Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-11 Thread PDiefent

where can I find the wicket-shiro-example stuff?
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2173369.html
Sent from the Wicket - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-11 Thread Les Hazlewood
Just a quick note to Wicket and Wicket-Stuff Shiro users:

Shiro 1.0 is right around the corner.  We should be code-complete for
1.0 in a day or two and then we being the ASF voting process to
release the software.  A concrete (non snapshot) release is coming
very soon!

Best,

Les

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-11 Thread Martin Grigorov
On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote:
 Just a quick note to Wicket and Wicket-Stuff Shiro users:
 
 Shiro 1.0 is right around the corner.  We should be code-complete for
 1.0 in a day or two and then we being the ASF voting process to
 release the software.  A concrete (non snapshot) release is coming
 very soon!
 
 Best,
 
 Les
You said the same 4 months ago ;-)
 
 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org
 
 



-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-11 Thread Les Hazlewood
If it's any consolation, we only have a few remaining issues in Jira
that should be finished today and tomorrow.  4 months ago, there was
still over 50+ issues to resolve ;)  Security frameworks are hard to
get right - better to have a great 1.0 release than a crappy one :)

On Tue, May 11, 2010 at 12:59 AM, Martin Grigorov mcgreg...@e-card.bg wrote:
 On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote:
 Just a quick note to Wicket and Wicket-Stuff Shiro users:

 Shiro 1.0 is right around the corner.  We should be code-complete for
 1.0 in a day or two and then we being the ASF voting process to
 release the software.  A concrete (non snapshot) release is coming
 very soon!

 Best,

 Les
 You said the same 4 months ago ;-)

 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org





 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-11 Thread James Carman
Martin, how many patches have you submitted? ;)

On Tue, May 11, 2010 at 3:59 AM, Martin Grigorov mcgreg...@e-card.bg wrote:
 On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote:
 Just a quick note to Wicket and Wicket-Stuff Shiro users:

 Shiro 1.0 is right around the corner.  We should be code-complete for
 1.0 in a day or two and then we being the ASF voting process to
 release the software.  A concrete (non snapshot) release is coming
 very soon!

 Best,

 Les
 You said the same 4 months ago ;-)

 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org





 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-11 Thread Fernando Wermus
try

  dependency
   groupIdorg.wicketstuff/groupId
   artifactIdwicket-shiro/artifactId
   version1.4-SNAPSHOT/version
  /dependency

On Tue, May 11, 2010 at 3:15 AM, PDiefent pdief...@csc.com wrote:


 where can I find the wicket-shiro-example stuff?
 --
 View this message in context:
 http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2173369.html
 Sent from the Wicket - User mailing list archive at Nabble.com.

 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org




-- 
Fernando Wermus.

www.linkedin.com/in/fernandowermus


Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-10 Thread PDiefent

Thanks for this fast respnse. I will have a deeper look at it.
Actually I hoped to find a much more simple solution, because I wanted to
avoid Spring in my application and only use it for authentication ...
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2165351.html
Sent from the Wicket - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-10 Thread Fernando Wermus
you can try shiro. There is a shiro-wicket-web-app example which could help
you.

On Mon, May 10, 2010 at 9:54 AM, PDiefent pdief...@csc.com wrote:


 Thanks for this fast respnse. I will have a deeper look at it.
 Actually I hoped to find a much more simple solution, because I wanted to
 avoid Spring in my application and only use it for authentication ...
 --
 View this message in context:
 http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2165351.html
 Sent from the Wicket - User mailing list archive at Nabble.com.

 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org




-- 
Fernando Wermus.

www.linkedin.com/in/fernandowermus


Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-10 Thread Adrian Wiesmann

3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to
check out trunk and build yourself) and has three different SNAPSHOT
dependencies.


I can't talk for wicket-shiro, but using plain Shiro from your Wicket 
project is quite straightforward. Use the integration from wicket-shiro 
as a pointer and integrate everything directly into your project. I did 
it this way and am very happy with it so far.


