Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
I did it using BundleStringResourceLoader in the end.
Well that's the point of having two WebSecurityConfigurerAdapters.
One takes care about your actuator using HTTP Basic
http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR_ROLE").and().httpBasic();
and the one one takes care about Wicket
http.antMatcher("/wicket/**").authorizeRequests()
.antMatchers("/wicket/page/login**").permitAll()
.antMatchers("/wicket/page/**").hasRole("WICKET")
.and().formLogin().loginPage("/wicket/page/login").loginProcessingUrl("/fake-url")
.and().csrf().disable();
this will redirect to login page in case you are not logged in.
Regarding lack of privileges (roles) that's another story and you should
probably read
Spring Security docs on how to properly handle those since it's not really
related (i.e.
user is already logged in, you sure you want to re-login?).
Zbynek
On Fri, Jan 25, 2019 at 11:05 AM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:
> Have you gone through this :
>
>
> https://ci.apache.org/projects/wicket/guide/8.x/single.html#_extending_the_default_lookup_algorithm
> (which seems you have, please show a little code)
>
> And could you tell med howto make Spring redirect to my wicket login page
> for all urls except /actuator (which is handled by basic auth)? Also every
> wicket page which requires authentication should redirect to /login page if
> you either lack permissions or arent logged in..
>
> -Nino
>
>
>
> On Fri, Jan 25, 2019 at 8:18 AM Zbynek Vavros
> wrote:
>
> > Took me some time to understand as well so I'm glad share :)
> >
> > I'm in process of tuning this setup so just out of curiosity how did you
> > set up the Wicket properties file(s)? I don't like the idea to having
> > properties in src/main/java and looking for proper way to load them from
> > custom location like
> > src/main/resources/properties/MyWicketApplication.properties.
> >
> > In out previous project we used I18n.init() method but I'm thinking more
> > Wicket-y way,
> > maybe using BundleStringResourceLoader ? But so far no luck making that
> > work...
> >
> > Zbynek
> >
> > On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > Yes this is exactly how I've done it :) Thanks for taking time to
> help...
> > >
> > > @WicketSignInPage
> > > @MountPath("page/login")
> > > public class LoginPage extends BasePage {
> > >
> > > public LoginPage(PageParameters parameters) {
> > > super(parameters);
> > >
> > > if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> > > continueToOriginalDestination();
> > > }
> > > add(new LoginForm("loginForm"));
> > > }
> > >
> > > private class LoginForm extends StatelessForm {
> > >
> > > private String username;
> > > private String password;
> > >
> > > public LoginForm(String id) {
> > > super(id);
> > > setModel(new CompoundPropertyModel<>(this));
> > > add(new FeedbackPanel("feedback"));
> > > add(new RequiredTextField("username"));
> > > add(new PasswordTextField("password"));
> > > }
> > >
> > > @Override
> > > protected void onSubmit() {
> > > AuthenticatedWebSession session = AuthenticatedWebSession.get();
> > > if (session.signIn(username, password)) {
> > > setResponsePage(HomePage.class);
> > > } else {
> > > error("Login failed");
> > > }
> > > }
> > > }
> > > }
> > >
> > >
> > > On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros
> > > wrote:
> > >
> > > > Is seems you have mixed my code with your code somehow.
> > > > You must configure formLogin() and specify loginPage() pointing to
> your
> > > > Wicket login page (maybe using @MountPath?).
> > > > The .loginProcessingUrl() points to "/fake-url" because the
> > > authentication
> > > > itself is called from Wicket login page
> > > > via AuthenticatedWebSession.get().signIn(). Or do you use other
> > mechanism
> > > > in your Wicket login page?
> > > >
> > > > Zbynek
> > > >
> > > > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > > > nino.martinez.w...@gmail.com> wrote:
> > > >
> > > > > It sort of works, If I go to the actuator I get the http basic
> auth,
> > > if I
> > > > > on the same session goto my pages.. I get an "ugly" access denied
> > page
> > > > and
> > > > > not the configured wicket login page. So it sort of works..
> > > > >
> > > > > If I just goto localhost:8080/ I get an default spring login page
> not
> > > the
> > > > > wicket one.. Upon succesfull login it forwards me to the wicket
> login
> > > > page,
> > > > > where I can login again and then get to the real application..
