.html#a7252917 Sent from the Wicket - User mailing list archive at Nabble.com. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
Re: [Wicket-user] Authentication Tomcat <-> Wicket
> I search to implements security on my wicket Application. > I plan to use Tomcat 5.X for Authentication, So I search a simple > Authentication page to use it (Email,Password,Role), do you know how to > implement this in Wicket. If you want to use a login page that is used by the container to authenticate, you're better off just using some default login page: It's outlined here: http://www.onjava.com/pub/a/onjava/2002/06/12/form.html Once authenticated, you can pull the Principal by doing ((WebRequestCycle)(RequestCycle.get()).getWebRequest().getHttpServletRequest().getUserPrincipal(); How you use that is up to you. Look at wicket-auth-roles for ideas. Eelco - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user
[Wicket-user] Authentication Tomcat <-> Wicket
Dear, I search to implements security on my wicket Application. I plan to use Tomcat 5.X for Authentication, So I search a simple Authentication page to use it (Email,Password,Role), do you know how to implement this in Wicket. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Wicket-user mailing list Wicket-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wicket-user