Cheers,
Adrian

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-07 Thread PDiefent

I have also problems integrating security into my Wicket project. I wanted to
use simple authentication form the application server as I used many times
before with JSF applications, but it didn't work.

Spring security sounds very good, but since I don't use spring in my Wicket
application I didn't manage to get the examples form above to work.

It would be nice, if anyone could post a little example application as a
kick start especially with Wicket 1.4.x

Thanks, Peter
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2134111.html
Sent from the Wicket - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-05-07 Thread Brian Topping
I recently updated the spring-security module for Brix to SS 3.0.1.  There's 
probably some nibbles in there for some of the more advanced kinds of security 
situations (like component-based authorizations against SS 3).  

http://code.google.com/p/brix-cms-plugins/source/browse/#svn/trunk/examples/example-springsecurity
 is the browsable source for the example project.

Check out Brix while you are there!

:B

On May 7, 2010, at 8:48 AM, PDiefent wrote:

 
 I have also problems integrating security into my Wicket project. I wanted to
 use simple authentication form the application server as I used many times
 before with JSF applications, but it didn't work.
 
 Spring security sounds very good, but since I don't use spring in my Wicket
 application I didn't manage to get the examples form above to work.
 
 It would be nice, if anyone could post a little example application as a
 kick start especially with Wicket 1.4.x
 
 Thanks, Peter
 -- 
 View this message in context: 
 http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2134111.html
 Sent from the Wicket - User mailing list archive at Nabble.com.
 
 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org
 
 


-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread Jimi

Thanks for the link. I've already looked at that page and besides the fact
that alot of the xml/code is missing in the beginning (like web.xml) I was
shocked by the amount of boilerplate code needed to get the wicket side
working.

That tells me that either 
1) people actually copy-paste all this boilerplate code and maybe do minor
modifications for their project
2) people use this code as a guide, and write a lot of the implementation
them selfs
3) there is some easier (but undocumented) way to use wicket auth-roles (or
WASP/SWARM or wicket-shiro), with way less boilerplate code needed. Maybe .
4) people use some other framework

1 and 2 seems just plain wrong, the way I see it. If 3 or 4 is the case I
would love to hear about it from someone.

/Jimi

 You can use Spring security with wicket auth-roles, I works out pretty
 nice
 compared to the alternatives.  iirc You need do your normal Spring
 setup, extend AuthenticatedWicketApplication, and AuthenticatedSession
  which has an authenticate method you'll call your UserDetails bean from.
 
 Outdated Link
 https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5

-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068908.html
Sent from the Wicket - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread Giovanni
James, can you share your SpringSecurityWebApplication and 
SpringSecurityWebSession
classes?

If you also write a  small tutorial on how to use them, it will be great.

Best regards,
giovanni






From: James Carman jcar...@carmanconsulting.com
To: users@wicket.apache.org
Sent: Wed, April 28, 2010 1:51:57 AM
Subject: Re: Wicket + security, what are the best options? Spring Security  
reached almost all the way...

I have a SpringSecurityWebApplication and SpringSecurityWebSession
class you can use if you want.

On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford bentilf...@gmail.com wrote:
 You can use Spring security with wicket auth-roles, I works out pretty nice
 compared to the alternatives.  iirc You need do your normal Spring
 setup, extend AuthenticatedWicketApplication, and AuthenticatedSession
  which has an authenticate method you'll call your UserDetails bean from.

 Outdated Link
 https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5


 On Tue, Apr 27, 2010 at 7:20 PM, Jimi jimi.hulleg...@mogul.com wrote:


 Hi,

 I'm curious to know what security frameworks you guys are using.

 The reason I'm asking is because I recently tried out Spring Security
 together with a simple wicket web application, and was amazed on how easy
 it
 was. I applied the steps mentioned in their Pet Clinic tutorial
 (
 http://static.springsource.org/spring-security/site/petclinic-tutorial.html
 )
 more or less exactly as they are, and I didn't have to write a single line
 of code. All was done using configuration. And even when I replaced the
 hard
 coded list of users (with their passwords and groups) with my custom
 authentication provider (or actually custom UserDetailsService) I only had
 two write two simple classes that implemented two very simple and logical
 interfaces respectively, that used my pre existing hibernate configuration
 and POJOs.

