Re: Does wicket have parameter-based security?
hey we use Apache SHIRO project for all security on wicket applications ... apache shiro has targets (part of permission) to resolve this kind of issues. you can also write custom shiro filter to let wicket know if problems with authorization accured .. or let shiro handle it in his own way ;) Regards Armando -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Does-wicket-have-parameter-based-security-tp4665174p4665208.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Does wicket have parameter-based security?
Hi Tom, I do not see any reason preventing you from delivering a custom IAuthorizationStrategy that does what you want. On Fri, Mar 28, 2014 at 8:37 PM, Tom Norton < tomwnorton.mailing.li...@gmail.com> wrote: > Let's say I have a page called: /order-details/${orderId}. > > Let's also say I want to ensure that some customer named Bob can only see > the order-details pages for the orders he placed, but not any of the > order-details pages for orders that John placed. > > I already know wicket has role-based security. Does wicket also have some > form of parameter-based security? Am I barking up the wrong tree? Should > this security check be inside a hibernate on-load event listener instead? > > Thanks, > Tom > -- Regards - Ernesto Reinaldo Barreiro
Re: Does wicket have parameter-based security?
Hi, Tom Norton wrote: > Let's say I have a page called: /order-details/${orderId}. > > Let's also say I want to ensure that some customer named Bob can only see > the order-details pages for the orders he placed, but not any of the > order-details pages for orders that John placed. > > I already know wicket has role-based security. Does wicket also have some > form of parameter-based security? Am I barking up the wrong tree? Should > this security check be inside a hibernate on-load event listener instead? I'm not aware of a built-in mechanism. After all, wicket couldn't know about the meaning of a parameter... We check access in the page constructor, either explicity there (call a DAO, or call a Service), or by using a behavior that does the check if the check needs to be elsewhere. If violated, we throw an AuthrozationException. But I'd be interested on how you would pass the query parameter value to a Hibernate event listener. Aren't they registered rather statically with the SessionFactory? > > Thanks, > Tom > Hope this helps, bye Stefan - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Does wicket have parameter-based security?
Let's say I have a page called: /order-details/${orderId}. Let's also say I want to ensure that some customer named Bob can only see the order-details pages for the orders he placed, but not any of the order-details pages for orders that John placed. I already know wicket has role-based security. Does wicket also have some form of parameter-based security? Am I barking up the wrong tree? Should this security check be inside a hibernate on-load event listener instead? Thanks, Tom