> > > > >
> > > > > Below my current code:
> > > > >
> > > > >
> > > > > package dk.netdesign.ccadmin.frontend.security;
> > > > >
> > > > > import org.springframework.context.annotation.Bean;
> > > > > import org.springframework.context.annotation.Configuration;
> > > > > import org.springframework.core.annotation.Order;
> > > > > import
> > >
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Have you gone through this :
https://ci.apache.org/projects/wicket/guide/8.x/single.html#_extending_the_default_lookup_algorithm
(which seems you have, please show a little code)
And could you tell med howto make Spring redirect to my wicket login page
for all urls except /actuator (which is handled by basic auth)? Also every
wicket page which requires authentication should redirect to /login page if
you either lack permissions or arent logged in..
-Nino
On Fri, Jan 25, 2019 at 8:18 AM Zbynek Vavros
wrote:
> Took me some time to understand as well so I'm glad share :)
>
> I'm in process of tuning this setup so just out of curiosity how did you
> set up the Wicket properties file(s)? I don't like the idea to having
> properties in src/main/java and looking for proper way to load them from
> custom location like
> src/main/resources/properties/MyWicketApplication.properties.
>
> In out previous project we used I18n.init() method but I'm thinking more
> Wicket-y way,
> maybe using BundleStringResourceLoader ? But so far no luck making that
> work...
>
> Zbynek
>
> On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Yes this is exactly how I've done it :) Thanks for taking time to help...
> >
> > @WicketSignInPage
> > @MountPath("page/login")
> > public class LoginPage extends BasePage {
> >
> > public LoginPage(PageParameters parameters) {
> > super(parameters);
> >
> > if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> > continueToOriginalDestination();
> > }
> > add(new LoginForm("loginForm"));
> > }
> >
> > private class LoginForm extends StatelessForm {
> >
> > private String username;
> > private String password;
> >
> > public LoginForm(String id) {
> > super(id);
> > setModel(new CompoundPropertyModel<>(this));
> > add(new FeedbackPanel("feedback"));
> > add(new RequiredTextField("username"));
> > add(new PasswordTextField("password"));
> > }
> >
> > @Override
> > protected void onSubmit() {
> > AuthenticatedWebSession session = AuthenticatedWebSession.get();
> > if (session.signIn(username, password)) {
> > setResponsePage(HomePage.class);
> > } else {
> > error("Login failed");
> > }
> > }
> > }
> > }
> >
> >
> > On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros
> > wrote:
> >
> > > Is seems you have mixed my code with your code somehow.
> > > You must configure formLogin() and specify loginPage() pointing to your
> > > Wicket login page (maybe using @MountPath?).
> > > The .loginProcessingUrl() points to "/fake-url" because the
> > authentication
> > > itself is called from Wicket login page
> > > via AuthenticatedWebSession.get().signIn(). Or do you use other
> mechanism
> > > in your Wicket login page?
> > >
> > > Zbynek
> > >
> > > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > > nino.martinez.w...@gmail.com> wrote:
> > >
> > > > It sort of works, If I go to the actuator I get the http basic auth,
> > if I
> > > > on the same session goto my pages.. I get an "ugly" access denied
> page
> > > and
> > > > not the configured wicket login page. So it sort of works..
> > > >
> > > > If I just goto localhost:8080/ I get an default spring login page not
> > the
> > > > wicket one.. Upon succesfull login it forwards me to the wicket login
> > > page,
> > > > where I can login again and then get to the real application..
