Indeed this check looks wrong.
Please file a ticket in our Jira to fix it.
On Wed, Aug 17, 2011 at 4:11 PM, mathieu.marcotte-gag...@bell.ca wrote:
Hi Wicket developers and users,

I am developing a web application that uses the wicket-auth framework 1.4.17, more specifically the following class:

org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy

and I am experiencing an issue that I think might be a bug (but I'm not sure, it might be that I'm doing something wrong). I am using an annotation like below:

    @AuthorizeAction(action = ..., roles = ...)

However I have found that I am always denied access to the page. I have traced the reason of the access to the following code, in method check of the above class:

    if (hasAny(new Roles(authorizeActionAnnotation.deny())))
    {
        return false;
    }

The deny list returned by authorizeActionAnnotation.deny() is empty, therefore hasAny always returns true, which means that when the deny list is empty you are always denied access to the page!

Maybe it's a feature but it sounds counter-intuitive to me :) Using the following annotation did fix the issue:

    @AuthorizeAction(action = ..., deny=dummyRoleToDeny, roles = ...)

Am I doing something wrong, or is it really intended that if you don't specify a deny list then you are always denied access?

Thanks
-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
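
The behaviour reported in this thread can be reproduced outside Wicket. The following is an added example, not code from the original messages or from the Wicket project: a stand-alone Java model in which hasAny treats an empty role set as a match (as the post describes), comparing the check as reported with a guarded variant. The class and method names, the allow-list step and the guard itself are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Stand-alone model of the check discussed in this thread; no Wicket classes are used.
class DenyListCheck {
    private final Set<String> userRoles;

    DenyListCheck(String... userRoles) {
        this.userRoles = new HashSet<>(Arrays.asList(userRoles));
    }

    // Modelled on the behaviour reported in the post: an empty role set counts as a match.
    boolean hasAny(Set<String> roles) {
        return roles.isEmpty() || !Collections.disjoint(userRoles, roles);
    }

    // Check as reported: an empty deny list makes hasAny() true, so access is refused.
    // The allow-list step after it is an assumption; the post shows only the deny test.
    boolean checkAsReported(Set<String> deny, Set<String> allow) {
        if (hasAny(deny)) {
            return false;
        }
        return hasAny(allow);
    }

    // Assumed correction: consult the deny list only when it names at least one role.
    boolean checkGuarded(Set<String> deny, Set<String> allow) {
        if (!deny.isEmpty() && hasAny(deny)) {
            return false;
        }
        return hasAny(allow);
    }

    public static void main(String[] args) {
        // Constructed sample data: one user holding a hypothetical ADMIN role.
        DenyListCheck admin = new DenyListCheck("ADMIN");
        Set<String> allow = new HashSet<>(Arrays.asList("ADMIN"));
        Set<String> noDeny = new HashSet<>();
        Set<String> denyDummy = new HashSet<>(Arrays.asList("dummyRoleToDeny"));
        Set<String> denyAdmin = new HashSet<>(Arrays.asList("ADMIN"));

        System.out.println("reported, empty deny:   " + admin.checkAsReported(noDeny, allow));
        System.out.println("reported, dummy deny:   " + admin.checkAsReported(denyDummy, allow));
        System.out.println("guarded,  empty deny:   " + admin.checkGuarded(noDeny, allow));
        System.out.println("guarded,  ADMIN denied: " + admin.checkGuarded(denyAdmin, allow));
    }
}
```

With the reported check the user is refused for an empty deny list and admitted once a dummy deny role is supplied, which matches the workaround in the post; the guarded variant admits the user with an empty deny list and still refuses a role that is explicitly denied.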