 BUT... when I wanted to replace the auto generated login screen (which
 worked great, but just didn't look very appealing) with a custom login page
 I quickly ran into trouble. If the login was successful then all was fine.
 But for the cases when the login failed for some reason (like incorrect
 username/password or database being down) I was having problems accessing
 the error cause. Because as far as I could tell this message (actually an
 Exception subclass) was only available as a http session attribute. And it
 seems that Wicket does everything to hide those from the user, discourages
 the use of the getHttpServletRequest() and the session attributes of the
 wicket session object only seems to include attributes with a specific
 wicket-prefix (like wicket:wicket.myProject:) which of course caused my
 precious Spring Security session attributes to be unavailable.

 It was then I started thinking that Spring Security maybe isn't the best
 security framework together with Wicket. So I started looking around for
 other alternatives. Wicket-security/WASP/SWARM (still not sure what is
 what)
 and wicket auth roles where the first two, and some time later I also
 heard about wicket-shiro.

 But all these three seemed to have one or more of the following down sides
 that irritated me when I evaluated them:

 1. Missing official site. [wicket auth roles] At least I can't find it.

 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old
 discussion labeled is wicket-auth-roles discontinued?. And the comments
 on
 the Getting started with Swarm wiki page is from 2007 and 2008, plus that
 they talk about Acegi (the old name for Spring Security) and the project
 has
 dependencies to Wicket 1.3 and Spring 2.0.

 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to
 check out trunk and build yourself) and has three different SNAPSHOT
 dependencies.

 4. Seems to require a lot of different project specific java classes. [all
 three].


 The last point, number 4, is a really big down side if you ask me. Keep in
 mind that I was able to integrate Spring Security almost completely in my
 wicket web application with very little new java code needed. And that is a
 good thing, because project specific code is of course much less tested and
 tried compared to official stable code of reputable frameworks. Plus that I
 don't have to reinvent the wheel, considering the simple authentication and
 authorization demands of my project. The only thing stopping me was this
 stupid error message in the unavailable http session attribute.

 I actually started converting my project into a WASP/SWARM project, using
 the example project from

 http://out-println.blogspot.com/2009/02/wicket-swarm-spring-security-how-to.html
 ,
 but after creating class after class after class of in-my-eyes boilerplate
 code I got the overwhelming feeling that I was making my project more and
 more dirty. And, more importantly, I got the feeling that this shouldn't be
 so complicated

Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread Jimi

Thanks for that kind suggestion, but I already have working
SecurityWebApplication and SecurityWebSession implementations. And my
problem was never a lack of code examples, but instead my problem was the
need for so much boilerplate code in the first place. I get the feeling most
of this code can be exactly the same for a lot of projects, and then it
would be logical to have a shared base for all these projects, maybe as a
part of SWARM/WASP, or wicket auth roles or wicket-shiro.

Regards
/Jimi

 I have a SpringSecurityWebApplication and SpringSecurityWebSession
 class you can use if you want.
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068916.html
Sent from the Wicket - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread Reinout van Schouwen
Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi:

 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old
 discussion labeled is wicket-auth-roles discontinued?. And the comments on
 the Getting started with Swarm wiki page is from 2007 and 2008, plus that
 they talk about Acegi (the old name for Spring Security) and the project has
 dependencies to Wicket 1.3 and Spring 2.0.

This lives on as a wicket-stuff subproject. 
Just yesterday a new version, 1.4rc1 was announced on this list:

http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350

regards,

-- 
Reinout van Schouwen


-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread James Carman
Those two classes are here:

http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/security/

They're part of my advanced wicket demo code.  The project already
has them set up and working, so you can look there for a tutorial.

On Wed, Apr 28, 2010 at 6:18 AM, Giovanni pino_o...@yahoo.com wrote:
 James, can you share your SpringSecurityWebApplication and 
 SpringSecurityWebSession
 classes?