> > > >
> > > > Below my current code:
> > > >
> > > >
> > > > package dk.netdesign.ccadmin.frontend.security;
> > > >
> > > > import org.springframework.context.annotation.Bean;
> > > > import org.springframework.context.annotation.Configuration;
> > > > import org.springframework.core.annotation.Order;
> > > > import
> > org.springframework.security.authentication.AuthenticationManager;
> > > > import
> > > >
> > > >
> > >
> >
> org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > > import
> > > >
> > org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > > import
> > > >
> > > >
> > >
> >
> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > > import
> org.springframework.security.config.http.SessionCreationPolicy;
> > > > import org.springframework.security.core.Authentication;
> > > > import
> org.springframework.security.core.context.SecurityContextHolder;
> > > > import org.springframework.security.core.userdetails.User;
> > > > import
> > org.springframework.security.core.userdetails.UserDetailsService;
> > > > import
> > org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > > import
> > > > org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > > import org.springframework.stereotype.Component;
> > > >
> > > > @Configuration
> > > > public class WicketWebSecurityAdapterConfig extends
> > > > WebSecurityConfigurerAdapter {
> > > >
> > > >
> > > > @Configuration
> > > > @Order(1)
> > > > public static class RestSecurityConfig
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Took me some time to understand as well so I'm glad share :)
I'm in process of tuning this setup so just out of curiosity how did you
set up the Wicket properties file(s)? I don't like the idea to having
properties in src/main/java and looking for proper way to load them from
custom location like
src/main/resources/properties/MyWicketApplication.properties.
In out previous project we used I18n.init() method but I'm thinking more
Wicket-y way,
maybe using BundleStringResourceLoader ? But so far no luck making that
work...
Zbynek
On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:
> Yes this is exactly how I've done it :) Thanks for taking time to help...
>
> @WicketSignInPage
> @MountPath("page/login")
> public class LoginPage extends BasePage {
>
> public LoginPage(PageParameters parameters) {
> super(parameters);
>
> if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> continueToOriginalDestination();
> }
> add(new LoginForm("loginForm"));
> }
>
> private class LoginForm extends StatelessForm {
>
> private String username;
> private String password;
>
> public LoginForm(String id) {
> super(id);
> setModel(new CompoundPropertyModel<>(this));
> add(new FeedbackPanel("feedback"));
> add(new RequiredTextField("username"));
> add(new PasswordTextField("password"));
> }
>
> @Override
> protected void onSubmit() {
> AuthenticatedWebSession session = AuthenticatedWebSession.get();
> if (session.signIn(username, password)) {
> setResponsePage(HomePage.class);
> } else {
> error("Login failed");
> }
> }
> }
> }
>
>
> On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros
> wrote:
>
> > Is seems you have mixed my code with your code somehow.
> > You must configure formLogin() and specify loginPage() pointing to your
> > Wicket login page (maybe using @MountPath?).
> > The .loginProcessingUrl() points to "/fake-url" because the
> authentication
> > itself is called from Wicket login page
> > via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> > in your Wicket login page?
> >
> > Zbynek
> >
> > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > It sort of works, If I go to the actuator I get the http basic auth,
> if I
> > > on the same session goto my pages.. I get an "ugly" access denied page
> > and
> > > not the configured wicket login page. So it sort of works..
> > >
> > > If I just goto localhost:8080/ I get an default spring login page not
> the
> > > wicket one.. Upon succesfull login it forwards me to the wicket login
> > page,
> > > where I can login again and then get to the real application..
> > >
> > > Below my current code:
> > >
> > >
> > > package dk.netdesign.ccadmin.frontend.security;
> > >
> > > import org.springframework.context.annotation.Bean;
> > > import org.springframework.context.annotation.Configuration;
> > > import org.springframework.core.annotation.Order;
> > > import
> org.springframework.security.authentication.AuthenticationManager;
> > > import
> > >
> > >
> >
> org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > import
> > >
> org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > import
> > >
> > >
> >
> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > import org.springframework.security.config.http.SessionCreationPolicy;
> > > import org.springframework.security.core.Authentication;
> > > import org.springframework.security.core.context.SecurityContextHolder;
> > > import org.springframework.security.core.userdetails.User;
> > > import
> org.springframework.security.core.userdetails.UserDetailsService;
> > > import
> org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > import
> > > org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > import org.springframework.stereotype.Component;
> > >
> > > @Configuration
> > > public class WicketWebSecurityAdapterConfig extends
> > > WebSecurityConfigurerAdapter {
> > >
> > >
> > > @Configuration
> > > @Order(1)
> > > public static class RestSecurityConfig extends
> > > WebSecurityConfigurerAdapter {
> > >
> > > @Override
> > > protected void configure(HttpSecurity http) throws Exception {
> > >
> > >
> > >
> > >
> >
> http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > > .and().csrf().disable()
> > >
> > >
> > >
> >
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > .and().httpBasic();
> > > }
> > > }
> > >
> > > @Configuration
> > > @Order(2)
> > > public static class WicketSecurityConfig extends
> > > WebSecurityConfigurerAdapter {
> > > @Override
> > > protected void configure(HttpSecurity http) throws Exception {
> > >
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Yes this is exactly how I've done it :) Thanks for taking time to help...
