Hi Tom

Is my assumption correct that authentication is not managed by the servlet container but by wicket? If yes, this is a similar use case like spring security where the servlet container runs insecurely (no security constraints defined in web.xml) and authentication/authorization is enforced by the application framework.
This sounds like an additional plugin for fediz which could be implemented in the same way as tomcat, jetty, spring security, etc. Therefore, you can have a look at the implementation for one of these. You might have to extend AuthenticatedWebApplication or AuthenticatedWebSession, but I'm not too familiar with wicket.

To validate a sign in Response (SAML Assertion enveloped within RSTR of the STS and posted in wresult Parameter) you can have a look at the unit tests here (test method validateSAML2Token):
https://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java?view=markup

You can also raise a jira for wicket support for fediz and attach a patch file. Someone can look into it and provide feedback thus we can add it to the project finally. Such a contribution would be great.

What do you think?

Thanks
Oli

------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division
http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [[email protected]]
Sent: 03 July 2013 01:12
To: [email protected]
Subject: Programmatic Fediz Authentication

I got my test application working for a simple page. Now I'm trying to integrate with the in place authentication strategy currently in use for my applications.

Background:
Wicket Framework 1.5 (http://wicket.apache.org/) implementing IAuthorizationStrategy (http://ci.apache.org/projects/wicket/apidocs/1.5.x/org/apache/wicket/authorization/IAuthorizationStrategy.html)
The IAuthorizationStrategy#isInstantiationAuthorized() method fires before any component is created. All pages are secured (requires the user be logged in, not necessarily to ADFS.)
I have added Custom Annotations so I can add @Validate(myAlaska = MyAKChek.Check) to my page class to force a check of any particular page whether or not the page has a friendly URL (for example to be copied into a Spring-Security config).

In my current Implementation, when it detects that a MyAlaska Login is required, how can I programmatically initiate the ADFS login process?

I hope that makes sense.

Thank you again,
Tom Burton
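The sign-in flow discussed in this thread, as an added example that is not part of either message and is not Fediz or Wicket code: it builds the WS-Federation passive sign-in redirect with JDK classes only and ties the posted response back to the session through a single-use `wctx` value, so an unsolicited or replayed `wresult` post is rejected before token validation. The class name `WsFedSignIn`, the STS URL, the realm and the in-memory map standing in for session storage are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class WsFedSignIn {
    // Placeholder values (assumptions): use the ones configured for your relying party.
    static final String IDP_URL = "https://sts.example.org/adfs/ls/";
    static final String REALM = "urn:example:wicket-app";
    private static final SecureRandom RNG = new SecureRandom();

    // Stand-in for per-user session storage: wctx -> page the user asked for.
    private final Map<String, String> pending = new ConcurrentHashMap<>();

    /** Redirect target that starts the passive sign-in for the given page. */
    String buildSignInUrl(String requestedPage) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String wctx = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(wctx, requestedPage);
        return IDP_URL + "?wa=wsignin1.0&wtrealm=" + enc(REALM) + "&wctx=" + enc(wctx);
    }

    /** Page to resume, or null when this session did not request the response. */
    String acceptResponse(String wa, String wctx, String wresult) {
        if (!"wsignin1.0".equals(wa) || wctx == null || wresult == null || wresult.isEmpty()) {
            return null;
        }
        // remove() makes each context value single use; the token in wresult must
        // still be validated (signature, issuer, audience, expiry) before login.
        return pending.remove(wctx);
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8); // Java 10+
    }

    public static void main(String[] args) {
        WsFedSignIn app = new WsFedSignIn();
        String url = app.buildSignInUrl("/secure/report");
        String wctx = url.substring(url.indexOf("&wctx=") + 6); // base64url needs no decoding
        String token = "<constructed-rstr/>"; // constructed stand-in for the posted wresult
        System.out.println(url);
        System.out.println(app.acceptResponse("wsignin1.0", wctx, token));
        System.out.println(app.acceptResponse("wsignin1.0", wctx, token));
        System.out.println(app.acceptResponse("wsignin1.0", "forged", token));
    }
}
```

In an authorization strategy, the redirect would be issued when a page requires the federated login and no validated token is present in the session; the returned page name is where the user resumes once the token in `wresult` has passed validation.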
