Re: Security in a Spring & Wicket layered application

2009-04-06 Thread Eduardo Nunes
Are you using something else together with wicket-jsecurity? I saw the
example in the svn and there is no annotation based authorization or
something like this. How did you implement the authorization in your
(big) application?

Thanks,
Eduardo S. Nunes

On Tue, Mar 10, 2009 at 2:53 PM, Les Hazlewood  wrote:
> Hi Kent,
>
> Although it is early, I am using the wicket-jsecurity integration in one of
> my (big) projects.  It is working pretty well.  Feel free to ask questions -
> I'm happy to help along the way.
>
> Cheers,
>
> Les
> (JSecurity founder)
>
> On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson wrote:
>
>> Integrating with jSecurity instead is really a last resort. If it is
>> at all possible I wouldn't like to introduce more framework
>> dependencies. That integration project seems a bit early to use as
>> well, but it might be interesting in the future. Thanks for the link!
>>
>> Regarding Spring Security (SS). Is anyone integrating Wicket with SS
>> on their own? I've read lots about SS now but I still find it hard to
>> see what I need for a Wicket application.
>>
>> I got some tips at:
>> http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations
>>
>> But I still have lots of questions.
>> - In the above link they are using a link and passing the information
>> by GET. I would like to use POST, and I guess that shouldn't be a
>> problem. Tell me if you see some?
>> - I have to instruct SS to redirect a user to my own login page if
>> (s)he tries to access something which requires authentication. How is
>> that done?
>> - When a user registers an account I guess I should pass something on
>> to a servlet filter, similar to how authentication works?
>> - Which servlet filters do you think I'll need?
>>
>> If I can just get someone to register and authenticate. Then I'll just
>> use the instructions in SS documentation to get GrantedAuthority
>> objects. I'll use these to show/hide things in Wicket pages as well as
>> enable/disable other things. Does that sound like a good approach?
>>
>> If anyone has *any* tips I would be immensely grateful!! As I think
>> this is quite complex and I'm new to Spring Security.
>>
>> Best regards,
>> Kent
>>
>>
>> On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley  wrote:
>> > I have not used it (yet), but check:
>> > http://code.google.com/p/wicket-jsecurity/
>> >
>> >
>> >
>> > On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
>> >
>> >> Hm, I had some problems. Are there any examples out there for this?
>> >>
>> >> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson 
>> >> wrote:
>> >>>
>> >>> Hi,
>> >>>
>> >>> Great answer! :-) I'll try to do that today.
>> >>>
>> >>> Best regards, Kent
>> >>>
>> >>>
>> >>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten 
>> >>> wrote:
>> >>>>
>> >>>> Hi Kent,
>> >>>>
>> >>>> Go with something that enables authorization in the service layer
>> >>>> (e.g.
>> >>>> Spring Security, jSecurity, ...).
>> >>>>
>> >>>> Next base your custom wicket authorization on the authentication store
>> >>>> of
>> >>>> the chosen base technology. Spring Security uses a thread local as
>> >>>> authentication store and has a servlet filter to copy the
>> >>>> authenticated
>> >>>> user
>> >>>> to/from the session so that the authenticated user is handily
>> >>>> available
>> >>>> during a request and properly stored afterwards.
>> >>>>
>> >>>> Authentication itself can be implemented from Wicket in a custom way
>> >>>> (e.g. a
>> >>>> username/password form). On success you just store the authenticated
>> >>>> user in
>> >>>> the authentication store.
>> >>>>
>> >>>> Regards,
>> >>>>  Erik.
>> >>>>
>> >>>>
>> >>>> Kent Larsson wrote:
>> >>>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> I know there has been some discussion on this. But I've had a hard
>> >>>>> time deciding how this project should use security anyway.
>> >>>>>
>> >>>>> The application in question is layered into three layers for
>> >>>>> presentation, services and persistence using Wicket, Spring and
>> >>>>> Hibernate.
>> >>>>>
>> >>>>> What we need:
>> >>>>> - Authentication
>> >>>>> - Authorization on pages, components
>> >>>>> - Authorization before being able to run methods in the service layer
>> >>>>> - Authorization for viewing/editing some domain objects using Access
>> >>>>> Control List's (ACL's)
>> >>>>>
>> >>>>> I have read Wicket in Action and its custom security solution has
>> >>>>> some
>> >>>>> pros:
>> >>>>> - It's quite easy to understand
>> >>>>> - We have a lot of freedom in how to do authentication and
>> >>>>> authorization
>> >>>>>
>> >>>>> And some cons:
>> >>>>> - I don't know how to authorize calls of specific methods, and thus
>> >>>>> - All security will be in the presentation layer
>> >>>>> - It won't be usable if we want security on web services later (which
>> >>>>> we do not need now, so maybe this can be disregarded)
>> >>>>>
>> >>>>> It would be nice if we could have a common solution to our security
>> >>>>> needs that integrates well with Wicket and Spring. I know that the
>> >>>>> Auth Ro

Re: Security in a Spring & Wicket layered application

2009-03-13 Thread Daniele Dellafiore
We just finished (yesterday) implementing authorization in a Wicket app.

Basically, we ended up with an integration of WASP, Spring Security and a
little bit of SWARM with a home-made User-Group-Permission mechanism
that is really simple and string based, and persisted in the DB (via
Hibernate).

We have an implementation of WaspAuthorizationStrategy with basically
login, logoff and this other method implemented:

    @Override
    public boolean isComponentAuthorized(Component component, WaspAction action) {
        if (component instanceof SecureWebPage) {
            return isUserAuthenticated();
        }
        return checkPermission(component, action);
    }

In our app, an authenticated user can see all pages (hence the first if),
but some components can have further restrictions, so there is the
second method that goes into our custom permission check. In that
method, we ask Spring for the Authentication in the session, so we get the
User (a custom class) and from there we can check permissions.

If you are interested, I can write a more specific essay on our implementation.

I am happy with that because it integrates with Wicket and Spring
Security using some of the mechanisms and facilities but without being a
slave of the framework, so the granularity of authorization is
completely domain-side and so are the permission definitions.

In the end, to define a permission on a button you now just need to
change a Button to a SecureButton (that has a very trivial
implementation). Then we create a Permission in the DB (a string) for
that button in some specific Page and assign the Permission to some
group. That's it.

We stayed away from SWARM and its hive, replacing it with a simpler
home-made mechanism. We just use the SwarmAction to have the "access,
render, enable" granularity for components already built in.
Permission implements the Spring Security interface called
GrantedAuthority, which is what the Spring guys call permissions. In
fact, both are just a string and we are perfectly integrated.

For the point:
. Authorization before being able to run methods in the service layer

I think that Spring Security is the way to go, it allows using AOP to
restrict a method call, with also filtering and so on. I have not actually
had the chance to experiment with it, but I know it can for sure :)

On Sun, Mar 8, 2009 at 5:20 PM, Kent Larsson  wrote:
> Hi,
>
> I know there has been some discussion on this. But I've had a hard
> time deciding how this project should use security anyway.
>
> The application in question is layered into three layers for
> presentation, services and persistence using Wicket, Spring and
> Hibernate.
>
> What we need:
> - Authentication
> - Authorization on pages, components
> - Authorization before being able to run methods in the service layer
> - Authorization for viewing/editing some domain objects using Access
> Control List's (ACL's)
>
> I have read Wicket in Action and its custom security solution has some pros:
> - It's quite easy to understand
> - We have a lot of freedom in how to do authentication and authorization
>
> And some cons:
> - I don't know how to authorize calls of specific methods, and thus
> - All security will be in the presentation layer
> - It won't be usable if we want security on web services later (which
> we do not need now, so maybe this can be disregarded)
>
> It would be nice if we could have a common solution to our security
> needs that integrates well with Wicket and Spring. I know that the
> Auth Roles project is out there as well as Swarm. But I don't know
> which will meet our needs and which will most likely be an option to
> us when we later move to Wicket 1.4 or a higher version.
>
> Best regards,
> Kent
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>



-- 
Daniele Dellafiore
http://blog.ildella.net/
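
Added example, not part of the message above and not code from WASP, SWARM or Spring Security: a framework-free Java model of the string-based User-Group-Permission check Daniele describes, with the same authentication store consulted again at the service layer as Erik recommends. All names (PermissionDemo, AuthStore, OrderService, the "page:component:action" permission format) are hypothetical, and the ThreadLocal stands in for the framework's per-request authentication store.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class PermissionDemo {

    // The three granularities the post takes from SwarmAction.
    enum Action { ACCESS, RENDER, ENABLE }

    // A group holds plain permission strings, as they would be stored in the DB.
    static final class Group {
        final Set<String> permissions;
        Group(String... permissions) { this.permissions = new HashSet<>(Arrays.asList(permissions)); }
    }

    static final class User {
        final String name;
        final List<Group> groups;
        User(String name, Group... groups) { this.name = name; this.groups = Arrays.asList(groups); }
        boolean has(String permission) {
            for (Group g : groups) {
                if (g.permissions.contains(permission)) return true;
            }
            return false;
        }
    }

    // Stand-in for the per-request authentication store (a thread local).
    static final class AuthStore {
        private static final ThreadLocal<User> CURRENT = new ThreadLocal<>();
        static void set(User user) { CURRENT.set(user); }
        static User get() { return CURRENT.get(); }
        static void clear() { CURRENT.remove(); }
    }

    // Minimal stand-in for a UI component; pages are visible to any authenticated user.
    static final class Component {
        final String page; final String id; final boolean isPage;
        Component(String page, String id, boolean isPage) { this.page = page; this.id = id; this.isPage = isPage; }
    }

    // Constructed permission format: "<page>:<component id>:<action>".
    static String permissionFor(Component c, Action a) {
        return c.page + ":" + c.id + ":" + a;
    }

    // Presentation-layer check, same shape as isComponentAuthorized in the post.
    static boolean isComponentAuthorized(Component c, Action a) {
        User user = AuthStore.get();
        if (user == null) return false;          // not authenticated: deny
        if (c.isPage) return true;               // any authenticated user sees pages
        return user.has(permissionFor(c, a));    // no matching permission string: deny
    }

    // Service-layer check: does not trust that the button was hidden or disabled.
    static final class OrderService {
        static final String DELETE = "OrderService:deleteOrder";
        String deleteOrder(long orderId) {
            User user = AuthStore.get();
            if (user == null || !user.has(DELETE)) {
                throw new SecurityException("denied: " + DELETE);
            }
            return "order " + orderId + " deleted by " + user.name;
        }
    }

    // Runs one simulated request as the given user and reports what was allowed.
    static String handleRequest(User user, Component button, OrderService service) {
        AuthStore.set(user);
        try {
            boolean enabled = isComponentAuthorized(button, Action.ENABLE);
            String result;
            try {
                result = service.deleteOrder(42L);
            } catch (SecurityException e) {
                result = e.getMessage();
            }
            return "button enabled=" + enabled + ", service: " + result;
        } finally {
            AuthStore.clear();   // pooled threads must not carry the user into the next request
        }
    }

    public static void main(String[] args) {
        Component deleteButton = new Component("OrderPage", "deleteButton", false);
        Group admins = new Group("OrderPage:deleteButton:ENABLE", OrderService.DELETE);
        // Constructed misconfiguration: UI permission granted, service permission not.
        Group helpdesk = new Group("OrderPage:deleteButton:ENABLE");
        OrderService service = new OrderService();

        System.out.println(handleRequest(new User("alice", admins), deleteButton, service));
        System.out.println(handleRequest(new User("bob", helpdesk), deleteButton, service));
        System.out.println(handleRequest(null, deleteButton, service));
    }
}
```

The second request is the case the thread is concerned with: the button is enabled for the user, yet the service call is still refused because the service layer makes its own decision from the same store.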




Re: Security in a Spring & Wicket layered application

2009-03-12 Thread James Carman
Mr. Larsson,

Thank you for your kind words and I'm sorry you had so much trouble
getting the project to run.  Those Sun licensing issues are annoying
to all of us maven users.  However, I would urge you to try running
the project with either mvn jetty:run or using the Start class that's
included in the test directory.  Those should both work (assuming your
classpaths get setup in eclipse properly).

James

On Thu, Mar 12, 2009 at 7:13 PM, Kent Larsson  wrote:
> By looking at the source code it looked very nice (and you're right
> about complex, but of course you are doing lots of important things so
> it's hard not to have something complex) to me. You seem to be very
> knowledgeable.
>
> I didn't get it working in Eclipse though. I did a svn co <path you gave me>, and then I tried mvn eclipse:eclipse. It complained
> about missing jta.jar and failed, I fixed it (I think it's a license
> problem so it doesn't get downloaded by Maven) and could run mvn
> eclipse:eclipse successfully.
>
> I imported the project into my workspace in Eclipse, added my Tomcat
> server under the Servers tab. But the project was of wrong type (I
> think), so I couldn't add the project to be deployed in my server from
> Eclipse. Then I tried creating the war-file by mvn war:war, it worked
> and I did a deploy by copy. But it wouldn't start.
>
> Best regards,
> Kent
>
> On Tue, Mar 10, 2009 at 7:25 PM, James Carman
>  wrote:
>> My wicket-advanced demo code integrates Spring Security and Wicket
>> using wicket-auth-roles:
>>
>> http://svn.carmanconsulting.com/public/wicket-advanced/trunk/
>>
>> The key is the SpringSecuritySession class:
>>
>> http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/session/SpringSecuritySession.java
>>
>>
>> On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson  wrote:
>>> Integrating with jSecurity instead is really a last resort. If it is
>>> at all possible I wouldn't like to introduce more framework
>>> dependencies. That integration project seems a bit early to use as
>>> well, but it might be interesting in the future. Thanks for the link!
>>>
>>> Regarding Spring Security (SS). Is anyone integrating Wicket with SS
>>> on their own? I've read lots about SS now but I still find it hard to
>>> see what I need for a Wicket application.
>>>
>>> I got some tips at: 
>>> http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations
>>>
>>> But I still have lots of questions.
>>> - In the above link they are using a link and passing the information
>>> by GET. I would like to use POST, and I guess that shouldn't be a
>>> problem. Tell me if you see some?
>>> - I have to instruct SS to redirect a user to my own login page if
>>> (s)he tries to access something which requires authentication. How is
>>> that done?
>>> - When a user registers an account I guess I should pass something on
>>> to a servlet filter, similar to how authentication works?
>>> - Which servlet filters do you think I'll need?
>>>
>>> If I can just get someone to register and authenticate. Then I'll just
>>> use the instructions in SS documentation to get GrantedAuthority
>>> objects. I'll use these to show/hide things in Wicket pages as well as
>>> enable/disable other things. Does that sound like a good approach?
>>>
>>> If anyone has *any* tips I would be immensely grateful!! As I think
>>> this is quite complex and I'm new to Spring Security.
>>>
>>> Best regards,
>>> Kent
>>>
>>>
>>> On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley  wrote:
>>>> I have not used it (yet), but check:
>>>> http://code.google.com/p/wicket-jsecurity/
>>>>
>>>>
>>>>
>>>> On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
>>>>
>>>>> Hm, I had some problems. Are there any examples out there for this?
>>>>>
>>>>> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson
>>>>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Great answer! :-) I'll try to do that today.
>>>>>>
>>>>>> Best regards, Kent
>>>>>>
>>>>>>
>>>>>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten
>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Kent,
>>>>>>>
>>>>>>> Go with something that enables authorization in the service layer (e.g.
>>>>>>> Spring Security, jSecurity, ...).
>>>>>>>
>>>>>>> Next base your custom wicket authorization on the authentication store
>>>>>>> of
>>>>>>> the chosen base technology. Spring Security uses a thread local as
>>>>>>> authentication store and has a servlet filter to copy the authenticated
>>>>>>> user
>>>>>>> to/from the session so that the authenticated user is handily available
>>>>>>> during a request and properly stored afterwards.
>>>>>>>
>>>>>>> Authentication itself can be implemented from Wicket in a custom way
>>>>>>> (e.g. a
>>>>>>> username/password form). On success you just store the authenticated
>>>>>>> user in
>>>>>>> the authentication store.
>>>>>>>
>>>>>>> Regards,
>>>>>>>  Erik.
>>>>>>>
>>>>>>>
>>>>>>> Kent Larsson wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I know there has been some discussion on this. But

Re: Security in a Spring & Wicket layered application

2009-03-12 Thread Kent Larsson
Hi Les,

After looking at the JUG JSecurity Presentation of jSecurity I'm
certainly interested in the project. For my next project I'll have to
look into jSecurity. Keep up the good work!

Best regards,
Kent

On Tue, Mar 10, 2009 at 6:53 PM, Les Hazlewood  wrote:
> Hi Kent,
>
> Although it is early, I am using the wicket-jsecurity integration in one of
> my (big) projects.  It is working pretty well.  Feel free to ask questions -
> I'm happy to help along the way.
>
> Cheers,
>
> Les
> (JSecurity founder)
>
> On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson wrote:
>
>> Integrating with jSecurity instead is really a last resort. If it is
>> at all possible I wouldn't like to introduce more framework
>> dependencies. That integration project seems a bit early to use as
>> well, but it might be interesting in the future. Thanks for the link!
>>
>> Regarding Spring Security (SS). Is anyone integrating Wicket with SS
>> on their own? I've read lots about SS now but I still find it hard to
>> see what I need for a Wicket application.
>>
>> I got some tips at:
>> http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations
>>
>> But I still have lots of questions.
>> - In the above link they are using a link and passing the information
>> by GET. I would like to use POST, and I guess that shouldn't be a
>> problem. Tell me if you see some?
>> - I have to instruct SS to redirect a user to my own login page if
>> (s)he tries to access something which requires authentication. How is
>> that done?
>> - When a user registers an account I guess I should pass something on
>> to a servlet filter, similar to how authentication works?
>> - Which servlet filters do you think I'll need?
>>
>> If I can just get someone to register and authenticate. Then I'll just
>> use the instructions in SS documentation to get GrantedAuthority
>> objects. I'll use these to show/hide things in Wicket pages as well as
>> enable/disable other things. Does that sound like a good approach?
>>
>> If anyone has *any* tips I would be immensely grateful!! As I think
>> this is quite complex and I'm new to Spring Security.
>>
>> Best regards,
>> Kent
>>
>>
>> On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley  wrote:
>> > I have not used it (yet), but check:
>> > http://code.google.com/p/wicket-jsecurity/
>> >
>> >
>> >
>> > On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
>> >
>> >> Hm, I had some problems. Are there any examples out there for this?
>> >>
>> >> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson 
>> >> wrote:
>> >>>
>> >>> Hi,
>> >>>
>> >>> Great answer! :-) I'll try to do that today.
>> >>>
>> >>> Best regards, Kent
>> >>>
>> >>>
>> >>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten 
>> >>> wrote:
>> >>>>
>> >>>> Hi Kent,
>> >>>>
>> >>>> Go with something that enables authorization in the service layer
>> >>>> (e.g.
>> >>>> Spring Security, jSecurity, ...).
>> >>>>
>> >>>> Next base your custom wicket authorization on the authentication store
>> >>>> of
>> >>>> the chosen base technology. Spring Security uses a thread local as
>> >>>> authentication store and has a servlet filter to copy the
>> >>>> authenticated
>> >>>> user
>> >>>> to/from the session so that the authenticated user is handily
>> >>>> available
>> >>>> during a request and properly stored afterwards.
>> >>>>
>> >>>> Authentication itself can be implemented from Wicket in a custom way
>> >>>> (e.g. a
>> >>>> username/password form). On success you just store the authenticated
>> >>>> user in
>> >>>> the authentication store.
>> >>>>
>> >>>> Regards,
>> >>>>  Erik.
>> >>>>
>> >>>>
>> >>>> Kent Larsson wrote:
>> >>>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> I know there has been some discussion on this. But I've had a hard
>> >>>>> time deciding how this project should use security anyway.
>> >>>>>
>> >>>>> The application in question is layered into three layers for
>> >>>>> presentation, services and persistence using Wicket, Spring and
>> >>>>> Hibernate.
>> >>>>>
>> >>>>> What we need:
>> >>>>> - Authentication
>> >>>>> - Authorization on pages, components
>> >>>>> - Authorization before being able to run methods in the service layer
>> >>>>> - Authorization for viewing/editing some domain objects using Access
>> >>>>> Control List's (ACL's)
>> >>>>>
>> >>>>> I have read Wicket in Action and its custom security solution has
>> >>>>> some
>> >>>>> pros:
>> >>>>> - It's quite easy to understand
>> >>>>> - We have a lot of freedom in how to do authentication and
>> >>>>> authorization
>> >>>>>
>> >>>>> And some cons:
>> >>>>> - I don't know how to authorize calls of specific methods, and thus
>> >>>>> - All security will be in the presentation layer
>> >>>>> - It won't be usable if we want security on web services later (which
>> >>>>> we do not need now, so maybe this can be disregarded)
>> >>>>>
>> >>>>> It would be nice if we could have a common solution to our security
>> >>>>> needs that integrates well with Wicket and Spring. I know that the
>> >>>>> Auth Roles project is out there as well as Swarm. But

Re: Security in a Spring & Wicket layered application

2009-03-12 Thread Kent Larsson
By looking at the source code it looked very nice (and you're right
about complex, but of course you are doing lots of important things so
it's hard not to have something complex) to me. You seem to be very
knowledgeable.

I didn't get it working in Eclipse though. I did a svn co <path you gave me>, and then I tried mvn eclipse:eclipse. It complained
about missing jta.jar and failed, I fixed it (I think it's a license
problem so it doesn't get downloaded by Maven) and could run mvn
eclipse:eclipse successfully.

I imported the project into my workspace in Eclipse, added my Tomcat
server under the Servers tab. But the project was of wrong type (I
think), so I couldn't add the project to be deployed in my server from
Eclipse. Then I tried creating the war-file by mvn war:war, it worked
and I did a deploy by copy. But it wouldn't start.

Best regards,
Kent

On Tue, Mar 10, 2009 at 7:25 PM, James Carman
 wrote:
> My wicket-advanced demo code integrates Spring Security and Wicket
> using wicket-auth-roles:
>
> http://svn.carmanconsulting.com/public/wicket-advanced/trunk/
>
> The key is the SpringSecuritySession class:
>
> http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/session/SpringSecuritySession.java
>
>
> On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson  wrote:
>> Integrating with jSecurity instead is really a last resort. If it is
>> at all possible I wouldn't like to introduce more framework
>> dependencies. That integration project seems a bit early to use as
>> well, but it might be interesting in the future. Thanks for the link!
>>
>> Regarding Spring Security (SS). Is anyone integrating Wicket with SS
>> on their own? I've read lots about SS now but I still find it hard to
>> see what I need for a Wicket application.
>>
>> I got some tips at: 
>> http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations
>>
>> But I still have lots of questions.
>> - In the above link they are using a link and passing the information
>> by GET. I would like to use POST, and I guess that shouldn't be a
>> problem. Tell me if you see some?
>> - I have to instruct SS to redirect a user to my own login page if
>> (s)he tries to access something which requires authentication. How is
>> that done?
>> - When a user registers an account I guess I should pass something on
>> to a servlet filter, similar to how authentication works?
>> - Which servlet filters do you think I'll need?
>>
>> If I can just get someone to register and authenticate. Then I'll just
>> use the instructions in SS documentation to get GrantedAuthority
>> objects. I'll use these to show/hide things in Wicket pages as well as
>> enable/disable other things. Does that sound like a good approach?
>>
>> If anyone has *any* tips I would be immensely grateful!! As I think
>> this is quite complex and I'm new to Spring Security.
>>
>> Best regards,
>> Kent
>>
>>
>> On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley  wrote:
>>> I have not used it (yet), but check:
>>> http://code.google.com/p/wicket-jsecurity/
>>>
>>>
>>>
>>> On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
>>>
>>>> Hm, I had some problems. Are there any examples out there for this?
>>>>
>>>> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson
>>>> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Great answer! :-) I'll try to do that today.
>>>>>
>>>>> Best regards, Kent
>>>>>
>>>>>
>>>>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten
>>>>> wrote:
>>>>>>
>>>>>> Hi Kent,
>>>>>>
>>>>>> Go with something that enables authorization in the service layer (e.g.
>>>>>> Spring Security, jSecurity, ...).
>>>>>>
>>>>>> Next base your custom wicket authorization on the authentication store
>>>>>> of
>>>>>> the chosen base technology. Spring Security uses a thread local as
>>>>>> authentication store and has a servlet filter to copy the authenticated
>>>>>> user
>>>>>> to/from the session so that the authenticated user is handily available
>>>>>> during a request and properly stored afterwards.
>>>>>>
>>>>>> Authentication itself can be implemented from Wicket in a custom way
>>>>>> (e.g. a
>>>>>> username/password form). On success you just store the authenticated
>>>>>> user in
>>>>>> the authentication store.
>>>>>>
>>>>>> Regards,
>>>>>>  Erik.
>>>>>>
>>>>>>
>>>>>> Kent Larsson wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I know there has been some discussion on this. But I've had a hard
>>>>>>> time deciding how this project should use security anyway.
>>>>>>>
>>>>>>> The application in question is layered into three layers for
>>>>>>> presentation, services and persistence using Wicket, Spring and
>>>>>>> Hibernate.
>>>>>>>
>>>>>>> What we need:
>>>>>>> - Authentication
>>>>>>> - Authorization on pages, components
>>>>>>> - Authorization before being able to run methods in the service layer
>>>>>>> - Authorization for viewing/editing some domain objects using Access
>>>>>>> Control List's (ACL's)
>>>>>>>
>>>>>>> I have read Wicket in Action and its custom security solution h

Re: Security in a Spring & Wicket layered application

2009-03-12 Thread Kent Larsson
Hi Kai,

I'm setting up auth roles, it's going pretty well. Although I've had
some problems when I followed
http://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html
to the letter, it might be a typo in there or else it was me doing
something wrong.

Is there a home page for the auth roles project? I Googled a bit
without finding any.

I would be very interested in a small example if you have some time to give one!

Best regards,
Kent



On Tue, Mar 10, 2009 at 7:33 PM, Kai Mütz  wrote:
> We are using Acegi and Wicket-auth-roles (1.3.5) similar to the WIKI
> description:
>
> http://cwiki.apache.org/WICKET/acegi-and-wicket-auth-roles.html
>
> Have you read it?
>
> But we do only:
> - Authentication
> - Authorization on pages, components
>
> No Authorization on service layer. Are you interested in a small sample?
>
> Cheers, Kai




RE: Security in a Spring & Wicket layered application

2009-03-10 Thread Kai Mütz
Kent Larsson  wrote:
> Integrating with jSecurity instead is really a last resort. If it is
> at all possible I wouldn't like to introduce more framework
> dependencies. That integration project seems a bit early to use as
> well, but it might be interesting in the future. Thanks for the link!
>
> Regarding Spring Security (SS). Is anyone integrating Wicket with SS
> on their own? I've read lots about SS now but I still find it hard to
> see what I need for a Wicket application.

We are using Acegi and Wicket-auth-roles (1.3.5) similar to the WIKI
description:

http://cwiki.apache.org/WICKET/acegi-and-wicket-auth-roles.html

Have you read it?

But we do only:
- Authentication
- Authorization on pages, components

No Authorization on service layer. Are you interested in a small sample?

Cheers, Kai






Re: Security in a Spring & Wicket layered application

2009-03-10 Thread James Carman
My wicket-advanced demo code integrates Spring Security and Wicket
using wicket-auth-roles:

http://svn.carmanconsulting.com/public/wicket-advanced/trunk/

The key is the SpringSecuritySession class:

http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/session/SpringSecuritySession.java


On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson  wrote:
> Integrating with jSecurity instead is really a last resort. If it is
> at all possible I wouldn't like to introduce more framework
> dependencies. That integration project seems a bit early to use as
> well, but it might be interesting in the future. Thanks for the link!
>
> Regarding Spring Security (SS). Is anyone integrating Wicket with SS
> on their own? I've read lots about SS now but I still find it hard to
> see what I need for a Wicket application.
>
> I got some tips at: 
> http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations
>
> But I still have lots of questions.
> - In the above link they are using a link and passing the information
> by GET. I would like to use POST, and I guess that shouldn't be a
> problem. Tell me if you see some?
> - I have to instruct SS to redirect a user to my own login page if
> (s)he tries to access something which requires authentication. How is
> that done?
> - When a user registers an account I guess I should pass something on
> to a servlet filter, similar to how authentication works?
> - Which servlet filters do you think I'll need?
>
> If I can just get someone to register and authenticate. Then I'll just
> use the instructions in SS documentation to get GrantedAuthority
> objects. I'll use these to show/hide things in Wicket pages as well as
> enable/disable other things. Does that sound like a good approach?
>
> If anyone has *any* tips I would be immensely grateful!! As I think
> this is quite complex and I'm new to Spring Security.
>
> Best regards,
> Kent
>
>
> On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley  wrote:
>> I have not used it (yet), but check:
>> http://code.google.com/p/wicket-jsecurity/
>>
>>
>>
>> On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
>>
>>> Hm, I had some problems. Are there any examples out there for this?
>>>
>>> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson 
>>> wrote:

>>>> Hi,
>>>>
>>>> Great answer! :-) I'll try to do that today.
>>>>
>>>> Best regards, Kent
>>>>
>>>>
>>>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten
>>>> wrote:
>>>>>
>>>>> Hi Kent,
>>>>>
>>>>> Go with something that enables authorization in the service layer (e.g.
>>>>> Spring Security, jSecurity, ...).
>>>>>
>>>>> Next base your custom wicket authorization on the authentication store
>>>>> of
>>>>> the chosen base technology. Spring Security uses a thread local as
>>>>> authentication store and has a servlet filter to copy the authenticated
>>>>> user
>>>>> to/from the session so that the authenticated user is handily available
>>>>> during a request and properly stored afterwards.
>>>>>
>>>>> Authentication itself can be implemented from Wicket in a custom way
>>>>> (e.g. a
>>>>> username/password form). On success you just store the authenticated
>>>>> user in
>>>>> the authentication store.
>>>>>
>>>>> Regards,
>>>>>  Erik.
>>>>>
>>>>>
>>>>> Kent Larsson wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I know there has been some discussion on this. But I've had a hard
>>>>>> time deciding how this project should use security anyway.
>>>>>>
>>>>>> The application in question is layered into three layers for
>>>>>> presentation, services and persistence using Wicket, Spring and
>>>>>> Hibernate.
>>>>>>
>>>>>> What we need:
>>>>>> - Authentication
>>>>>> - Authorization on pages, components
>>>>>> - Authorization before being able to run methods in the service layer
>>>>>> - Authorization for viewing/editing some domain objects using Access
>>>>>> Control List's (ACL's)
>>>>>>
>>>>>> I have read Wicket in Action and its custom security solution has some
>>>>>> pros:
>>>>>> - It's quite easy to understand
>>>>>> - We have a lot of freedom in how to do authentication and
>>>>>> authorization
>>>>>>
>>>>>> And some cons:
>>>>>> - I don't know how to authorize calls of specific methods, and thus
>>>>>> - All security will be in the presentation layer
>>>>>> - It won't be usable if we want security on web services later (which
>>>>>> we do not need now, so maybe this can be disregarded)
>>>>>>
>>>>>> It would be nice if we could have a common solution to our security
>>>>>> needs that integrates well with Wicket and Spring. I know that the
>>>>>> Auth Roles project is out there as well as Swarm. But I don't know
>>>>>> which will meet our needs and which will most likely be an option to
>>>>>> us when we later move to Wicket 1.4 or a higher version.
>>>>>>
>>>>>> Best regards,
>>>>>> Kent
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Erik van Oosten
>>>>> http://www.day-to-day-stuff.blogspot.com/
>>>>>
>>>>>
>>>>> -

Re: Security in a Spring & Wicket layered application

2009-03-10 Thread Les Hazlewood
Hi Kent,

Although it is early, I am using the wicket-jsecurity integration in one of
my (big) projects.  It is working pretty well.  Feel free to ask questions -
I'm happy to help along the way.

Cheers,

Les
(JSecurity founder)

On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson wrote:

> Integrating with jSecurity instead is really a last resort. If it is
> at all possible I wouldn't like to introduce more framework
> dependencies. That integration project seems a bit early to use as
> well, but it might be interesting in the future. Thanks for the link!
>
> Regarding Spring Security (SS). Is anyone integrating Wicket with SS
> on their own? I've read lots about SS now but I still find it hard to
> see what I need for a Wicket application.
>
> I got some tips at:
> http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations
>
> But I still have lots of questions.
> - In the above link they are using a link and passing the information
> by GET. I would like to use POST, and I guess that shouldn't be a
> problem. Tell me if you see some?
> - I have to instruct SS to redirect a user to my own login page if
> (s)he tries to access something which requires authentication. How is
> that done?
> - When a user registers an account I guess I should pass something on
> to a servlet filter, similar to how authentication works?
> - Which servlet filters do you think I'll need?
>
> If I can just get someone to register and authenticate. Then I'll just
> use the instructions in SS documentation to get GrantedAuthority
> objects. I'll use these to show/hide things in Wicket pages as well as
> enable/disable other things. Does that sound like a good approach?
>
> If anyone has *any* tips I would be immensely grateful!! As I think
> this is quite complex and I'm new to Spring Security.
>
> Best regards,
> Kent
>
>
> On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley wrote:
> > I have not used it (yet), but check:
> > http://code.google.com/p/wicket-jsecurity/
> >
> >
> >
> > On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
> >
> >> Hm, I had some problems. Are there any examples out there for this?
> >>
> >> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson wrote:
> >>>
> >>> Hi,
> >>>
> >>> Great answer! :-) I'll try to do that today.
> >>>
> >>> Best regards, Kent
> >>>
> >>>
> >>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten wrote:
> >>>>
> >>>> Hi Kent,
> >>>>
> >>>> Go with something that enables authorization in the service layer (e.g.
> >>>> Spring Security, jSecurity, ...).
> >>>>
> >>>> Next base your custom wicket authorization on the authentication store of
> >>>> the chosen base technology. Spring Security uses a thread local as
> >>>> authentication store and has a servlet filter to copy the authenticated user
> >>>> to/from the session so that the authenticated user is handily available
> >>>> during a request and properly stored afterwards.
> >>>>
> >>>> Authentication itself can be implemented from Wicket in a custom way (e.g. a
> >>>> username/password form). On success you just store the authenticated user in
> >>>> the authentication store.
> >>>>
> >>>> Regards,
> >>>>   Erik.
> >>>>
> >>>>
> >>>> Kent Larsson wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I know there has been some discussion on this. But I've had a hard
> >>>>> time deciding how this project should use security anyway.
> >>>>>
> >>>>> The application in question is layered into three layers for
> >>>>> presentation, services and persistence using Wicket, Spring and
> >>>>> Hibernate.
> >>>>>
> >>>>> What we need:
> >>>>> - Authentication
> >>>>> - Authorization on pages, components
> >>>>> - Authorization before being able to run methods in the service layer
> >>>>> - Authorization for viewing/editing some domain objects using Access
> >>>>> Control Lists (ACLs)
> >>>>>
> >>>>> I have read Wicket in Action and its custom security solution has some
> >>>>> pros:
> >>>>> - It's quite easy to understand
> >>>>> - We have a lot of freedom in how to do authentication and
> >>>>> authorization
> >>>>>
> >>>>> And some cons:
> >>>>> - I don't know how to authorize calls of specific methods, and thus
> >>>>> - All security will be in the presentation layer
> >>>>> - It won't be usable if we want security on web services later (which
> >>>>> we do not need now, so maybe this can be disregarded)
> >>>>>
> >>>>> It would be nice if we could have a common solution to our security
> >>>>> needs that integrates well with Wicket and Spring. I know that the
> >>>>> Auth Roles project is out there as well as Swarm. But I don't know
> >>>>> which will meet our needs and which will most likely be an option to
> >>>>> us when we later move to Wicket 1.4 or a higher version.
> >>>>>
> >>>>> Best regards,
> >>>>> Kent
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Erik van Oosten
> >>>> http://www.day-to-day-stuff.blogspot.com/

Re: Security in a Spring & Wicket layered application

2009-03-10 Thread Kent Larsson
Integrating with jSecurity instead is really a last resort. If it is
at all possible I wouldn't like to introduce more framework
dependencies. That integration project seems a bit early to use as
well, but it might be interesting in the future. Thanks for the link!

Regarding Spring Security (SS). Is anyone integrating Wicket with SS
on their own? I've read lots about SS now but I still find it hard to
see what I need for a Wicket application.

I got some tips at: http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations

But I still have lots of questions.
- In the above link they are using a link and passing the information
by GET. I would like to use POST, and I guess that shouldn't be a
problem. Tell me if you see some?
- I have to instruct SS to redirect a user to my own login page if
(s)he tries to access something which requires authentication. How is
that done?
- When a user registers an account I guess I should pass something on
to a servlet filter, similar to how authentication works?
- Which servlet filters do you think I'll need?

If I can just get someone to register and authenticate. Then I'll just
use the instructions in SS documentation to get GrantedAuthority
objects. I'll use these to show/hide things in Wicket pages as well as
enable/disable other things. Does that sound like a good approach?

If anyone has *any* tips I would be immensely grateful!! As I think
this is quite complex and I'm new to Spring Security.

Best regards,
Kent


On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley wrote:
> I have not used it (yet), but check:
> http://code.google.com/p/wicket-jsecurity/
>
>
>
> On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:
>
>> Hm, I had some problems. Are there any examples out there for this?
>>
>> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson wrote:
>>>
>>> Hi,
>>>
>>> Great answer! :-) I'll try to do that today.
>>>
>>> Best regards, Kent
>>>
>>>
>>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten wrote:
>>>>
>>>> Hi Kent,
>>>>
>>>> Go with something that enables authorization in the service layer (e.g.
>>>> Spring Security, jSecurity, ...).
>>>>
>>>> Next base your custom wicket authorization on the authentication store of
>>>> the chosen base technology. Spring Security uses a thread local as
>>>> authentication store and has a servlet filter to copy the authenticated user
>>>> to/from the session so that the authenticated user is handily available
>>>> during a request and properly stored afterwards.
>>>>
>>>> Authentication itself can be implemented from Wicket in a custom way (e.g. a
>>>> username/password form). On success you just store the authenticated user in
>>>> the authentication store.
>>>>
>>>> Regards,
>>>>   Erik.
>>>>
>>>>
>>>> Kent Larsson wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I know there has been some discussion on this. But I've had a hard
>>>>> time deciding how this project should use security anyway.
>>>>>
>>>>> The application in question is layered into three layers for
>>>>> presentation, services and persistence using Wicket, Spring and
>>>>> Hibernate.
>>>>>
>>>>> What we need:
>>>>> - Authentication
>>>>> - Authorization on pages, components
>>>>> - Authorization before being able to run methods in the service layer
>>>>> - Authorization for viewing/editing some domain objects using Access
>>>>> Control Lists (ACLs)
>>>>>
>>>>> I have read Wicket in Action and its custom security solution has some
>>>>> pros:
>>>>> - It's quite easy to understand
>>>>> - We have a lot of freedom in how to do authentication and
>>>>> authorization
>>>>>
>>>>> And some cons:
>>>>> - I don't know how to authorize calls of specific methods, and thus
>>>>> - All security will be in the presentation layer
>>>>> - It won't be usable if we want security on web services later (which
>>>>> we do not need now, so maybe this can be disregarded)
>>>>>
>>>>> It would be nice if we could have a common solution to our security
>>>>> needs that integrates well with Wicket and Spring. I know that the
>>>>> Auth Roles project is out there as well as Swarm. But I don't know
>>>>> which will meet our needs and which will most likely be an option to
>>>>> us when we later move to Wicket 1.4 or a higher version.
>>>>>
>>>>> Best regards,
>>>>> Kent
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Erik van Oosten
>>>> http://www.day-to-day-stuff.blogspot.com/

Re: Security in a Spring & Wicket layered application

2009-03-09 Thread Ryan McKinley

I have not used it (yet), but check:
http://code.google.com/p/wicket-jsecurity/



On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote:


> Hm, I had some problems. Are there any examples out there for this?
>
> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson wrote:
>>
>> Hi,
>>
>> Great answer! :-) I'll try to do that today.
>>
>> Best regards, Kent
>>
>>
>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten wrote:
>>>
>>> Hi Kent,
>>>
>>> Go with something that enables authorization in the service layer (e.g.
>>> Spring Security, jSecurity, ...).
>>>
>>> Next base your custom wicket authorization on the authentication store of
>>> the chosen base technology. Spring Security uses a thread local as
>>> authentication store and has a servlet filter to copy the authenticated user
>>> to/from the session so that the authenticated user is handily available
>>> during a request and properly stored afterwards.
>>>
>>> Authentication itself can be implemented from Wicket in a custom way (e.g. a
>>> username/password form). On success you just store the authenticated user in
>>> the authentication store.
>>>
>>> Regards,
>>>   Erik.
>>>
>>>
>>> Kent Larsson wrote:
>>>>
>>>> Hi,
>>>>
>>>> I know there has been some discussion on this. But I've had a hard
>>>> time deciding how this project should use security anyway.
>>>>
>>>> The application in question is layered into three layers for
>>>> presentation, services and persistence using Wicket, Spring and
>>>> Hibernate.
>>>>
>>>> What we need:
>>>> - Authentication
>>>> - Authorization on pages, components
>>>> - Authorization before being able to run methods in the service layer
>>>> - Authorization for viewing/editing some domain objects using Access
>>>> Control Lists (ACLs)
>>>>
>>>> I have read Wicket in Action and its custom security solution has some
>>>> pros:
>>>> - It's quite easy to understand
>>>> - We have a lot of freedom in how to do authentication and authorization
>>>>
>>>> And some cons:
>>>> - I don't know how to authorize calls of specific methods, and thus
>>>> - All security will be in the presentation layer
>>>> - It won't be usable if we want security on web services later (which
>>>> we do not need now, so maybe this can be disregarded)
>>>>
>>>> It would be nice if we could have a common solution to our security
>>>> needs that integrates well with Wicket and Spring. I know that the
>>>> Auth Roles project is out there as well as Swarm. But I don't know
>>>> which will meet our needs and which will most likely be an option to
>>>> us when we later move to Wicket 1.4 or a higher version.
>>>>
>>>> Best regards,
>>>> Kent
>>>>
>>>
>>>
>>> --
>>> Erik van Oosten
>>> http://www.day-to-day-stuff.blogspot.com/



Re: Security in a Spring & Wicket layered application

2009-03-09 Thread Kent Larsson
Hm, I had some problems. Are there any examples out there for this?

On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson wrote:
> Hi,
>
> Great answer! :-) I'll try to do that today.
>
> Best regards, Kent
>
>
> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten wrote:
>> Hi Kent,
>>
>> Go with something that enables authorization in the service layer (e.g.
>> Spring Security, jSecurity, ...).
>>
>> Next base your custom wicket authorization on the authentication store of
>> the chosen base technology. Spring Security uses a thread local as
>> authentication store and has a servlet filter to copy the authenticated user
>> to/from the session so that the authenticated user is handily available
>> during a request and properly stored afterwards.
>>
>> Authentication itself can be implemented from Wicket in a custom way (e.g. a
>> username/password form). On success you just store the authenticated user in
>> the authentication store.
>>
>> Regards,
>>   Erik.
>>
>>
>> Kent Larsson wrote:
>>>
>>> Hi,
>>>
>>> I know there has been some discussion on this. But I've had a hard
>>> time deciding how this project should use security anyway.
>>>
>>> The application in question is layered into three layers for
>>> presentation, services and persistence using Wicket, Spring and
>>> Hibernate.
>>>
>>> What we need:
>>> - Authentication
>>> - Authorization on pages, components
>>> - Authorization before being able to run methods in the service layer
>>> - Authorization for viewing/editing some domain objects using Access
>>> Control Lists (ACLs)
>>>
>>> I have read Wicket in Action and its custom security solution has some
>>> pros:
>>> - It's quite easy to understand
>>> - We have a lot of freedom in how to do authentication and authorization
>>>
>>> And some cons:
>>> - I don't know how to authorize calls of specific methods, and thus
>>> - All security will be in the presentation layer
>>> - It won't be usable if we want security on web services later (which
>>> we do not need now, so maybe this can be disregarded)
>>>
>>> It would be nice if we could have a common solution to our security
>>> needs that integrates well with Wicket and Spring. I know that the
>>> Auth Roles project is out there as well as Swarm. But I don't know
>>> which will meet our needs and which will most likely be an option to
>>> us when we later move to Wicket 1.4 or a higher version.
>>>
>>> Best regards,
>>> Kent
>>>
>>>
>>
>>
>> --
>> Erik van Oosten
>> http://www.day-to-day-stuff.blogspot.com/



Re: Security in a Spring & Wicket layered application

2009-03-09 Thread Kent Larsson
Hi,

Great answer! :-) I'll try to do that today.

Best regards, Kent


On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten wrote:
> Hi Kent,
>
> Go with something that enables authorization in the service layer (e.g.
> Spring Security, jSecurity, ...).
>
> Next base your custom wicket authorization on the authentication store of
> the chosen base technology. Spring Security uses a thread local as
> authentication store and has a servlet filter to copy the authenticated user
> to/from the session so that the authenticated user is handily available
> during a request and properly stored afterwards.
>
> Authentication itself can be implemented from Wicket in a custom way (e.g. a
> username/password form). On success you just store the authenticated user in
> the authentication store.
>
> Regards,
>   Erik.
>
>
> Kent Larsson wrote:
>>
>> Hi,
>>
>> I know there has been some discussion on this. But I've had a hard
>> time deciding how this project should use security anyway.
>>
>> The application in question is layered into three layers for
>> presentation, services and persistence using Wicket, Spring and
>> Hibernate.
>>
>> What we need:
>> - Authentication
>> - Authorization on pages, components
>> - Authorization before being able to run methods in the service layer
>> - Authorization for viewing/editing some domain objects using Access
>> Control Lists (ACLs)
>>
>> I have read Wicket in Action and its custom security solution has some
>> pros:
>> - It's quite easy to understand
>> - We have a lot of freedom in how to do authentication and authorization
>>
>> And some cons:
>> - I don't know how to authorize calls of specific methods, and thus
>> - All security will be in the presentation layer
>> - It won't be usable if we want security on web services later (which
>> we do not need now, so maybe this can be disregarded)
>>
>> It would be nice if we could have a common solution to our security
>> needs that integrates well with Wicket and Spring. I know that the
>> Auth Roles project is out there as well as Swarm. But I don't know
>> which will meet our needs and which will most likely be an option to
>> us when we later move to Wicket 1.4 or a higher version.
>>
>> Best regards,
>> Kent
>>
>>
>
>
> --
> Erik van Oosten
> http://www.day-to-day-stuff.blogspot.com/



Re: Security in a Spring & Wicket layered application

2009-03-08 Thread Erik van Oosten

Hi Kent,

Go with something that enables authorization in the service layer (e.g. 
Spring Security, jSecurity, ...).


Next base your custom wicket authorization on the authentication store 
of the chosen base technology. Spring Security uses a thread local as 
authentication store and has a servlet filter to copy the authenticated 
user to/from the session so that the authenticated user is handily 
available during a request and properly stored afterwards.


Authentication itself can be implemented from Wicket in a custom way 
(e.g. a username/password form). On success you just store the 
authenticated user in the authentication store.


Regards,
   Erik.


Kent Larsson wrote:

> Hi,
>
> I know there has been some discussion on this. But I've had a hard
> time deciding how this project should use security anyway.
>
> The application in question is layered into three layers for
> presentation, services and persistence using Wicket, Spring and
> Hibernate.
>
> What we need:
> - Authentication
> - Authorization on pages, components
> - Authorization before being able to run methods in the service layer
> - Authorization for viewing/editing some domain objects using Access
> Control Lists (ACLs)
>
> I have read Wicket in Action and its custom security solution has some pros:
> - It's quite easy to understand
> - We have a lot of freedom in how to do authentication and authorization
>
> And some cons:
> - I don't know how to authorize calls of specific methods, and thus
> - All security will be in the presentation layer
> - It won't be usable if we want security on web services later (which
> we do not need now, so maybe this can be disregarded)
>
> It would be nice if we could have a common solution to our security
> needs that integrates well with Wicket and Spring. I know that the
> Auth Roles project is out there as well as Swarm. But I don't know
> which will meet our needs and which will most likely be an option to
> us when we later move to Wicket 1.4 or a higher version.
>
> Best regards,
> Kent

  



--
Erik van Oosten
http://www.day-to-day-stuff.blogspot.com/
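
The layering described in the message above, as an added plain-Java sketch that is not part of the thread and does not use Spring Security's or Wicket's API. `AuthStore`, `filter`, `onLoginSuccess`, `deleteOrder`, `showDeleteButton` and the `AUTH_USER` session key are hypothetical stand-ins for the thread-local store, the servlet filter, the login form handler, a service method and a page component; it needs Java 16 or later for `record`.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration; every name here is hypothetical, not Spring Security or Wicket API.
public class AuthStoreDemo {
    /** The authenticated user and the roles granted to it. */
    record AuthUser(String name, Set<String> roles) {}

    /** Thread-local authentication store: one slot per request thread. */
    static final class AuthStore {
        private static final ThreadLocal<AuthUser> CURRENT = new ThreadLocal<>();
        static AuthUser get() { return CURRENT.get(); }
        static void set(AuthUser user) { CURRENT.set(user); }
        static void clear() { CURRENT.remove(); }
        static boolean hasRole(String role) {
            AuthUser user = CURRENT.get();
            return user != null && user.roles().contains(role);
        }
    }

    /** Stand-in for the servlet filter: session to thread local before the request, back after. */
    static void filter(Map<String, Object> session, Runnable request) {
        AuthStore.set((AuthUser) session.get("AUTH_USER"));
        try {
            request.run();
        } finally {
            AuthUser user = AuthStore.get();
            if (user != null) session.put("AUTH_USER", user); else session.remove("AUTH_USER");
            AuthStore.clear(); // container threads are pooled: never leave an identity behind
        }
    }

    /** Called by the login form after it has verified the credentials. */
    static void onLoginSuccess(AuthUser verified) { AuthStore.set(verified); }

    /** Service layer: the check that actually protects the operation. */
    static String deleteOrder(int id) {
        if (!AuthStore.hasRole("ADMIN")) throw new SecurityException("ADMIN role required");
        return "order " + id + " deleted";
    }

    /** Presentation layer: reads the same store, but only to decide what to render. */
    static boolean showDeleteButton() { return AuthStore.hasRole("ADMIN"); }

    public static void main(String[] args) {
        Map<String, Object> aliceSession = new HashMap<>();
        Map<String, Object> anonymousSession = new HashMap<>();

        // Request 1: the login form succeeds (constructed user).
        filter(aliceSession, () -> onLoginSuccess(new AuthUser("alice", Set.of("ADMIN"))));

        // Request 2: same session, identity restored by the filter.
        filter(aliceSession, () ->
            System.out.println("alice: button=" + showDeleteButton() + ", " + deleteOrder(7)));

        // Request 3: another session served by the same thread. Hiding the button is
        // not enforcement; the service layer refuses the call on its own.
        filter(anonymousSession, () -> {
            System.out.println("anonymous: button=" + showDeleteButton());
            try {
                deleteOrder(8);
            } catch (SecurityException e) {
                System.out.println("anonymous: refused, " + e.getMessage());
            }
        });
    }
}
```

Removing the `AuthStore.clear()` call makes request 3 inherit the previous request's user whenever the container reuses the thread, which is why the copy-back and the clear both belong in the filter's `finally` block.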





Security in a Spring & Wicket layered application

2009-03-08 Thread Kent Larsson
Hi,

I know there has been some discussion on this. But I've had a hard
time deciding how this project should use security anyway.

The application in question is layered into three layers for
presentation, services and persistence using Wicket, Spring and
Hibernate.

What we need:
- Authentication
- Authorization on pages, components
- Authorization before being able to run methods in the service layer
- Authorization for viewing/editing some domain objects using Access
Control Lists (ACLs)

I have read Wicket in Action and its custom security solution has some pros:
- It's quite easy to understand
- We have a lot of freedom in how to do authentication and authorization

And some cons:
- I don't know how to authorize calls of specific methods, and thus
- All security will be in the presentation layer
- It won't be usable if we want security on web services later (which
we do not need now, so maybe this can be disregarded)

It would be nice if we could have a common solution to our security
needs that integrates well with Wicket and Spring. I know that the
Auth Roles project is out there as well as Swarm. But I don't know
which will meet our needs and which will most likely be an option to
us when we later move to Wicket 1.4 or a higher version.

Best regards,
Kent