 If you also write a  small tutorial on how to use them, it will be great.

 Best regards,
 giovanni





 
 From: James Carman jcar...@carmanconsulting.com
 To: users@wicket.apache.org
 Sent: Wed, April 28, 2010 1:51:57 AM
 Subject: Re: Wicket + security, what are the best options? Spring Security  
 reached almost all the way...

 I have a SpringSecurityWebApplication and SpringSecurityWebSession
 class you can use if you want.

 On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford bentilf...@gmail.com wrote:
 You can use Spring security with wicket auth-roles, I works out pretty nice
 compared to the alternatives.  iirc You need do your normal Spring
 setup, extend AuthenticatedWicketApplication, and AuthenticatedSession
  which has an authenticate method you'll call your UserDetails bean from.

 Outdated Link
 https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5


 On Tue, Apr 27, 2010 at 7:20 PM, Jimi jimi.hulleg...@mogul.com wrote:


 Hi,

 I'm curious to know what security frameworks you guys are using.

 The reason I'm asking is because I recently tried out Spring Security
 together with a simple wicket web application, and was amazed on how easy
 it
 was. I applied the steps mentioned in their Pet Clinic tutorial
 (
 http://static.springsource.org/spring-security/site/petclinic-tutorial.html
 )
 more or less exactly as they are, and I didn't have to write a single line
 of code. All was done using configuration. And even when I replaced the
 hard
 coded list of users (with their passwords and groups) with my custom
 authentication provider (or actually custom UserDetailsService) I only had
 two write two simple classes that implemented two very simple and logical
 interfaces respectively, that used my pre existing hibernate configuration
 and POJOs.

 BUT... when I wanted to replace the auto generated login screen (which
 worked great, but just didn't look very appealing) with a custom login page
 I quickly ran into trouble. If the login was successful then all was fine.
 But for the cases when the login failed for some reason (like incorrect
 username/password or database being down) I was having problems accessing
 the error cause. Because as far as I could tell this message (actually an
 Exception subclass) was only available as a http session attribute. And it
 seems that Wicket does everything to hide those from the user, discourages
 the use of the getHttpServletRequest() and the session attributes of the
 wicket session object only seems to include attributes with a specific
 wicket-prefix (like wicket:wicket.myProject:) which of course caused my
 precious Spring Security session attributes to be unavailable.

 It was then I started thinking that Spring Security maybe isn't the best
 security framework together with Wicket. So I started looking around for
 other alternatives. Wicket-security/WASP/SWARM (still not sure what is
 what)
 and wicket auth roles where the first two, and some time later I also
 heard about wicket-shiro.

 But all these three seemed to have one or more of the following down sides
 that irritated me when I evaluated them:

 1. Missing official site. [wicket auth roles] At least I can't find it.

 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old
 discussion labeled is wicket-auth-roles discontinued?. And the comments
 on
 the Getting started with Swarm wiki page is from 2007 and 2008, plus that
 they talk about Acegi (the old name for Spring Security) and the project
 has
 dependencies to Wicket 1.3 and Spring 2.0.

 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to
 check out trunk and build yourself) and has three different SNAPSHOT
 dependencies.

 4. Seems to require a lot of different project specific java classes. [all
 three].


 The last point, number 4, is a really big down side if you ask me. Keep in
 mind that I was able to integrate Spring Security almost completely in my
 wicket web application with very little new java code needed. And that is a
 good thing, because project specific code is of course much less tested and
 tried compared to official stable code of reputable frameworks. Plus that I
 don't have to reinvent the wheel, considering the simple authentication and
 authorization demands of my project. The only thing stopping me was this
 stupid error message in the unavailable http session attribute.

 I actually started converting my project

Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread James Carman
Those two classes are here:

http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/security/

They're part of my advanced wicket demo code.  The project already h

On Wed, Apr 28, 2010 at 6:18 AM, Giovanni pino_o...@yahoo.com wrote:
 James, can you share your SpringSecurityWebApplication and 
 SpringSecurityWebSession
 classes?