@WicketSignInPage
@MountPath("page/login")
public class LoginPage extends BasePage {
public LoginPage(PageParameters parameters) {
super(parameters);
if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
continueToOriginalDestination();
}
add(new LoginForm("loginForm"));
}
private class LoginForm extends StatelessForm {
private String username;
private String password;
public LoginForm(String id) {
super(id);
setModel(new CompoundPropertyModel<>(this));
add(new FeedbackPanel("feedback"));
add(new RequiredTextField("username"));
add(new PasswordTextField("password"));
}
@Override
protected void onSubmit() {
AuthenticatedWebSession session = AuthenticatedWebSession.get();
if (session.signIn(username, password)) {
setResponsePage(HomePage.class);
} else {
error("Login failed");
}
}
}
}
On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros
wrote:
> Is seems you have mixed my code with your code somehow.
> You must configure formLogin() and specify loginPage() pointing to your
> Wicket login page (maybe using @MountPath?).
> The .loginProcessingUrl() points to "/fake-url" because the authentication
> itself is called from Wicket login page
> via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> in your Wicket login page?
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > It sort of works, If I go to the actuator I get the http basic auth, if I
> > on the same session goto my pages.. I get an "ugly" access denied page
> and
> > not the configured wicket login page. So it sort of works..
> >
> > If I just goto localhost:8080/ I get an default spring login page not the
> > wicket one.. Upon succesfull login it forwards me to the wicket login
> page,
> > where I can login again and then get to the real application..
> >
> > Below my current code:
> >
> >
> > package dk.netdesign.ccadmin.frontend.security;
> >
> > import org.springframework.context.annotation.Bean;
> > import org.springframework.context.annotation.Configuration;
> > import org.springframework.core.annotation.Order;
> > import org.springframework.security.authentication.AuthenticationManager;
> > import
> >
> >
> org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > import
> > org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > import
> >
> >
> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > import org.springframework.security.config.http.SessionCreationPolicy;
> > import org.springframework.security.core.Authentication;
> > import org.springframework.security.core.context.SecurityContextHolder;
> > import org.springframework.security.core.userdetails.User;
> > import org.springframework.security.core.userdetails.UserDetailsService;
> > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > import
> > org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > import org.springframework.stereotype.Component;
> >
> > @Configuration
> > public class WicketWebSecurityAdapterConfig extends
> > WebSecurityConfigurerAdapter {
> >
> >
> > @Configuration
> > @Order(1)
> > public static class RestSecurityConfig extends
> > WebSecurityConfigurerAdapter {
> >
> > @Override
> > protected void configure(HttpSecurity http) throws Exception {
> >
> >
> >
> >
> http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > .and().csrf().disable()
> >
> >
> >
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > .and().httpBasic();
> > }
> > }
> >
> > @Configuration
> > @Order(2)
> > public static class WicketSecurityConfig extends
> > WebSecurityConfigurerAdapter {
> > @Override
> > protected void configure(HttpSecurity http) throws Exception {
> > http.antMatcher("/page/**").authorizeRequests()
> > .antMatchers("/page/login**").permitAll()
> > .antMatchers("/page/**").hasAnyAuthority("USER",
> > "ADMIN")
> >
> >
> >
> .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> >
> > .and().csrf().disable();
> > }
> > }
> >
> > @Bean
> > public static BCryptPasswordEncoder passwordEncoder() {
> > return new BCryptPasswordEncoder();
> > }
> >
> > @Bean(name = "authenticationManager")
> > @Override
> > public AuthenticationManager authenticationManagerBean() throws
> > Exception {
> >
> > return super.authenticationManagerBean();
> > }
> > public interface IAuthenticationFacade {
> > Authentication getAuthentication();
> > }
> > @Component
> > public class AuthenticationFacade
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Is seems you have mixed my code with your code somehow.
