Securing Wicket 6.x Applications with Java EE, Spring Jetty
Hello,

I am a new subscriber to the Wicket users list but have been using the Wicket framework for about 3 years. Recently I published an article documenting an approach my company uses to secure Wicket applications. It uses a combination of Java EE container security, Spring security and a few custom Wicket components (for controlling view of component by role and permission).

http://iamfortress.org/WicketSecurity

There is also a sample Wicket application using these controls on GitHub.

https://github.com/shawnmckinney/wicketsecurity

I plan on publishing another document later that goes beyond the simple Jetty security provider by introducing policy enforcement mechanisms more suitable for production.

Comments are welcome.

Regards,
Shawn
Re: Securing Wicket 6.x Applications with Java EE, Spring Jetty
On 09/09/2013 01:21 AM, Martin Grigorov wrote:

> Thank you very much for sharing your knowledge with us, Shawn! Please let us know when you publish the second document.

My pleasure Martin. I've been using this forum and it's time for me to contribute something. Hope it helps.

Shawn

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Using Fortress, Spring and Tomcat to Secure Wicket 6.x Applications
Hello,

A couple of days ago I published an article documenting an approach to secure Wicket applications running in a Jetty container using a simple property file to store credentials. This new article builds on that by adding Fortress, OpenLDAP and Tomcat to the mix.

http://iamfortress.org/WicketFortress

Included is a sample Wicket application demonstrating these techniques on GitHub.

https://github.com/shawnmckinney/wicketsecurityfortress

Comments are welcome.

Regards,
Shawn
Using ANSI RBAC Security Enforcement inside Wicket 6.x Applications
Hello again,

In the past couple of weeks I have shared with you articles documenting techniques to secure Wicket applications running in Jetty & Tomcat containers using basic security principles. Another article in this series builds on what was demonstrated before by introducing more advanced ANSI RBAC concepts like role activation and dynamic separation of duty constraints.

http://iamfortress.org/WicketRbac

A sample Wicket application showing how-to is on GitHub:

https://github.com/shawnmckinney/wicketsecurityfortress
https://github.com/shawnmckinney/fortressdemo1

Enjoy,
Shawn
Demonstrate End-to-End Security Enforcement using Open Source Software Wicket
Posting another security tutorial featuring an Apache Wicket Web sample application. This one provides end-to-end security coverage: http://iamfortress.org/FortressDemo2
Re: Demonstrate End-to-End Security Enforcement using Open Source Software Wicket
On 08/20/2014 08:01 AM, Martin Grigorov wrote:

> I am not able to find the tutorial ... :-/
> At http://iamfortress.org/FortressDemo2 there is only a diagram. At the bottom there is a link to the Javadocs of the application. But I cannot find the tutorial.

The steps are contained within the javadoc's overview-summary.html page which lists the sections required to install and run the security demo. The javadoc is generated from the fortress demo2 source bundle located here: https://github.com/shawnmckinney/fortressdemo2

The README contains instructions for generating javadoc so you may have an offline copy: https://github.com/shawnmckinney/fortressdemo2/blob/master/README.txt
Re: Demonstrate End-to-End Security Enforcement using Open Source Software Wicket
Notably missing from the material is theory or why these types of complex security mechanisms are necessary. I'm working on that now and will publish it back here when ready.

On 08/20/2014 09:43 AM, Martin Grigorov wrote:

> OK. Thanks!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Wed, Aug 20, 2014 at 5:39 PM, Shawn McKinney mckinney-sh...@att.net wrote:
>
>> On 08/20/2014 08:01 AM, Martin Grigorov wrote:
>>
>>> I am not able to find the tutorial ... :-/
>>> At http://iamfortress.org/FortressDemo2 there is only a diagram. At the bottom there is a link to the Javadocs of the application. But I cannot find the tutorial.
>>
>> The steps are contained within the javadoc's overview-summary.html page which lists the sections required to install and run the security demo. The javadoc is generated from the fortress demo2 source bundle located here: https://github.com/shawnmckinney/fortressdemo2
>>
>> The README contains instructions for generating javadoc so you may have an offline copy: https://github.com/shawnmckinney/fortressdemo2/blob/master/README.txt
Re: Wicket meet-and-greet at JavaOne 2014?
On 09/08/2014 06:17 PM, Garret Wilson wrote:

> Hi, all. I'm traveling at the moment, but I plan to be back in San Francisco around the start of JavaOne. Do any Wicket users plan on being in town for the conference? Would you like me to organize a meet-and-greet at a local restaurant or even (depending on the number of guests) at my place? Perhaps it would be helpful and fun to put some faces with some names on the list. Let me know if you like the idea.