 If you also write a  small tutorial on how to use them, it will be great.

 Best regards,
 giovanni





 
 From: James Carman jcar...@carmanconsulting.com
 To: users@wicket.apache.org
 Sent: Wed, April 28, 2010 1:51:57 AM
 Subject: Re: Wicket + security, what are the best options? Spring Security  
 reached almost all the way...

 I have a SpringSecurityWebApplication and SpringSecurityWebSession
 class you can use if you want.

 On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford bentilf...@gmail.com wrote:
 You can use Spring security with wicket auth-roles, I works out pretty nice
 compared to the alternatives.  iirc You need do your normal Spring
 setup, extend AuthenticatedWicketApplication, and AuthenticatedSession
  which has an authenticate method you'll call your UserDetails bean from.

 Outdated Link
 https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5


 On Tue, Apr 27, 2010 at 7:20 PM, Jimi jimi.hulleg...@mogul.com wrote:


 Hi,

 I'm curious to know what security frameworks you guys are using.

 The reason I'm asking is because I recently tried out Spring Security
 together with a simple wicket web application, and was amazed on how easy
 it
 was. I applied the steps mentioned in their Pet Clinic tutorial
 (
 http://static.springsource.org/spring-security/site/petclinic-tutorial.html
 )
 more or less exactly as they are, and I didn't have to write a single line
 of code. All was done using configuration. And even when I replaced the
 hard
 coded list of users (with their passwords and groups) with my custom
 authentication provider (or actually custom UserDetailsService) I only had
 two write two simple classes that implemented two very simple and logical
 interfaces respectively, that used my pre existing hibernate configuration
 and POJOs.

 BUT... when I wanted to replace the auto generated login screen (which
 worked great, but just didn't look very appealing) with a custom login page
 I quickly ran into trouble. If the login was successful then all was fine.
 But for the cases when the login failed for some reason (like incorrect
 username/password or database being down) I was having problems accessing
 the error cause. Because as far as I could tell this message (actually an
 Exception subclass) was only available as a http session attribute. And it
 seems that Wicket does everything to hide those from the user, discourages
 the use of the getHttpServletRequest() and the session attributes of the
 wicket session object only seems to include attributes with a specific
 wicket-prefix (like wicket:wicket.myProject:) which of course caused my
 precious Spring Security session attributes to be unavailable.

 It was then I started thinking that Spring Security maybe isn't the best
 security framework together with Wicket. So I started looking around for
 other alternatives. Wicket-security/WASP/SWARM (still not sure what is
 what)
 and wicket auth roles where the first two, and some time later I also
 heard about wicket-shiro.

 But all these three seemed to have one or more of the following down sides
 that irritated me when I evaluated them:

 1. Missing official site. [wicket auth roles] At least I can't find it.

 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old
 discussion labeled is wicket-auth-roles discontinued?. And the comments
 on
 the Getting started with Swarm wiki page is from 2007 and 2008, plus that
 they talk about Acegi (the old name for Spring Security) and the project
 has
 dependencies to Wicket 1.3 and Spring 2.0.

 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to
 check out trunk and build yourself) and has three different SNAPSHOT
 dependencies.

 4. Seems to require a lot of different project specific java classes. [all
 three].


 The last point, number 4, is a really big down side if you ask me. Keep in
 mind that I was able to integrate Spring Security almost completely in my
 wicket web application with very little new java code needed. And that is a
 good thing, because project specific code is of course much less tested and
 tried compared to official stable code of reputable frameworks. Plus that I
 don't have to reinvent the wheel, considering the simple authentication and
 authorization demands of my project. The only thing stopping me was this
 stupid error message in the unavailable http session attribute.

 I actually started converting my project into a WASP/SWARM project, using
 the example project from

 http://out

Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread Jimi

Reinout wrote:
 Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi:
 
  2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old
  discussion labeled is wicket-auth-roles discontinued?. And the
 comments on
  the Getting started with Swarm wiki page is from 2007 and 2008, plus
 that
  they talk about Acegi (the old name for Spring Security) and the project
 has
  dependencies to Wicket 1.3 and Spring 2.0.
 
