Re: Does wicket have parameter-based security?

2014-04-01 Thread armandoxxx
hey 

we use the Apache Shiro project for all security on Wicket applications ... 
Apache Shiro has targets (part of a permission) to resolve this kind of
issue. 

you can also write a custom Shiro filter to let Wicket know if problems with
authorization occurred .. or let Shiro handle it in its own way ;)

Regards

Armando



--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Does-wicket-have-parameter-based-security-tp4665174p4665208.html
Sent from the Users forum mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Does wicket have parameter-based security?

2014-03-29 Thread Stefan Renz
Hi,

Tom Norton wrote:
> Let's say I have a page called: /order-details/${orderId}.
>
> Let's also say I want to ensure that some customer named Bob can only see
> the order-details pages for the orders he placed, but not any of the
> order-details pages for orders that John placed.
>
> I already know wicket has role-based security.  Does wicket also have some
> form of parameter-based security?  Am I barking up the wrong tree?  Should
> this security check be inside a hibernate on-load event listener instead?

I'm not aware of a built-in mechanism. After all, wicket couldn't know
about the meaning of a parameter...

We check access in the page constructor, either explicitly there (call a
DAO, or call a Service), or by using a behavior that does the check if
the check needs to be elsewhere. If violated, we throw an
AuthorizationException.

But I'd be interested in how you would pass the query parameter value to
a Hibernate event listener. Aren't they registered rather statically
with the SessionFactory?

 
> Thanks,
> Tom
 

Hope this helps, bye
Stefan
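
The constructor check described in the reply above, applied to the /order-details/${orderId} page from the question, as an added example that is not code from any poster in this thread. `Order`, `OrderService`, `CurrentUser` and the static wiring are hypothetical names; the Wicket classes are real, and `UnauthorizedInstantiationException` is used here as one concrete `AuthorizationException` subclass.

```java
import java.io.Serializable;
import org.apache.wicket.authorization.UnauthorizedInstantiationException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.request.mapper.parameter.PageParameters;

// Assumed to be mounted in the application's init() as:
//   mountPage("/order-details/${orderId}", OrderDetailsPage.class);
// The page markup is assumed to contain an element with wicket:id="orderId".
public class OrderDetailsPage extends WebPage {

    /** Hypothetical order record; only the fields the check needs. */
    public static final class Order implements Serializable {
        final long id;
        final String ownerId;
        public Order(long id, String ownerId) { this.id = id; this.ownerId = ownerId; }
    }

    /** Hypothetical lookup (a DAO or service in a real app); returns null if absent. */
    public interface OrderService { Order findById(long orderId); }

    /** Hypothetical accessor for the authenticated user's id, read from the server-side session. */
    public interface CurrentUser { String id(); }

    // Hypothetical wiring; a real application would inject these.
    static OrderService orders;
    static CurrentUser currentUser;

    public OrderDetailsPage(PageParameters parameters) {
        super(parameters);

        // -1 when the parameter is missing or not a number, so bad input fails closed.
        long orderId = parameters.get("orderId").toLong(-1L);
        Order order = orderId > 0 ? orders.findById(orderId) : null;

        // The owner is compared against the session user, never against anything
        // the request supplies. A missing order and someone else's order take the
        // same path, so the response does not confirm which order ids exist.
        if (order == null || !order.ownerId.equals(currentUser.id())) {
            throw new UnauthorizedInstantiationException(OrderDetailsPage.class);
        }

        add(new Label("orderId", String.valueOf(order.id)));
    }
}
```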






Re: Does wicket have parameter-based security?

2014-03-29 Thread Ernesto Reinaldo Barreiro
Hi Tom,

I do not see any reason preventing you from delivering a custom
IAuthorizationStrategy that does what you want.


On Fri, Mar 28, 2014 at 8:37 PM, Tom Norton 
tomwnorton.mailing.li...@gmail.com wrote:

> Let's say I have a page called: /order-details/${orderId}.
>
> Let's also say I want to ensure that some customer named Bob can only see
> the order-details pages for the orders he placed, but not any of the
> order-details pages for orders that John placed.
>
> I already know wicket has role-based security.  Does wicket also have some
> form of parameter-based security?  Am I barking up the wrong tree?  Should
> this security check be inside a hibernate on-load event listener instead?
>
> Thanks,
> Tom




-- 
Regards - Ernesto Reinaldo Barreiro


Does wicket have parameter-based security?

2014-03-28 Thread Tom Norton
Let's say I have a page called: /order-details/${orderId}.

Let's also say I want to ensure that some customer named Bob can only see
the order-details pages for the orders he placed, but not any of the
order-details pages for orders that John placed.

I already know wicket has role-based security.  Does wicket also have some
form of parameter-based security?  Am I barking up the wrong tree?  Should
this security check be inside a hibernate on-load event listener instead?

Thanks,
Tom