You must configure formLogin() and specify loginPage() pointing to your
Wicket login page (maybe using @MountPath?).
The .loginProcessingUrl() points to "/fake-url" because the authentication
itself is called from Wicket login page
via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
in your Wicket login page?
Zbynek
On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:
> It sort of works, If I go to the actuator I get the http basic auth, if I
> on the same session goto my pages.. I get an "ugly" access denied page and
> not the configured wicket login page. So it sort of works..
>
> If I just goto localhost:8080/ I get an default spring login page not the
> wicket one.. Upon succesfull login it forwards me to the wicket login page,
> where I can login again and then get to the real application..
>
> Below my current code:
>
>
> package dk.netdesign.ccadmin.frontend.security;
>
> import org.springframework.context.annotation.Bean;
> import org.springframework.context.annotation.Configuration;
> import org.springframework.core.annotation.Order;
> import org.springframework.security.authentication.AuthenticationManager;
> import
>
> org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> import
> org.springframework.security.config.annotation.web.builders.HttpSecurity;
> import
>
> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> import org.springframework.security.config.http.SessionCreationPolicy;
> import org.springframework.security.core.Authentication;
> import org.springframework.security.core.context.SecurityContextHolder;
> import org.springframework.security.core.userdetails.User;
> import org.springframework.security.core.userdetails.UserDetailsService;
> import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> import
> org.springframework.security.provisioning.InMemoryUserDetailsManager;
> import org.springframework.stereotype.Component;
>
> @Configuration
> public class WicketWebSecurityAdapterConfig extends
> WebSecurityConfigurerAdapter {
>
>
> @Configuration
> @Order(1)
> public static class RestSecurityConfig extends
> WebSecurityConfigurerAdapter {
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>
>
>
> http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> .and().csrf().disable()
>
>
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> .and().httpBasic();
> }
> }
>
> @Configuration
> @Order(2)
> public static class WicketSecurityConfig extends
> WebSecurityConfigurerAdapter {
> @Override
> protected void configure(HttpSecurity http) throws Exception {
> http.antMatcher("/page/**").authorizeRequests()
> .antMatchers("/page/login**").permitAll()
> .antMatchers("/page/**").hasAnyAuthority("USER",
> "ADMIN")
>
>
> .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
>
> .and().csrf().disable();
> }
> }
>
> @Bean
> public static BCryptPasswordEncoder passwordEncoder() {
> return new BCryptPasswordEncoder();
> }
>
> @Bean(name = "authenticationManager")
> @Override
> public AuthenticationManager authenticationManagerBean() throws
> Exception {
>
> return super.authenticationManagerBean();
> }
> public interface IAuthenticationFacade {
> Authentication getAuthentication();
> }
> @Component
> public class AuthenticationFacade implements IAuthenticationFacade {
>
> @Override
> public Authentication getAuthentication() {
> return SecurityContextHolder.getContext().getAuthentication();
> }
> }
>
> @Bean
> public UserDetailsService userDetailsService() {
> InMemoryUserDetailsManager manager = new
> InMemoryUserDetailsManager();
> manager.createUser(
> User.withUsername("admin")
>
> .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
> .build());
>
> manager.createUser(
> User.withUsername("actuator")
>
> .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> .build());
>
> return manager;
> }
> }
>
>
> On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Thanks will try it:)
> >
> > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros
> > wrote:
> >
> >> In my case it works something like this:
> >>
> >> @Configuration
> >> @EnableWebSecurity
> >> public class SecurityConfiguration {
> >>
> >> @Configuration
> >> @Order(1)
> >> public static
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
It sort of works, If I go to the actuator I get the http basic auth, if I
on the same session goto my pages.. I get an "ugly" access denied page and
not the configured wicket login page. So it sort of works..
If I just goto localhost:8080/ I get an default spring login page not the
wicket one.. Upon succesfull login it forwards me to the wicket login page,
where I can login again and then get to the real application..
