I'm building a Wicket-based project that uses Wasp/Swarm for authorization. I've connected it to Spring Security to use it as an authentication backend, and I've also used Spring Security to perform authentication and authorization on my middle tier Spring beans.
I have a secured web page with three panels in them (ListPanelA, ListPanelB, ListPanelC), but I only want some of them to display for different roles. Each panel inherits from SecurePanel and the page inherits from SecureWebPage. The panels have repeater components in them (DataView, which has inheritance hierarchy Component->WebMarkupContainer->AbstractRepeater ... ->AbstractPageableView->DataViewBase->DataView). i.e. OverviewPage -->ListPanelA ---->DataView -->ListPanelB ---->DataView -->ListPanelC ---->DataView The problem I am having is with setting component permissions on panels. For the basic ROLE_STAFF there is no permissions on these panels, but I have added a RENDER permission for certain users. When the page renders, each panel still calls onBeforeRender() on each component in its hierarchy even though the panel has no Component.RENDER authorization. This is a problem because onBeforeRender() in AbstractRepeater still calls AbstractRepeater.onPopulate(), which causes the pre-rendering value loading to take place, even though later on the component is not even rendered. In my case, I'm relying on onPopulate() not being called so that it doesn't try to call the (secured) middle tier methods. The relevant parts of my Swarm configuration is as follows: grant principal org.forge.smartdata.server.ui.security.SpringSecurityPrincipal "ROLE_STAFF" { permission ${ComponentPermission} "org.forge.smartdata.server.ui.management.OverviewPage", "render"; permission ${ComponentPermission} "org.forge.smartdata.server.ui.management.OverviewPage", "enable"; ... }; grant principal org.forge.smartdata.server.ui.security.SpringSecurityPrincipal "ROLE_RESEARCHER" { ... permission ${ComponentPermission} "org.forge.smartdata.server.ui.management.ListPanelA", "enable"; permission ${ComponentPermission} "org.forge.smartdata.server.ui.management.ListPanelB", "enable"; }; grant principal org.forge.smartdata.server.ui.security.SpringSecurityPrincipal "ROLE_REGISTRAR" { ... permission ${ComponentPermission} "org.forge.smartdata.server.ui.management.ListPanelB", "enable"; }; grant principal org.forge.smartdata.server.ui.security.SpringSecurityPrincipal "ROLE_DEPLOYER" { ... permission ${ComponentPermission} "org.forge.smartdata.server.ui.management.ListPanelC", "enable"; }; In the case above, ROLE_DEPLOYER, ROLE_RESEARCHER and ROLE_REGISTRAR all imply permission ROLE_STAFF. If I were, for example, to login as ROLE_RESEARCHER, it should render ListPanelA and ListPanelB but not ListPanelC. However, I am still getting the onPopulate() actions for the ListPanelC solution. I dug around and found out that Component.prepareRender() doesn't check if rendering is authorized until after the beforeRender() process has finished. However, this still seems to cause repeater components to try and prepare themselves for rendering by populating their internal hierarchies. Is there a way to circumvent this cleanly without having to put security checking code into my page or create a different page for each user? Thanks Chris -- Christopher Armstrong carmstrong ^^AT^ fastmail dOT com /Dot/ au --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org