Re: Security in a Spring Wicket layered application

2009-04-06 Thread Eduardo Nunes
Are you using something else together with wicket-jsecurity? I saw the
example in the svn and there is no annotation based authorization or
something like this. How did you implement the authorization in your
(big) application?

Thanks,
Eduardo S. Nunes

On Tue, Mar 10, 2009 at 2:53 PM, Les Hazlewood lhazlew...@apache.org wrote:
 Hi Kent,

 Although it is early, I am using the wicket-jsecurity integration in one of
 my (big) projects.  It is working pretty well.  Feel free to ask questions -
 I'm happy to help along the way.

 Cheers,

 Les
 (JSecurity founder)

 On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson kent.lars...@gmail.com wrote:

 Integrating with jSecurity instead is really a last resort. If it is
 at all possible I wouldn't like to introduce more framework
 dependencies. That integration project seems a bit early to use as
 well, but it might be interesting in the future. Thanks for the link!

 Regarding Spring Security (SS). Is anyone integrating Wicket with SS
 on their own? I've read lots about SS now but I still find it hard to
 see what I need for a Wicket application.

 I got some tips at:
 http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations

 But I still have lots of questions.
 - In the above link they are using a link and passing the information
 by GET. I would like to use POST, and I guess that shouldn't be a
 problem. Tell me if you see some?
 - I have to instruct SS to redirect a user to my own login page if
 (s)he tries to access something which requires authentication. How is
 that done?
 - When a user registers an account I guess I should pass something on
 to a servlet filter, similar to how authentication works?
 - Which servlet filters do you think I'll need?

 If I can just get someone to register and authenticate. Then I'll just
 use the instructions in SS documentation to get GrantedAuthority
 objects. I'll use these to show/hide things in Wicket pages as well as
 enable/disable other things. Does that sound like a good approach?

 If anyone has *any* tips I would be immensely grateful!! As I think
 this is quite complex and I'm new to Spring Security.

 Best regards,
 Kent


 On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley ryan...@gmail.com wrote:
  I have not used it (yet), but check:
  http://code.google.com/p/wicket-jsecurity/
 
 
 
  On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
 
  Hm, I had some problems. Are there any examples out there for this?
 
  On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com
  wrote:
 
  Hi,
 
  Great answer! :-) I'll try to do that today.
 
  Best regards, Kent
 
 
  On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl
  wrote:
 
  Hi Kent,
 
  Go with something that enables authorization in the service layer
 (e.g.
  Spring Security, jSecurity, ...).
 
  Next base your custom wicket authorization on the authentication store
  of
  the chosen base technology. Spring Security uses a thread local as
  authentication store and has a servlet filter to copy the
 authenticated
  user
  to/from the session so that the authenticated user is handily
 available
  during a request and properly stored afterwards.
 
  Authentication itself can be implemented from Wicket in a custom way
  (e.g. a
  username/password form). On success you just store the authenticated
  user in
  the authentication store.
 
  Regards,
   Erik.
 
 
  Kent Larsson wrote:
 
  Hi,
 
  I know there has been some discussion on this. But I've had a hard
  time deciding how this project should use security anyway.
 
  The application in question is layered into three layers for
  presentation, services and persistence using Wicket, Spring and
  Hibernate.
 
  What we need:
  - Authentication
  - Authorization on pages, components
  - Authorization before being able to run methods in the service layer
  - Authorization for viewing/editing some domain objects using Access
  Control List's (ACL's)
 
  I have read Wicket in Action and its custom security solution has
 some
  pros:
  - It's quite easy to understand
  - We have a lot of freedom in how to do authentication and
  authorization
 
  And some cons:
  - I don't know how to authorize calls of specific methods, and thus
  - All security will be in the presentation layer
  - It won't be usable if we want security on web services later (which
  we do not need now, so maybe this can be disregarded)
 
  It would be nice if we could have a common solution to our security
  needs that integrates well with Wicket and Spring. I know that the
  Auth Roles project is out there as well as Swarm. But I don't know
  which will meet our needs and which will most likely be an option to
  us when we later move to Wicket 1.4 or a higher version.
 
  Best regards,
  Kent
 
 
 
 
  --
  Erik van Oosten
  http://www.day-to-day-stuff.blogspot.com/
 
 
  -
  To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
  For additional 

Re: Security in a Spring Wicket layered application

2009-03-13 Thread Daniele Dellafiore
We just finished (yesterday) implementing authorization in a Wicket app.

Basically, we ended up with an integration of WASP, Spring Security and a
little bit of SWARM with a home-made User-Group-Permission mechanism
that is really simple and string based, and persisted on DB (via
Hibernate).

We have an implementation of WaspAuthorizationStrategy with basically
login, logoff and this other method implemented:

    @Override
    public boolean isComponentAuthorized(Component component, WaspAction action) {
        if (component instanceof SecureWebPage) {
            return isUserAuthenticated();
        }
        return checkPermission(component, action);
    }

In our app, an authenticated user can see all pages (hence the first if),
but some components can have further restrictions, so there is the
second method that goes into our custom permission check. In that
method, we ask Spring for the Authentication in the session, so we get the
User (a custom class) and from there we can check permissions.

If you are interested, I can write a more specific essay on our implementation.

I am happy with that because it integrates with Wicket and Spring
Security using some of the mechanisms and facilities but without being a
slave of the framework, so the granularity of authorization is
completely domain-side and so are the permission definitions.

In the end, to define a permission on a button you now just need to
change a Button to a SecureButton (that has a very trivial
implementation). Then we create a Permission on the DB (a string) for
that button in some specific Page and assign the Permission to some
group. That's it.

We stayed away from SWARM and its hive, replacing it with a simpler
home-made mechanism. We just use the SwarmAction to have the access,
render, enable granularity for components already built in.
Permission implemented the Spring Security interface called
GrantedAuthority, that is the way the Spring guys call permissions. In
fact, both are just a string and we are perfectly integrated.

For the point:
. Authorization before being able to run methods in the service layer

I think that Spring Security is the way to go, it allows using AOP to
restrict a method call, with also filtering and so on. I have not had the
chance to experiment with it actually, but I know it can for sure :)

On Sun, Mar 8, 2009 at 5:20 PM, Kent Larsson kent.lars...@gmail.com wrote:
 Hi,

 I know there has been some discussion on this. But I've had a hard
 time deciding how this project should use security anyway.

 The application in question is layered into three layers for
 presentation, services and persistence using Wicket, Spring and
 Hibernate.

 What we need:
 - Authentication
 - Authorization on pages, components
 - Authorization before being able to run methods in the service layer
 - Authorization for viewing/editing some domain objects using Access
 Control List's (ACL's)

 I have read Wicket in Action and its custom security solution has some pros:
 - It's quite easy to understand
 - We have a lot of freedom in how to do authentication and authorization

 And some cons:
 - I don't know how to authorize calls of specific methods, and thus
 - All security will be in the presentation layer
 - It won't be usable if we want security on web services later (which
 we do not need now, so maybe this can be disregarded)

 It would be nice if we could have a common solution to our security
 needs that integrates well with Wicket and Spring. I know that the
 Auth Roles project is out there as well as Swarm. But I don't know
 which will meet our needs and which will most likely be an option to
 us when we later move to Wicket 1.4 or a higher version.

 Best regards,
 Kent






-- 
Daniele Dellafiore
http://blog.ildella.net/
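
Added example (not part of the original thread, and not code from any poster or from Wicket, WASP, SWARM or Spring Security): a plain-JDK illustration of the two enforcement points discussed above, a string-permission component check shaped like isComponentAuthorized and the same permission store enforced again in front of a service method. All names (LayeredAuthzDemo, RequiresPermission, InvoiceService, the group names and permission strings) are hypothetical, the thread-local stands in for the framework's authentication store, and java.lang.reflect.Proxy stands in for AOP interception.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class LayeredAuthzDemo {

    // Hypothetical stand-in for the per-request, thread-local authentication store.
    static final ThreadLocal<Set<String>> CURRENT_PERMISSIONS = new ThreadLocal<>();

    // Group -> permission strings, as they might be loaded from the database (constructed data).
    static final Map<String, Set<String>> GROUPS = new HashMap<>();
    static {
        GROUPS.put("clerks", new HashSet<>(Arrays.asList("invoice:read")));
        GROUPS.put("managers", new HashSet<>(Arrays.asList(
                "invoice:read", "invoice:delete", "InvoicePage:deleteButton:render")));
        // Misconfigured group: the button is visible but the service permission is missing.
        GROUPS.put("interns", new HashSet<>(Arrays.asList("InvoicePage:deleteButton:render")));
    }

    /** Presentation-layer check, same shape as isComponentAuthorized in the post. */
    static boolean isComponentAuthorized(boolean secureComponent, String permission) {
        Set<String> perms = CURRENT_PERMISSIONS.get();
        if (perms == null) return false;       // not authenticated: deny
        if (!secureComponent) return true;     // any authenticated user may see plain pages
        return perms.contains(permission);
    }

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresPermission { String value(); }

    interface InvoiceService {
        @RequiresPermission("invoice:read") String read(long id);
        @RequiresPermission("invoice:delete") String delete(long id);
    }

    static class InvoiceServiceImpl implements InvoiceService {
        public String read(long id) { return "invoice " + id; }
        public String delete(long id) { return "deleted " + id; }
    }

    /** Service-layer check: every call passes through this handler, whatever the UI showed. */
    static InvoiceService secure(InvoiceService target) {
        InvocationHandler handler = (proxy, method, args) -> {
            RequiresPermission required = method.getAnnotation(RequiresPermission.class);
            Set<String> perms = CURRENT_PERMISSIONS.get();
            // Deny when unauthenticated, when the method is unannotated, or when the permission is absent.
            if (perms == null || required == null || !perms.contains(required.value())) {
                throw new SecurityException("denied: " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();            // surface the service's own exception
            }
        };
        return (InvoiceService) Proxy.newProxyInstance(
                InvoiceService.class.getClassLoader(), new Class<?>[] {InvoiceService.class}, handler);
    }

    /** Simulates one request for a member of the given group (null = anonymous). */
    static String request(InvoiceService service, String group) {
        try {
            if (group != null) CURRENT_PERMISSIONS.set(GROUPS.get(group));
            boolean button = isComponentAuthorized(true, "InvoicePage:deleteButton:render");
            String result;
            try {
                result = service.delete(42L);  // called regardless of what the UI rendered
            } catch (SecurityException e) {
                result = e.getMessage();
            }
            return "button visible=" + button + ", service call -> " + result;
        } finally {
            CURRENT_PERMISSIONS.remove();      // pooled threads must not keep the previous user
        }
    }

    public static void main(String[] args) {
        InvoiceService service = secure(new InvoiceServiceImpl());
        for (String group : new String[] {"managers", "clerks", "interns", null}) {
            System.out.println(group + ": " + request(service, group));
        }
    }
}
```

The "interns" row is the case a presentation-only scheme misses: the component check passes, and only the service-layer check stops the call.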




Re: Security in a Spring Wicket layered application

2009-03-12 Thread Kent Larsson
Hi Kai,

I'm setting up auth roles, it's going pretty well. Although I've had
some problems when I followed
http://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html
to the letter, it might be a typo in there or else it was me doing
something wrong.

Is there a home page for the auth roles project? I Googled a bit
without finding any.

I would be very interested in a small example if you have some time to give one!

Best regards,
Kent



On Tue, Mar 10, 2009 at 7:33 PM, Kai Mütz kmu...@googlemail.com wrote:
 We are using Acegi and Wicket-auth-roles (1.3.5) similar to the WIKI
 description:

 http://cwiki.apache.org/WICKET/acegi-and-wicket-auth-roles.html

 Have you read it?

 But we do only:
 - Authentication
 - Authorization on pages, components

 No Authorization on service layer. Are you interested in a small sample?

 Cheers, Kai




Re: Security in a Spring Wicket layered application

2009-03-12 Thread Kent Larsson
By looking at the source code it looked very nice (and you're right
about complex, but of course you are doing lots of important things so
it's hard not to have something complex) to me. You seem to be very
knowledgeable.

I didn't get it working in Eclipse though. I did a svn co the trunk
path you gave me, and then I tried mvn eclipse:ecilpse. It complained
about missing jta.jar and failed, I fixed it (I think it's a license
problem so it doesn't get downloaded by Maven) and could run mvn
eclipse:eclipse successfully.

I imported the project into my workspace in Eclipse, added my Tomcat
server under the Servers tab. But the project was of wrong type (I
think), so I couldn't add the project to be deployed in my server from
Eclipse. Then I tried creating the war-file by mvn war:war, it worked
and I did a deploy by copy. But it wouldn't start.

Best regards,
Kent

On Tue, Mar 10, 2009 at 7:25 PM, James Carman
jcar...@carmanconsulting.com wrote:
 My wicket-advanced demo code integrates Spring Security and Wicket
 using wicket-auth-roles:

 http://svn.carmanconsulting.com/public/wicket-advanced/trunk/

 The key is the SpringSecuritySession class:

 http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/session/SpringSecuritySession.java


 On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson kent.lars...@gmail.com wrote:
 Integrating with jSecurity instead is really a last resort. If it is
 at all possible I wouldn't like to introduce more framework
 dependencies. That integration project seems a bit early to use as
 well, but it might be interesting in the future. Thanks for the link!

 Regarding Spring Security (SS). Is anyone integrating Wicket with SS
 on their own? I've read lots about SS now but I still find it hard to
 see what I need for a Wicket application.

 I got some tips at: 
 http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations

 But I still have lots of questions.
 - In the above link they are using a link and passing the information
 by GET. I would like to use POST, and I guess that shouldn't be a
 problem. Tell me if you see some?
 - I have to instruct SS to redirect a user to my own login page if
 (s)he tries to access something which requires authentication. How is
 that done?
 - When a user registers an account I guess I should pass something on
 to a servlet filter, similar to how authentication works?
 - Which servlet filters do you think I'll need?

 If I can just get someone to register and authenticate. Then I'll just
 use the instructions in SS documentation to get GrantedAuthority
 objects. I'll use these to show/hide things in Wicket pages as well as
 enable/disable other things. Does that sound like a good approach?

 If anyone has *any* tips I would be immensely grateful!! As I think
 this is quite complex and I'm new to Spring Security.

 Best regards,
 Kent


 On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley ryan...@gmail.com wrote:
 I have not used it (yet), but check:
 http://code.google.com/p/wicket-jsecurity/



 On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:

 Hm, I had some problems. Are there any examples out there for this?

 On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com
 wrote:

 Hi,

 Great answer! :-) I'll try to do that today.

 Best regards, Kent


 On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl
 wrote:

 Hi Kent,

 Go with something that enables authorization in the service layer (e.g.
 Spring Security, jSecurity, ...).

 Next base your custom wicket authorization on the authentication store
 of
 the chosen base technology. Spring Security uses a thread local as
 authentication store and has a servlet filter to copy the authenticated
 user
 to/from the session so that the authenticated user is handily available
 during a request and properly stored afterwards.

 Authentication itself can be implemented from Wicket in a custom way
 (e.g. a
 username/password form). On success you just store the authenticated
 user in
 the authentication store.

 Regards,
  Erik.


 Kent Larsson wrote:

 Hi,

 I know there has been some discussion on this. But I've had a hard
 time deciding how this project should use security anyway.

 The application in question is layered into three layers for
 presentation, services and persistence using Wicket, Spring and
 Hibernate.

 What we need:
 - Authentication
 - Authorization on pages, components
 - Authorization before being able to run methods in the service layer
 - Authorization for viewing/editing some domain objects using Access
 Control List's (ACL's)

 I have read Wicket in Action and its custom security solution has some
 pros:
 - It's quite easy to understand
 - We have a lot of freedom in how to do authentication and
 authorization

 And some cons:
 - I don't know how to authorize calls of specific methods, and thus
 - All security will be in the presentation layer
 - It won't be usable if we want security on web 

Re: Security in a Spring Wicket layered application

2009-03-12 Thread Kent Larsson
Hi Les,

After looking at the JUG JSecurity Presentation of jSecurity I'm
certainly interested in the project. For my next project I'll have to
look into jSecurity. Keep up the good work!

Best regards,
Kent

On Tue, Mar 10, 2009 at 6:53 PM, Les Hazlewood lhazlew...@apache.org wrote:
 Hi Kent,

 Although it is early, I am using the wicket-jsecurity integration in one of
 my (big) projects.  It is working pretty well.  Feel free to ask questions -
 I'm happy to help along the way.

 Cheers,

 Les
 (JSecurity founder)

 On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson kent.lars...@gmail.com wrote:

 Integrating with jSecurity instead is really a last resort. If it is
 at all possible I wouldn't like to introduce more framework
 dependencies. That integration project seems a bit early to use as
 well, but it might be interesting in the future. Thanks for the link!

 Regarding Spring Security (SS). Is anyone integrating Wicket with SS
 on their own? I've read lots about SS now but I still find it hard to
 see what I need for a Wicket application.

 I got some tips at:
 http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations

 But I still have lots of questions.
 - In the above link they are using a link and passing the information
 by GET. I would like to use POST, and I guess that shouldn't be a
 problem. Tell me if you see some?
 - I have to instruct SS to redirect a user to my own login page if
 (s)he tries to access something which requires authentication. How is
 that done?
 - When a user registers an account I guess I should pass something on
 to a servlet filter, similar to how authentication works?
 - Which servlet filters do you think I'll need?

 If I can just get someone to register and authenticate. Then I'll just
 use the instructions in SS documentation to get GrantedAuthority
 objects. I'll use these to show/hide things in Wicket pages as well as
 enable/disable other things. Does that sound like a good approach?

 If anyone has *any* tips I would be immensely grateful!! As I think
 this is quite complex and I'm new to Spring Security.

 Best regards,
 Kent


 On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley ryan...@gmail.com wrote:
  I have not used it (yet), but check:
  http://code.google.com/p/wicket-jsecurity/
 
 
 
  On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
 
  Hm, I had some problems. Are there any examples out there for this?
 
  On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com
  wrote:
 
  Hi,
 
  Great answer! :-) I'll try to do that today.
 
  Best regards, Kent
 
 
  On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl
  wrote:
 
  Hi Kent,
 
  Go with something that enables authorization in the service layer
 (e.g.
  Spring Security, jSecurity, ...).
 
  Next base your custom wicket authorization on the authentication store
  of
  the chosen base technology. Spring Security uses a thread local as
  authentication store and has a servlet filter to copy the
 authenticated
  user
  to/from the session so that the authenticated user is handily
 available
  during a request and properly stored afterwards.
 
  Authentication itself can be implemented from Wicket in a custom way
  (e.g. a
  username/password form). On success you just store the authenticated
  user in
  the authentication store.
 
  Regards,
   Erik.
 
 
  Kent Larsson wrote:
 
  Hi,
 
  I know there has been some discussion on this. But I've had a hard
  time deciding how this project should use security anyway.
 
  The application in question is layered into three layers for
  presentation, services and persistence using Wicket, Spring and
  Hibernate.
 
  What we need:
  - Authentication
  - Authorization on pages, components
  - Authorization before being able to run methods in the service layer
  - Authorization for viewing/editing some domain objects using Access
  Control List's (ACL's)
 
  I have read Wicket in Action and its custom security solution has
 some
  pros:
  - It's quite easy to understand
  - We have a lot of freedom in how to do authentication and
  authorization
 
  And some cons:
  - I don't know how to authorize calls of specific methods, and thus
  - All security will be in the presentation layer
  - It won't be usable if we want security on web services later (which
  we do not need now, so maybe this can be disregarded)
 
  It would be nice if we could have a common solution to our security
  needs that integrates well with Wicket and Spring. I know that the
  Auth Roles project is out there as well as Swarm. But I don't know
  which will meet our needs and which will most likely be an option to
  us when we later move to Wicket 1.4 or a higher version.
 
  Best regards,
  Kent
 
 
 
 
  --
  Erik van Oosten
  http://www.day-to-day-stuff.blogspot.com/
 
 
 
 
 

Re: Security in a Spring Wicket layered application

2009-03-12 Thread James Carman
Mr. Larsson,

Thank you for your kind words and I'm sorry you had so much trouble
getting the project to run.  Those Sun licensing issues are annoying
to all of us maven users.  However, I would urge you to try running
the project with either mvn jetty:run or using the Start class that's
included in the test directory.  Those should both work (assuming your
classpaths get setup in eclipse properly).

James

On Thu, Mar 12, 2009 at 7:13 PM, Kent Larsson kent.lars...@gmail.com wrote:
 By looking at the source code it looked very nice (and you're right
 about complex, but of course you are doing lots of important things so
 it's hard not to have something complex) to me. You seem to be very
 knowledgeable.

 I didn't get it working in Eclipse though. I did a svn co the trunk
 path you gave me, and then I tried mvn eclipse:ecilpse. It complained
 about missing jta.jar and failed, I fixed it (I think it's a license
 problem so it doesn't get downloaded by Maven) and could run mvn
 eclipse:eclipse successfully.

 I imported the project into my workspace in Eclipse, added my Tomcat
 server under the Servers tab. But the project was of wrong type (I
 think), so I couldn't add the project to be deployed in my server from
 Eclipse. Then I tried creating the war-file by mvn war:war, it worked
 and I did a deploy by copy. But it wouldn't start.

 Best regards,
 Kent

 On Tue, Mar 10, 2009 at 7:25 PM, James Carman
 jcar...@carmanconsulting.com wrote:
 My wicket-advanced demo code integrates Spring Security and Wicket
 using wicket-auth-roles:

 http://svn.carmanconsulting.com/public/wicket-advanced/trunk/

 The key is the SpringSecuritySession class:

 http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/session/SpringSecuritySession.java


 On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson kent.lars...@gmail.com wrote:
 Integrating with jSecurity instead is really a last resort. If it is
 at all possible I wouldn't like to introduce more framework
 dependencies. That integration project seems a bit early to use as
 well, but it might be interesting in the future. Thanks for the link!

 Regarding Spring Security (SS). Is anyone integrating Wicket with SS
 on their own? I've read lots about SS now but I still find it hard to
 see what I need for a Wicket application.

 I got some tips at: 
 http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations

 But I still have lots of questions.
 - In the above link they are using a link and passing the information
 by GET. I would like to use POST, and I guess that shouldn't be a
 problem. Tell me if you see some?
 - I have to instruct SS to redirect a user to my own login page if
 (s)he tries to access something which requires authentication. How is
 that done?
 - When a user registers an account I guess I should pass something on
 to a servlet filter, similar to how authentication works?
 - Which servlet filters do you think I'll need?

 If I can just get someone to register and authenticate. Then I'll just
 use the instructions in SS documentation to get GrantedAuthority
 objects. I'll use these to show/hide things in Wicket pages as well as
 enable/disable other things. Does that sound like a good approach?

 If anyone has *any* tips I would be immensely grateful!! As I think
 this is quite complex and I'm new to Spring Security.

 Best regards,
 Kent


 On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley ryan...@gmail.com wrote:
 I have not used it (yet), but check:
 http://code.google.com/p/wicket-jsecurity/



 On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:

 Hm, I had some problems. Are there any examples out there for this?

 On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com
 wrote:

 Hi,

 Great answer! :-) I'll try to do that today.

 Best regards, Kent


 On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl
 wrote:

 Hi Kent,

 Go with something that enables authorization in the service layer (e.g.
 Spring Security, jSecurity, ...).

 Next base your custom wicket authorization on the authentication store
 of
 the chosen base technology. Spring Security uses a thread local as
 authentication store and has a servlet filter to copy the authenticated
 user
 to/from the session so that the authenticated user is handily available
 during a request and properly stored afterwards.

 Authentication itself can be implemented from Wicket in a custom way
 (e.g. a
 username/password form). On success you just store the authenticated
 user in
 the authentication store.

 Regards,
  Erik.


 Kent Larsson wrote:

 Hi,

 I know there has been some discussion on this. But I've had a hard
 time deciding how this project should use security anyway.

 The application in question is layered into three layers for
 presentation, services and persistence using Wicket, Spring and
 Hibernate.

 What we need:
 - Authentication
 - Authorization on pages, components
 - Authorization before being able 

Re: Security in a Spring Wicket layered application

2009-03-10 Thread Kent Larsson
Integrating with jSecurity instead is really a last resort. If it is
at all possible I wouldn't like to introduce more framework
dependencies. That integration project seems a bit early to use as
well, but it might be interesting in the future. Thanks for the link!

Regarding Spring Security (SS). Is anyone integrating Wicket with SS
on their own? I've read lots about SS now but I still find it hard to
see what I need for a Wicket application.

I got some tips at: http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations

But I still have lots of questions.
- In the above link they are using a link and passing the information
by GET. I would like to use POST, and I guess that shouldn't be a
problem. Tell me if you see some?
- I have to instruct SS to redirect a user to my own login page if
(s)he tries to access something which requires authentication. How is
that done?
- When a user registers an account I guess I should pass something on
to a servlet filter, similar to how authentication works?
- Which servlet filters do you think I'll need?

If I can just get someone to register and authenticate. Then I'll just
use the instructions in SS documentation to get GrantedAuthority
objects. I'll use these to show/hide things in Wicket pages as well as
enable/disable other things. Does that sound like a good approach?

If anyone has *any* tips I would be immensely grateful!! As I think
this is quite complex and I'm new to Spring Security.

Best regards,
Kent


On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley ryan...@gmail.com wrote:
 I have not used it (yet), but check:
 http://code.google.com/p/wicket-jsecurity/



 On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:

 Hm, I had some problems. Are there any examples out there for this?

 On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com
 wrote:

 Hi,

 Great answer! :-) I'll try to do that today.

 Best regards, Kent


 On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl
 wrote:

 Hi Kent,

 Go with something that enables authorization in the service layer (e.g.
 Spring Security, jSecurity, ...).

 Next base your custom wicket authorization on the authentication store
 of
 the chosen base technology. Spring Security uses a thread local as
 authentication store and has a servlet filter to copy the authenticated
 user
 to/from the session so that the authenticated user is handily available
 during a request and properly stored afterwards.

 Authentication itself can be implemented from Wicket in a custom way
 (e.g. a
 username/password form). On success you just store the authenticated
 user in
 the authentication store.

 Regards,
  Erik.


 Kent Larsson wrote:

 Hi,

 I know there has been some discussion on this. But I've had a hard
 time deciding how this project should use security anyway.

 The application in question is layered into three layers for
 presentation, services and persistence using Wicket, Spring and
 Hibernate.

 What we need:
 - Authentication
 - Authorization on pages, components
 - Authorization before being able to run methods in the service layer
 - Authorization for viewing/editing some domain objects using Access
 Control List's (ACL's)

 I have read Wicket in Action and its custom security solution has some
 pros:
 - It's quite easy to understand
 - We have a lot of freedom in how to do authentication and
 authorization

 And some cons:
 - I don't know how to authorize calls of specific methods, and thus
 - All security will be in the presentation layer
 - It won't be usable if we want security on web services later (which
 we do not need now, so maybe this can be disregarded)

 It would be nice if we could have a common solution to our security
 needs that integrates well with Wicket and Spring. I know that the
 Auth Roles project is out there as well as Swarm. But I don't know
 which will meet our needs and which will most likely be an option to
 us when we later move to Wicket 1.4 or a higher version.

 Best regards,
 Kent




 --
 Erik van Oosten
 http://www.day-to-day-stuff.blogspot.com/















Re: Security in a Spring Wicket layered application

2009-03-10 Thread Les Hazlewood
Hi Kent,

Although it is early, I am using the wicket-jsecurity integration in one of
my (big) projects.  It is working pretty well.  Feel free to ask questions -
I'm happy to help along the way.

Cheers,

Les
(JSecurity founder)

On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson kent.lars...@gmail.com wrote:

 Integrating with jSecurity instead is really a last resort. If it is
 at all possible I wouldn't like to introduce more framework
 dependencies. That integration project seems a bit early to use as
 well, but it might be interesting in the future. Thanks for the link!

 Regarding Spring Security (SS). Is anyone integrating Wicket with SS
 on their own? I've read lots about SS now but I still find it hard to
 see what I need for a Wicket application.

 I got some tips at:
 http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations

 But I still have lots of questions.
 - In the above link they are using a link and passing the information
 by GET. I would like to use POST, and I guess that shouldn't be a
 problem. Tell me if you see some?
 - I have to instruct SS to redirect a user to my own login page if
 (s)he tries to access something which requires authentication. How is
 that done?
 - When a user registers an account I guess I should pass something on
 to a servlet filter, similar to how authentication works?
 - Which servlet filters do you think I'll need?

 If I can just get someone to register and authenticate. Then I'll just
 use the instructions in SS documentation to get GrantedAuthority
 objects. I'll use these to show/hide things in Wicket pages as well as
 enable/disable other things. Does that sound like a good approach?

 If anyone has *any* tips I would be immensely grateful!! As I think
 this is quite complex and I'm new to Spring Security.

 Best regards,
 Kent


 On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley ryan...@gmail.com wrote:
  I have not used it (yet), but check:
  http://code.google.com/p/wicket-jsecurity/
 
 
 
  On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
 
  Hm, I had some problems. Are there any examples out there for this?
 
  On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com
  wrote:
 
  Hi,
 
  Great answer! :-) I'll try to do that today.
 
  Best regards, Kent
 
 
  On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl
  wrote:
 
  Hi Kent,
 
  Go with something that enables authorization in the service layer (e.g.
  Spring Security, jSecurity, ...).
 
  Next base your custom wicket authorization on the authentication store of
  the chosen base technology. Spring Security uses a thread local as
  authentication store and has a servlet filter to copy the authenticated user
  to/from the session so that the authenticated user is handily available
  during a request and properly stored afterwards.
 
  Authentication itself can be implemented from Wicket in a custom way (e.g. a
  username/password form). On success you just store the authenticated user in
  the authentication store.
 
  Regards,
   Erik.
 
 
  Kent Larsson wrote:
 
  Hi,
 
  I know there has been some discussion on this. But I've had a hard
  time deciding how this project should use security anyway.
 
  The application in question is layered into three layers for
  presentation, services and persistence using Wicket, Spring and
  Hibernate.
 
  What we need:
  - Authentication
  - Authorization on pages, components
  - Authorization before being able to run methods in the service layer
  - Authorization for viewing/editing some domain objects using Access
  Control Lists (ACLs)
 
  I have read Wicket in Action and its custom security solution has some
  pros:
  - It's quite easy to understand
  - We have a lot of freedom in how to do authentication and authorization
 
  And some cons:
  - I don't know how to authorize calls of specific methods, and thus
  - All security will be in the presentation layer
  - It won't be usable if we want security on web services later (which
  we do not need now, so maybe this can be disregarded)
 
  It would be nice if we could have a common solution to our security
  needs that integrates well with Wicket and Spring. I know that the
  Auth Roles project is out there as well as Swarm. But I don't know
  which will meet our needs and which will most likely be an option to
  us when we later move to Wicket 1.4 or a higher version.
 
  Best regards,
  Kent
 
 
 
 
  --
  Erik van Oosten
  http://www.day-to-day-stuff.blogspot.com/
 
 
  -
  To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
  For additional commands, e-mail: users-h...@wicket.apache.org
 
 
 
 

Re: Security in a Spring Wicket layered application

2009-03-10 Thread James Carman
My wicket-advanced demo code integrates Spring Security and Wicket
using wicket-auth-roles:

http://svn.carmanconsulting.com/public/wicket-advanced/trunk/

The key is the SpringSecuritySession class:

http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/session/SpringSecuritySession.java


On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson kent.lars...@gmail.com wrote:
 Integrating with jSecurity instead is really a last resort. If it is
 at all possible I wouldn't like to introduce more framework
 dependencies. That integration project seems a bit early to use as
 well, but it might be interesting in the future. Thanks for the link!

 Regarding Spring Security (SS). Is anyone integrating Wicket with SS
 on their own? I've read lots about SS now but I still find it hard to
 see what I need for a Wicket application.

 I got some tips at: 
 http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations

 But I still have lots of questions.
 - In the above link they are using a link and passing the information
 by GET. I would like to use POST, and I guess that shouldn't be a
 problem. Tell me if you see some?
 - I have to instruct SS to redirect a user to my own login page if
 (s)he tries to access something which requires authentication. How is
 that done?
 - When a user registers an account I guess I should pass something on
 to a servlet filter, similar to how authentication works?
 - Which servlet filters do you think I'll need?

 If I can just get someone to register and authenticate. Then I'll just
 use the instructions in SS documentation to get GrantedAuthority
 objects. I'll use these to show/hide things in Wicket pages as well as
 enable/disable other things. Does that sound like a good approach?

 If anyone has *any* tips I would be immensely grateful!! As I think
 this is quite complex and I'm new to Spring Security.

 Best regards,
 Kent


 On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley ryan...@gmail.com wrote:
 I have not used it (yet), but check:
 http://code.google.com/p/wicket-jsecurity/



 On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:

 Hm, I had some problems. Are there any examples out there for this?

 On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com
 wrote:

 Hi,

 Great answer! :-) I'll try to do that today.

 Best regards, Kent


 On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl
 wrote:

 Hi Kent,

 Go with something that enables authorization in the service layer (e.g.
 Spring Security, jSecurity, ...).

 Next base your custom wicket authorization on the authentication store of
 the chosen base technology. Spring Security uses a thread local as
 authentication store and has a servlet filter to copy the authenticated user
 to/from the session so that the authenticated user is handily available
 during a request and properly stored afterwards.

 Authentication itself can be implemented from Wicket in a custom way (e.g. a
 username/password form). On success you just store the authenticated user in
 the authentication store.

 Regards,
  Erik.


 Kent Larsson wrote:

 Hi,

 I know there has been some discussion on this. But I've had a hard
 time deciding how this project should use security anyway.

 The application in question is layered into three layers for
 presentation, services and persistence using Wicket, Spring and
 Hibernate.

 What we need:
 - Authentication
 - Authorization on pages, components
 - Authorization before being able to run methods in the service layer
 - Authorization for viewing/editing some domain objects using Access
 Control Lists (ACLs)

 I have read Wicket in Action and its custom security solution has some
 pros:
 - It's quite easy to understand
 - We have a lot of freedom in how to do authentication and authorization

 And some cons:
 - I don't know how to authorize calls of specific methods, and thus
 - All security will be in the presentation layer
 - It won't be usable if we want security on web services later (which
 we do not need now, so maybe this can be disregarded)

 It would be nice if we could have a common solution to our security
 needs that integrates well with Wicket and Spring. I know that the
 Auth Roles project is out there as well as Swarm. But I don't know
 which will meet our needs and which will most likely be an option to
 us when we later move to Wicket 1.4 or a higher version.

 Best regards,
 Kent




 --
 Erik van Oosten
 http://www.day-to-day-stuff.blogspot.com/





 

RE: Security in a Spring Wicket layered application

2009-03-10 Thread Kai Mütz
Kent Larsson mailto:kent.lars...@gmail.com wrote:
 Integrating with jSecurity instead is really a last resort. If it is
 at all possible I wouldn't like to introduce more framework
 dependencies. That integration project seems a bit early to use as
 well, but it might be interesting in the future. Thanks for the link!

 Regarding Spring Security (SS). Is anyone integrating Wicket with SS
 on their own? I've read lots about SS now but I still find it hard to
 see what I need for a Wicket application.

We are using Acegi and Wicket-auth-roles (1.3.5) similar to the WIKI
description:

http://cwiki.apache.org/WICKET/acegi-and-wicket-auth-roles.html

Have you read it?

But we do only:
- Authentication
- Authorization on pages, components

No Authorization on service layer. Are you interested in a small sample?

Cheers, Kai






Re: Security in a Spring Wicket layered application

2009-03-09 Thread Kent Larsson
Hi,

Great answer! :-) I'll try to do that today.

Best regards, Kent


On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl wrote:
 Hi Kent,

 Go with something that enables authorization in the service layer (e.g.
 Spring Security, jSecurity, ...).

 Next base your custom wicket authorization on the authentication store of
 the chosen base technology. Spring Security uses a thread local as
 authentication store and has a servlet filter to copy the authenticated user
 to/from the session so that the authenticated user is handily available
 during a request and properly stored afterwards.

 Authentication itself can be implemented from Wicket in a custom way (e.g. a
 username/password form). On success you just store the authenticated user in
 the authentication store.

 Regards,
   Erik.


 Kent Larsson wrote:

 Hi,

 I know there has been some discussion on this. But I've had a hard
 time deciding how this project should use security anyway.

 The application in question is layered into three layers for
 presentation, services and persistence using Wicket, Spring and
 Hibernate.

 What we need:
 - Authentication
 - Authorization on pages, components
 - Authorization before being able to run methods in the service layer
 - Authorization for viewing/editing some domain objects using Access
 Control Lists (ACLs)

 I have read Wicket in Action and its custom security solution has some
 pros:
 - It's quite easy to understand
 - We have a lot of freedom in how to do authentication and authorization

 And some cons:
 - I don't know how to authorize calls of specific methods, and thus
 - All security will be in the presentation layer
 - It won't be usable if we want security on web services later (which
 we do not need now, so maybe this can be disregarded)

 It would be nice if we could have a common solution to our security
 needs that integrates well with Wicket and Spring. I know that the
 Auth Roles project is out there as well as Swarm. But I don't know
 which will meet our needs and which will most likely be an option to
 us when we later move to Wicket 1.4 or a higher version.

 Best regards,
 Kent




 --
 Erik van Oosten
 http://www.day-to-day-stuff.blogspot.com/





Re: Security in a Spring Wicket layered application

2009-03-09 Thread Kent Larsson
Hm, I had some problems. Are there any examples out there for this?

On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com wrote:
 Hi,

 Great answer! :-) I'll try to do that today.

 Best regards, Kent


 On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl wrote:
 Hi Kent,

 Go with something that enables authorization in the service layer (e.g.
 Spring Security, jSecurity, ...).

 Next base your custom wicket authorization on the authentication store of
 the chosen base technology. Spring Security uses a thread local as
 authentication store and has a servlet filter to copy the authenticated user
 to/from the session so that the authenticated user is handily available
 during a request and properly stored afterwards.

 Authentication itself can be implemented from Wicket in a custom way (e.g. a
 username/password form). On success you just store the authenticated user in
 the authentication store.

 Regards,
   Erik.


 Kent Larsson wrote:

 Hi,

 I know there has been some discussion on this. But I've had a hard
 time deciding how this project should use security anyway.

 The application in question is layered into three layers for
 presentation, services and persistence using Wicket, Spring and
 Hibernate.

 What we need:
 - Authentication
 - Authorization on pages, components
 - Authorization before being able to run methods in the service layer
 - Authorization for viewing/editing some domain objects using Access
 Control Lists (ACLs)

 I have read Wicket in Action and its custom security solution has some
 pros:
 - It's quite easy to understand
 - We have a lot of freedom in how to do authentication and authorization

 And some cons:
 - I don't know how to authorize calls of specific methods, and thus
 - All security will be in the presentation layer
 - It won't be usable if we want security on web services later (which
 we do not need now, so maybe this can be disregarded)

 It would be nice if we could have a common solution to our security
 needs that integrates well with Wicket and Spring. I know that the
 Auth Roles project is out there as well as Swarm. But I don't know
 which will meet our needs and which will most likely be an option to
 us when we later move to Wicket 1.4 or a higher version.

 Best regards,
 Kent




 --
 Erik van Oosten
 http://www.day-to-day-stuff.blogspot.com/





Re: Security in a Spring Wicket layered application

2009-03-09 Thread Ryan McKinley

I have not used it (yet), but check:
http://code.google.com/p/wicket-jsecurity/



On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:


Hm, I had some problems. Are there any examples out there for this?

On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson kent.lars...@gmail.com wrote:

Hi,

Great answer! :-) I'll try to do that today.

Best regards, Kent


On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten e.vanoos...@grons.nl wrote:

Hi Kent,

Go with something that enables authorization in the service layer (e.g.
Spring Security, jSecurity, ...).

Next base your custom wicket authorization on the authentication store of
the chosen base technology. Spring Security uses a thread local as
authentication store and has a servlet filter to copy the authenticated user
to/from the session so that the authenticated user is handily available
during a request and properly stored afterwards.

Authentication itself can be implemented from Wicket in a custom way (e.g. a
username/password form). On success you just store the authenticated user in
the authentication store.

Regards,
  Erik.


Kent Larsson wrote:


Hi,

I know there has been some discussion on this. But I've had a hard
time deciding how this project should use security anyway.

The application in question is layered into three layers for
presentation, services and persistence using Wicket, Spring and
Hibernate.

What we need:
- Authentication
- Authorization on pages, components
- Authorization before being able to run methods in the service layer
- Authorization for viewing/editing some domain objects using Access
Control Lists (ACLs)

I have read Wicket in Action and its custom security solution has some pros:
- It's quite easy to understand
- We have a lot of freedom in how to do authentication and authorization

And some cons:
- I don't know how to authorize calls of specific methods, and thus
- All security will be in the presentation layer
- It won't be usable if we want security on web services later (which
we do not need now, so maybe this can be disregarded)

It would be nice if we could have a common solution to our security
needs that integrates well with Wicket and Spring. I know that the
Auth Roles project is out there as well as Swarm. But I don't know
which will meet our needs and which will most likely be an option to
us when we later move to Wicket 1.4 or a higher version.

Best regards,
Kent





--
Erik van Oosten
http://www.day-to-day-stuff.blogspot.com/





Security in a Spring Wicket layered application

2009-03-08 Thread Kent Larsson
Hi,

I know there has been some discussion on this. But I've had a hard
time deciding how this project should use security anyway.

The application in question is layered into three layers for
presentation, services and persistence using Wicket, Spring and
Hibernate.

What we need:
- Authentication
- Authorization on pages, components
- Authorization before being able to run methods in the service layer
- Authorization for viewing/editing some domain objects using Access
Control Lists (ACLs)

I have read Wicket in Action and its custom security solution has some pros:
- It's quite easy to understand
- We have a lot of freedom in how to do authentication and authorization

And some cons:
- I don't know how to authorize calls of specific methods, and thus
- All security will be in the presentation layer
- It won't be usable if we want security on web services later (which
we do not need now, so maybe this can be disregarded)

It would be nice if we could have a common solution to our security
needs that integrates well with Wicket and Spring. I know that the
Auth Roles project is out there as well as Swarm. But I don't know
which will meet our needs and which will most likely be an option to
us when we later move to Wicket 1.4 or a higher version.

Best regards,
Kent




Re: Security in a Spring Wicket layered application

2009-03-08 Thread Erik van Oosten

Hi Kent,

Go with something that enables authorization in the service layer (e.g. 
Spring Security, jSecurity, ...).


Next base your custom wicket authorization on the authentication store 
of the chosen base technology. Spring Security uses a thread local as 
authentication store and has a servlet filter to copy the authenticated 
user to/from the session so that the authenticated user is handily 
available during a request and properly stored afterwards.


Authentication itself can be implemented from Wicket in a custom way 
(e.g. a username/password form). On success you just store the 
authenticated user in the authentication store.


Regards,
   Erik.


Kent Larsson wrote:

Hi,

I know there has been some discussion on this. But I've had a hard
time deciding how this project should use security anyway.

The application in question is layered into three layers for
presentation, services and persistence using Wicket, Spring and
Hibernate.

What we need:
- Authentication
- Authorization on pages, components
- Authorization before being able to run methods in the service layer
- Authorization for viewing/editing some domain objects using Access
Control Lists (ACLs)

I have read Wicket in Action and its custom security solution has some pros:
- It's quite easy to understand
- We have a lot of freedom in how to do authentication and authorization

And some cons:
- I don't know how to authorize calls of specific methods, and thus
- All security will be in the presentation layer
- It won't be usable if we want security on web services later (which
we do not need now, so maybe this can be disregarded)

It would be nice if we could have a common solution to our security
needs that integrates well with Wicket and Spring. I know that the
Auth Roles project is out there as well as Swarm. But I don't know
which will meet our needs and which will most likely be an option to
us when we later move to Wicket 1.4 or a higher version.

Best regards,
Kent

  



--
Erik van Oosten
http://www.day-to-day-stuff.blogspot.com/
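
The approach Erik outlines above, and that James's pointer to a SpringSecuritySession class refers to, sketched as an added example that is not part of the thread and is not James's class: a Wicket session that authenticates through Spring Security and reads roles back from the same thread-local store the service layer checks. It assumes Wicket 1.5+ with wicket-auth-roles and wicket-spring, Spring Security 3.x to 5.x package names, and hypothetical names for the class, the bean and the AccountService interface.

```java
// Added example (not from the thread). Assumed stack: Wicket 1.5+ (wicket-auth-roles,
// wicket-spring with SpringComponentInjector installed) and Spring Security 3.x-5.x.
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.injection.Injector;
import org.apache.wicket.request.Request;
import org.apache.wicket.spring.injection.annot.SpringBean;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class SpringSecurityWebSession extends AuthenticatedWebSession {

    // Hypothetical bean name; it must match the AuthenticationManager in the Spring context.
    @SpringBean(name = "authenticationManager")
    private AuthenticationManager authenticationManager;

    public SpringSecurityWebSession(Request request) {
        super(request);
        Injector.get().inject(this); // a Session is not a Component, so inject explicitly
    }

    // Called by signIn(username, password) from a Wicket login form.
    @Override
    public boolean authenticate(String username, String password) {
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // "Store the authenticated user in the authentication store": the thread-local
            // SecurityContext. The Spring Security filter chain in web.xml is assumed to
            // copy it to and from the HTTP session around each request.
            SecurityContextHolder.getContext().setAuthentication(result);
            return result.isAuthenticated();
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            return false;
        }
    }

    // Page and component authorization (wicket-auth-roles) reads the same store.
    @Override
    public Roles getRoles() {
        Roles roles = new Roles();
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (isSignedIn() && current != null) {
            for (GrantedAuthority authority : current.getAuthorities()) {
                roles.add(authority.getAuthority());
            }
        }
        return roles;
    }

    @Override
    public void signOut() {
        super.signOut();
        SecurityContextHolder.clearContext();
    }
}

// Hypothetical service interface: the method check is enforced by Spring Security itself
// (method security must be enabled, e.g. secured-annotations="enabled"), so it holds
// even when a caller bypasses the Wicket pages.
interface AccountService {
    @Secured("ROLE_ADMIN")
    void closeAccount(long accountId);
}
```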