Below my current code:
package dk.netdesign.ccadmin.frontend.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import
org.springframework.security.config.annotation.web.builders.HttpSecurity;
import
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Component;
@Configuration
public class WicketWebSecurityAdapterConfig extends
WebSecurityConfigurerAdapter {
@Configuration
@Order(1)
public static class RestSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
.and().csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().httpBasic();
}
}
@Configuration
@Order(2)
public static class WicketSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/page/**").authorizeRequests()
.antMatchers("/page/login**").permitAll()
.antMatchers("/page/**").hasAnyAuthority("USER",
"ADMIN")
.and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
.and().csrf().disable();
}
}
@Bean
public static BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean(name = "authenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws
Exception {
return super.authenticationManagerBean();
}
public interface IAuthenticationFacade {
Authentication getAuthentication();
}
@Component
public class AuthenticationFacade implements IAuthenticationFacade {
@Override
public Authentication getAuthentication() {
return SecurityContextHolder.getContext().getAuthentication();
}
}
@Bean
public UserDetailsService userDetailsService() {
InMemoryUserDetailsManager manager = new
InMemoryUserDetailsManager();
manager.createUser(
User.withUsername("admin")
.password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
.build());
manager.createUser(
User.withUsername("actuator")
.password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
.build());
return manager;
}
}
On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:
> Thanks will try it:)
>
> On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros
> wrote:
>
>> In my case it works something like this:
>>
>> @Configuration
>> @EnableWebSecurity
>> public class SecurityConfiguration {
>>
>> @Configuration
>> @Order(1)
>> public static class RestSecurityConfig extends
>> WebSecurityConfigurerAdapter {
>>
>> .. user details service, auth providers etc
>>
>> @Override
>> protected void configure(HttpSecurity http) throws Exception {
>>
>>
>> http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
>> .and().csrf().disable()
>>
>>
>> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>> .and().httpBasic();
>> }
>> }
>>
>> @Configuration
>> @Order(2)
>> public static class WicketSecurityConfig extends
>> WebSecurityConfigurerAdapter {
>>
>> .. user details service, auth providers etc
>>
>> @Override
>>
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Thanks will try it:)
On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros
wrote:
> In my case it works something like this:
>
> @Configuration
> @EnableWebSecurity
> public class SecurityConfiguration {
>
> @Configuration
> @Order(1)
> public static class RestSecurityConfig extends
> WebSecurityConfigurerAdapter {
>
> .. user details service, auth providers etc
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>
> http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> .and().csrf().disable()
>
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> .and().httpBasic();
> }
> }
>
> @Configuration
> @Order(2)
> public static class WicketSecurityConfig extends
> WebSecurityConfigurerAdapter {
>
> .. user details service, auth providers etc
>
> @Override
> protected void configure(AuthenticationManagerBuilder auth) throws
> Exception {
> auth.authenticationProvider(wicketAuthenticationProvider);
> }
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
> http.antMatcher("/page/**").authorizeRequests()
> .antMatchers("/page/login**").permitAll()
> .antMatchers("/page/**").hasRole("ROLE")
>
> .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> .and().csrf().disable();
> }
>
> @Override
> @Bean(name = "authenticationManager")
> public AuthenticationManager authenticationManagerBean() throws
> Exception {
> return super.authenticationManagerBean();
> }
> }
> }
>
> The RestSecurityConfigwould be what you would do for actuators, for me
> thats the REST API.
> Not the order of "antMatcher", "authorizeRequests" and " antMatchers".
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > do you have an example? OR is it just to cut them into two like:
> > WebSecurityConfigurerAdapter A:
> >
> >
> http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >
> > WebSecurityConfigurerAdapter B:
> > http
> > .csrf().disable()
> > .authorizeRequests().anyRequest().permitAll()
> > .and()
> > .logout()
> > .permitAll();
> > http.headers().frameOptions().disable();
> >
> >
> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros
> > wrote:
> >
> > > Hi,
> > >
> > > I did similar thing, the trick here is to use two
> > > WebSecurityConfigurerAdaptes.
> > >
> > > Zbynek
> > >
> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > > nino.martinez.w...@gmail.com> wrote:
> > >
> > > > Hope its okay to use the wicket user mailing list for this:)
> > > >
> > > > First of all thanks to MarcGiffing for making the project. But I
> cannot
> > > get
> > > > actuator endpoints to work with spring security and wicket spring
> > boot..