 This lives on as a wicket-stuff subproject. 
 Just yesterday a new version, 1.4rc1 was announced on this list:
 
 http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350

Interesting... I looked for postings about wicket security in this mailing
list before that posting, during Monday, and when I wrote my posting
yesterday I didn't think to look again to see if any more security related
postings had come in. But apparently it had... =)

Now I also found this posting about Wicket Security:

http://apache-wicket.1842946.n4.nabble.com/Future-of-Wicket-Security-WASP-SWARM-tt1908153.html#a1908153

And I tend to agree with the last post, by Antoine. Wicketstuff feels a bit
like a playground, with production ready projects mixed with crude
copy-paste-example projects.

By the way, isn't
http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security the
official web site for it? Because it doesn't mention 1.4rc1

Regards
/Jimi
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2069145.html
Sent from the Wicket - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread Martijn Dashorst
Confluence and JIRA for Wicket Stuff have been down since the JIRA
attacks. I've enabled service to Confluence as I didn't see any files
that were tampered with, nor was there any indication that it had been
compromised in other installations.

Confluence hasn't been updated with the release status because of this.

That said, we (the current Wicket Security maintainers) are 90% sure
that we'll move Wicket Security over to github, and host the
documentation there.

Martijn

On Wed, Apr 28, 2010 at 3:11 PM, Jimi jimi.hulleg...@mogul.com wrote:

 Reinout wrote:
 Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi:

  2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old
  discussion labeled is wicket-auth-roles discontinued?. And the
 comments on
  the Getting started with Swarm wiki page is from 2007 and 2008, plus
 that
  they talk about Acegi (the old name for Spring Security) and the project
 has
  dependencies to Wicket 1.3 and Spring 2.0.

 This lives on as a wicket-stuff subproject.
 Just yesterday a new version, 1.4rc1 was announced on this list:

 http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350

 Interesting... I looked for postings about wicket security in this mailing
 list before that posting, during Monday, and when I wrote my posting
 yesterday I didn't think to look again to see if any more security related
 postings had come in. But apparently it had... =)

 Now I also found this posting about Wicket Security:

 http://apache-wicket.1842946.n4.nabble.com/Future-of-Wicket-Security-WASP-SWARM-tt1908153.html#a1908153

 And I tend to agree with the last post, by Antoine. Wicketstuff feels a bit
 like a playground, with production ready projects mixed with crude
 copy-paste-example projects.

 By the way, isn't
 http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security the
 official web site for it? Because it doesn't mention 1.4rc1

 Regards
 /Jimi
 --
 View this message in context: 
 http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2069145.html
 Sent from the Wicket - User mailing list archive at Nabble.com.

 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org





-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com
Apache Wicket 1.4 increases type safety for web applications
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.7

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-28 Thread Jimi

Martijn wrote:
 
 Confluence and JIRA for Wicket Stuff have been down since the JIRA
 attacks. I've enabled service to Confluence as I didn't see any files
 that were tampered with, nor was there any indication that it had been
 compromised in other installations.
 
 Confluence hasn't been updated with the release status because of this.

I had no idea there was a JIRA attack. That explains a lot.

 That said, we (the current Wicket Security maintainers) are 90% sure
 that we'll move Wicket Security over to github, and host the
 documentation there.

ok, sounds like a good move.
Thanks for a great project, by the way. I'm starting to like it more and
more now. :)

/Jimi
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2075000.html
Sent from the Wicket - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-27 Thread Jimi

Hi,

I'm curious to know what security frameworks you guys are using.

The reason I'm asking is because I recently tried out Spring Security
together with a simple wicket web application, and was amazed on how easy it
was. I applied the steps mentioned in their Pet Clinic tutorial
(http://static.springsource.org/spring-security/site/petclinic-tutorial.html)
more or less exactly as they are, and I didn't have to write a single line
of code. All was done using configuration. And even when I replaced the hard
coded list of users (with their passwords and groups) with my custom
authentication provider (or actually custom UserDetailsService) I only had
two write two simple classes that implemented two very simple and logical
interfaces respectively, that used my pre existing hibernate configuration
and POJOs.