Hello Garret,

I will be there and would like to meet. Also will be presenting at a couple of sessions:

Monday: The Anatomy of a Secure Web Application Using Java [CON3479] : https://oracleus.activeevents.com/2014/connect/sessionDetail.ww?SESSION_ID=3479

Tuesday: Open Source Identity and Access Management Expert Panel, Part 3 [BOF3478] : https://oracleus.activeevents.com/2014/connect/sessionDetail.ww?SESSION_ID=3478

Shawn
Re: Demonstrate End-to-End Security Enforcement using Open Source Software Wicket
On 08/20/2014 10:08 AM, Shawn McKinney wrote:

> Notably missing from the material is theory or why these types of complex security mechanisms are necessary. I'm working on that now and will publish it back here when ready.

Hello again, just now getting back to this thread ***

The fortressdemo2 web app tutorial shows an apache wicket web app deployed inside of a tomcat container using both an ldap and db server. It recommends various security layers for end-to-end security which is a 'defense in depth' approach.

The fortressdemo2 source code is here: https://github.com/shawnmckinney/fortressdemo2

The fortress demo2 tutorial page has been moved to a new location: https://symas.com/kb/demonstrate-end-to-end-security-enforcement-using-open-source/

and on this page are more links to:

a. static html javadoc (hosted on same server) containing instructions for actual fortressdemo2 tutorial installation. The overview page of the javadoc describes how to download the example source code and how to generate documentation locally.

b. link to presentation given last week at JavaOne

The J1 deck contains two parts:

1. Overview of the security controls used within the fortressdemo2 web app.
2. Description of how to drop the fortressdemo2 (and its associated infrastructure) into a cloud foundry PaaS (presented by John Field)

Finally there is an abbreviated version of the slides containing the rationale for each layer by comparing to everyday situations: https://symas.com/javadocs/fortressdemo2/doc-files/AnatomyOfSecureWebApp.pdf

We are donating this material to help others learn the proper way to security inside of web app envs. So there will be fewer violations and breaches of our personal and business data - events that are seemingly commonplace today.

Suggestions or comments are welcome.

Thanks for your attention,
Shawn
Enabling Java EE and Fortress Security inside an Apache Wicket Web App
Hello, another post on how a wicket application can be hooked in with java EE security and fortress rbac controls: https://iamfortress.wordpress.com/2015/03/13/enabling-java-ee-and-fortress-security-inside-an-apache-wicket-web-app/ Hope you find it helpful. Shawn
wicketstuff v10?
Hello, Any projections on when wicketstuff for v10.x will be available? Thanks! — Shawn
Re: wicketstuff v10?
> On Jul 10, 2023, at 1:59 AM, Maxim Solodovnik wrote:
>
> I'm back :)
>
> going to create release today :)
>
> You can track progress here https://github.com/wicketstuff/core/issues/752
>

And I saw that it has already been released! Y’all do awesome work.

Thanks

—
Shawn

> On Tue, 4 Jul 2023 at 02:21, Shawn McKinney wrote:
>>
>>> On Jul 3, 2023, at 11:26 AM, Maxim Solodovnik wrote:
>>>
>>> Hello Shawn,
>>>
>>> I'll get back from vacation in a week or so and will create a release :)
>>>
>>> Or someone might create release earlier :)
>>>
>>
>> Hey Maxim,
>>
>> That will be fine for me. Thanks for replying and have a nice time on your break.
>>
>> Best
>>
>> —
>> Shawn
>>
>>> from mobile (sorry for typos ;)
>>>
>>> On Mon, Jul 3, 2023, 18:44 Shawn McKinney wrote:
>
> --
> Best regards,
> Maxim
Re: wicketstuff v10?
> On Jul 3, 2023, at 11:26 AM, Maxim Solodovnik wrote:
>
> Hello Shawn,
>
> I'll get back from vacation in a week or so and will create a release :)
>
> Or someone might create release earlier :)
>

Hey Maxim,

That will be fine for me. Thanks for replying and have a nice time on your break.