> > > > I've tried a lot of things..
> > > >
> > > > IN my WebSecurityConfigurerAdapter:
> > > >
> > > > http
> > > >
> > > >
> > > >
> > >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > >
> > > > http
> > > > .csrf().disable()
> > > > .authorizeRequests().anyRequest().permitAll()
> > > > .and()
> > > > .logout()
> > > > .permitAll();
> > > > http.headers().frameOptions().disable();
> > > >
> > > > But that just disables actuator and messes with the Wicket side of
> the
> > > > security.. Any one have some clues=
> > > >
> > > > --
> > > > Best regards / Med venlig hilsen
> > > > Nino Martinez
> > > >
> > >
> >
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
> >
>
--
Best regards / Med venlig hilsen
Nino Martinez
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
In my case it works something like this:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration {
@Configuration
@Order(1)
public static class RestSecurityConfig extends
WebSecurityConfigurerAdapter {
.. user details service, auth providers etc
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
.and().csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().httpBasic();
}
}
@Configuration
@Order(2)
public static class WicketSecurityConfig extends
WebSecurityConfigurerAdapter {
.. user details service, auth providers etc
@Override
protected void configure(AuthenticationManagerBuilder auth) throws
Exception {
auth.authenticationProvider(wicketAuthenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/page/**").authorizeRequests()
.antMatchers("/page/login**").permitAll()
.antMatchers("/page/**").hasRole("ROLE")
.and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
.and().csrf().disable();
}
@Override
@Bean(name = "authenticationManager")
public AuthenticationManager authenticationManagerBean() throws
Exception {
return super.authenticationManagerBean();
}
}
}
The RestSecurityConfigwould be what you would do for actuators, for me
thats the REST API.
Not the order of "antMatcher", "authorizeRequests" and " antMatchers".
Zbynek
On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:
> do you have an example? OR is it just to cut them into two like:
> WebSecurityConfigurerAdapter A:
>
>
> http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
> WebSecurityConfigurerAdapter B:
> http
> .csrf().disable()
> .authorizeRequests().anyRequest().permitAll()
> .and()
> .logout()
> .permitAll();
> http.headers().frameOptions().disable();
>
>
> On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros
> wrote:
>
> > Hi,
> >
> > I did similar thing, the trick here is to use two
> > WebSecurityConfigurerAdaptes.
> >
> > Zbynek
> >
> > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > Hope its okay to use the wicket user mailing list for this:)
> > >
> > > First of all thanks to MarcGiffing for making the project. But I cannot
> > get
> > > actuator endpoints to work with spring security and wicket spring
> boot..
> > > I've tried a lot of things..
> > >
> > > IN my WebSecurityConfigurerAdapter:
> > >
> > > http
> > >
> > >
> > >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > >
> > > http
> > > .csrf().disable()
> > > .authorizeRequests().anyRequest().permitAll()
> > > .and()
> > > .logout()
> > > .permitAll();
> > > http.headers().frameOptions().disable();
> > >
> > > But that just disables actuator and messes with the Wicket side of the
> > > security.. Any one have some clues=
> > >
> > > --
> > > Best regards / Med venlig hilsen
> > > Nino Martinez
> > >
> >
>
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Hi,
I did similar thing, the trick here is to use two
WebSecurityConfigurerAdaptes.
Zbynek
On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:
> Hope its okay to use the wicket user mailing list for this:)
>
> First of all thanks to MarcGiffing for making the project. But I cannot get
> actuator endpoints to work with spring security and wicket spring boot..
> I've tried a lot of things..
>
> IN my WebSecurityConfigurerAdapter:
>
> http
>
>
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
> http
> .csrf().disable()
> .authorizeRequests().anyRequest().permitAll()
> .and()
> .logout()
> .permitAll();
> http.headers().frameOptions().disable();
>
> But that just disables actuator and messes with the Wicket side of the
> security.. Any one have some clues=
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
do you have an example? OR is it just to cut them into two like:
WebSecurityConfigurerAdapter A:
http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
WebSecurityConfigurerAdapter B:
http
.csrf().disable()
.authorizeRequests().anyRequest().permitAll()
.and()
.logout()
.permitAll();
http.headers().frameOptions().disable();
On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros
wrote:
> Hi,
>
> I did similar thing, the trick here is to use two
> WebSecurityConfigurerAdaptes.