BUT... when I wanted to replace the auto generated login screen (which
worked great, but just didn't look very appealing) with a custom login page
I quickly ran into trouble. If the login was successful then all was fine.
But for the cases when the login failed for some reason (like incorrect
username/password or database being down) I was having problems accessing
the error cause. Because as far as I could tell this message (actually an
Exception subclass) was only available as a http session attribute. And it
seems that Wicket does everything to hide those from the user, discourages
the use of the getHttpServletRequest() and the session attributes of the
wicket session object only seems to include attributes with a specific
wicket-prefix (like wicket:wicket.myProject:) which of course caused my
precious Spring Security session attributes to be unavailable.

It was then I started thinking that Spring Security maybe isn't the best
security framework together with Wicket. So I started looking around for
other alternatives. Wicket-security/WASP/SWARM (still not sure what is what)
and wicket auth roles where the first two, and some time later I also
heard about wicket-shiro.

But all these three seemed to have one or more of the following down sides
that irritated me when I evaluated them:

1. Missing official site. [wicket auth roles] At least I can't find it.

2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old
discussion labeled is wicket-auth-roles discontinued?. And the comments on
the Getting started with Swarm wiki page is from 2007 and 2008, plus that
they talk about Acegi (the old name for Spring Security) and the project has
dependencies to Wicket 1.3 and Spring 2.0.

3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to
check out trunk and build yourself) and has three different SNAPSHOT
dependencies.

4. Seems to require a lot of different project specific java classes. [all
three]. 


The last point, number 4, is a really big down side if you ask me. Keep in
mind that I was able to integrate Spring Security almost completely in my
wicket web application with very little new java code needed. And that is a
good thing, because project specific code is of course much less tested and
tried compared to official stable code of reputable frameworks. Plus that I
don't have to reinvent the wheel, considering the simple authentication and
authorization demands of my project. The only thing stopping me was this
stupid error message in the unavailable http session attribute.

I actually started converting my project into a WASP/SWARM project, using
the example project from
http://out-println.blogspot.com/2009/02/wicket-swarm-spring-security-how-to.html,
but after creating class after class after class of in-my-eyes boilerplate
code I got the overwhelming feeling that I was making my project more and
more dirty. And, more importantly, I got the feeling that this shouldn't be
so complicated. Other people surely have done this before, and maybe there
is a good, stable and official framework/plugin/whatever that makes Spring
Security and Wicket integration into a breeze. Which it really was when I
followed the Pet Clinic tutorial (see URL above), since that used the auto
generated login form.

So, any input from you guys? What do you use to secure your wicket web
sites? Or maybe someone can explain how to best solve my Wicket+Spring
Security problem with the hidden http session attributes?

Also, I hope I didn't step on anybody's toes with my list of down sides.
Maybe I just haven't found the right web pages that document these
frameworks(?) and how easy it can be to use them. Tips more then welcome!

Regards
/Jimi Hullegård
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068415.html
Sent from the Wicket - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-27 Thread Ben Tilford
 pages that document these
 frameworks(?) and how easy it can be to use them. Tips more then welcome!

 Regards
 /Jimi Hullegård
 --
 View this message in context:
 http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068415.html
 Sent from the Wicket - User mailing list archive at Nabble.com.

 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org




Re: Wicket + security, what are the best options? Spring Security reached almost all the way...

2010-04-27 Thread James Carman
+Spring
 Security problem with the hidden http session attributes?

 Also, I hope I didn't step on anybody's toes with my list of down sides.
 Maybe I just haven't found the right web pages that document these
 frameworks(?) and how easy it can be to use them. Tips more then welcome!

 Regards
 /Jimi Hullegård
 --
 View this message in context:
 http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068415.html
 Sent from the Wicket - User mailing list archive at Nabble.com.

 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org