Best

—
Shawn

> from mobile (sorry for typos ;)
>
> On Mon, Jul 3, 2023, 18:44 Shawn McKinney wrote:
Re: Question about log warning: "IndicatingAjaxButton should be applied on a 'button' tag"
> On Jun 28, 2023, at 8:27 AM, Bas Gooren wrote:
>
> Hi Shawn,
>
> That’s more of a styling issue.
>
> uses the “value” attribute to render the button text.
>
> For a you’ll need to put the value inside the button tag:
> value goes here
>

Ah yes, that’s it. Thank you Bas!

For completeness, here is what it looks like now:

```
wspage1.button1
```

Best

—
Shawn

> Met vriendelijke groet,
> Kind regards,
>
> Bas Gooren
Re: Question about log warning: "IndicatingAjaxButton should be applied on a 'button' tag"
> On Jun 28, 2023, at 8:23 AM, Ernesto Reinaldo Barreiro wrote:
>
> I think your question has been correctly answered already. But, anyways, it is pleasant to have questions in wicket's users list :-)

Indeed. Handled REALLY quickly! Next time I won’t wait so long to ask my dumb question.

No good deed goes unpunished? ;-)

—
Shawn
Re: Question about log warning: "IndicatingAjaxButton should be applied on a 'button' tag"
> On Jun 29, 2023, at 3:25 AM, Martin Grigorov wrote:
>
> I don't see such code at
> https://github.com/apache/wicket/blob/master/wicket-extensions/src/main/java/org/apache/wicket/extensions/ajax/markup/html/IndicatingAjaxButton.java
> Is your IndicatingAjaxButton.java part of some third party library ?

Yes it is. Sorry, should have pointed that out.

```
package com.googlecode.wicket.jquery.ui.form.button;
…
/**
 * Provides a jQuery button based on the {@link AjaxButton}, with an ajax indicator the time the {@link #onSubmit()} process.
 *
 * @since 6.0
 * @author Sebastien Briquet - sebfz1
 */
public abstract class IndicatingAjaxButton extends AjaxButton
```

Which begs the question. What happens when we use the wicket extensions instead?

(Don’t know but I’ll find out)

—
Shawn
Re: Question about log warning: "IndicatingAjaxButton should be applied on a 'button' tag"
> On Jun 29, 2023, at 6:30 AM, Shawn McKinney wrote:
>
> Which begs the question. What happens when we use the wicket extensions instead?
>
> (Don’t know but I’ll find out)

The answer is it works as expected (with no warnings).

The solution: use wicket extensions not googlecode.

Very nice.

—
Shawn
Question about log warning: "IndicatingAjaxButton should be applied on a 'button' tag"
Howdy,

I’m a little embarrassed to be asking. It seems so basic, should know it already. But, I’ve already spent a fair amount of time digging with no answers.

My usage of Ajax buttons generates this warning in the logs:

```
WARN - 28 Jun 2023 07:35:56,704 - IndicatingAjaxButton - IndicatingAjaxButton should be applied on a 'button' tag
```

Looking at the wicket source, I see:

```
public abstract class IndicatingAjaxButton extends AjaxButton
...
    @Override
    protected void onComponentTag(ComponentTag tag)
    {
        super.onComponentTag(tag);
        if (!"button".equalsIgnoreCase(tag.getName()))
        {
            LOG.warn("IndicatingAjaxButton should be applied on a 'button' tag");
        }
    }
```

A head scratcher to me why that warning is in place. Obviously, there’s something I’m missing.

Here’s my code. It all “seems” to work just fine (other than the warning). What am I doing wrong?

```java
public Page1Form( String id )
{
    …
    add( new IndicatingAjaxButton( "wspage1.button1" )
    {
        @Override
        protected void onSubmit( AjaxRequestTarget target )
        {
            logIt( target, "..." );
        }
    }
    ...
```

```html
```

I’m using the latest Wicket (v10). This behavior (log warnings) was present on earlier versions as well.

Thanks

—
Shawn
Re: Question about log warning: "IndicatingAjaxButton should be applied on a 'button' tag"
> On Jun 28, 2023, at 8:11 AM, Bas Gooren wrote:
>
> Hi Shawn,
>
> The code basically checks if you apply the behavior to a element.
>
> In other words:
>
> is considered an “invalid” element for this behavior.
>
> is considered “valid”.
>

Hello,

As part of my scientific ‘poke and hope’ methodology ;-), I had tried that. Now, the warning has disappeared. But, the button renders on the page as a tiny dot, that actually works. I doubt my users would be a big fan of it (tiny buttons), although their eye doctors might?

Anyway, all kidding aside, here’s what the html looks like:

```