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Hope its okay to use the wicket user mailing list for this:)
> >
> > First of all thanks to MarcGiffing for making the project. But I cannot
> get
> > actuator endpoints to work with spring security and wicket spring boot..
> > I've tried a lot of things..
> >
> > IN my WebSecurityConfigurerAdapter:
> >
> > http
> >
> >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >
> > http
> > .csrf().disable()
> > .authorizeRequests().anyRequest().permitAll()
> > .and()
> > .logout()
> > .permitAll();
> > http.headers().frameOptions().disable();
> >
> > But that just disables actuator and messes with the Wicket side of the
> > security.. Any one have some clues=
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
> >
>
--
Best regards / Med venlig hilsen
Nino Martinez
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Already done that.. Thanks for the idea.. On my webservice project I am
doing this:
http
.authorizeRequests()
.antMatchers("/services/**").hasRole("USER").and().httpBasic().and().
csrf().disable();
http
.authorizeRequests()
.antMatchers("/actuator/**").hasRole("ACTUATOR").and().httpBasic().and().
csrf().disable();
And its working fine, I am wondering if its because my mountpoints for
wicket all are mapped to root like /home /login .. Which could conflict
with /actuator?
On Thu, Jan 24, 2019 at 3:01 PM Andrea Del Bene
wrote:
> I had a problem with Spring Boot 2 and actuator as many of them are
> disabled by default in the new version. I don't know if this is the case
> for you, but I would try enabling all of them via config file. For example
> with yml is something like:
>
> management:
> endpoints:
> web:
> exposure:
> include: "*"
>
> On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Hope its okay to use the wicket user mailing list for this:)
> >
> > First of all thanks to MarcGiffing for making the project. But I cannot
> get
> > actuator endpoints to work with spring security and wicket spring boot..
> > I've tried a lot of things..
> >
> > IN my WebSecurityConfigurerAdapter:
> >
> > http
> >
> >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >
> > http
> > .csrf().disable()
> > .authorizeRequests().anyRequest().permitAll()
> > .and()
> > .logout()
> > .permitAll();
> > http.headers().frameOptions().disable();
> >
> > But that just disables actuator and messes with the Wicket side of the
> > security.. Any one have some clues=
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
> >
>
>
> --
> Andrea Del Bene.
> Apache Wicket committer.
>
--
Best regards / Med venlig hilsen
Nino Martinez
Re: Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
I had a problem with Spring Boot 2 and actuator as many of them are
disabled by default in the new version. I don't know if this is the case
for you, but I would try enabling all of them via config file. For example
with yml is something like:
management:
endpoints:
web:
exposure:
include: "*"
On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:
> Hope its okay to use the wicket user mailing list for this:)
>
> First of all thanks to MarcGiffing for making the project. But I cannot get
> actuator endpoints to work with spring security and wicket spring boot..
> I've tried a lot of things..
>
> IN my WebSecurityConfigurerAdapter:
>
> http
>
>
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
>
> http
> .csrf().disable()
> .authorizeRequests().anyRequest().permitAll()
> .and()
> .logout()
> .permitAll();
> http.headers().frameOptions().disable();
>
> But that just disables actuator and messes with the Wicket side of the
> security.. Any one have some clues=
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>
--
Andrea Del Bene.
Apache Wicket committer.
Wicket Spring boot versus actuator (wicket 8.2.0) + spring security (boot 2.1.2)
Hope its okay to use the wicket user mailing list for this:)
First of all thanks to MarcGiffing for making the project. But I cannot get
actuator endpoints to work with spring security and wicket spring boot..
I've tried a lot of things..
IN my WebSecurityConfigurerAdapter:
http
.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
http
.csrf().disable()
.authorizeRequests().anyRequest().permitAll()
.and()
.logout()
.permitAll();
http.headers().frameOptions().disable();
But that just disables actuator and messes with the Wicket side of the
security.. Any one have some clues=
--
Best regards / Med venlig hilsen
Nino Martinez
