Hi Kent, Although it is early, I am using the wicket-jsecurity integration in one of my (big) projects. It is working pretty well. Feel free to ask questions - I'm happy to help along the way.
Cheers, Les (JSecurity founder) On Tue, Mar 10, 2009 at 1:42 PM, Kent Larsson <[email protected]>wrote: > Integrating with jSecurity instead is really a last resort. If it is > at all possible I wouldn't like to introduce more framework > dependencies. That integration project seems a bit early to use as > well, but it might be interesting in the future. Thanks for the link! > > Regarding Spring Security (SS). Is anyone integrating Wicket with SS > on their own? I've read lots about SS now but I still find it hard to > see what I need for a Wicket application. > > I got some tips at: > http://wiki.apache.org/tapestry/Tapestry5AcegiNoAnnotations > > But I still have lots of questions. > - In the above link they are using a link and passing the information > by GET. I would like to use POST, and I guess that shouldn't be a > problem. Tell me if you see some? > - I have to instruct SS to redirect a user to my own login page if > (s)he tries to access something which requires authentication. How is > that done? > - When a user registers an account I guess I should pass something on > to a servlet filter, similar to how authentication works? > - Which servlet filters do you think I'll need? > > If I can just get someone to register and authenticate. Then I'll just > use the instructions in SS documentation to get GrantedAuthority > objects. I'll use these to show/hide things in Wicket pages as well as > enable/disable other things. Does that sound like a good approach? > > If anyone has *any* tips I would be immensely greatful!! As I think > this is quite complex and I'm new to Spring Security. > > Best regards, > Kent > > > On Mon, Mar 9, 2009 at 7:16 PM, Ryan McKinley <[email protected]> wrote: > > I have not used it (yet), but check: > > http://code.google.com/p/wicket-jsecurity/ > > > > > > > > On Mar 9, 2009, at 1:46 PM, Kent Larsson wrote: > > > >> Hm, I had some problems. Are there any examples out there for this? > >> > >> On Mon, Mar 9, 2009 at 9:43 AM, Kent Larsson <[email protected]> > >> wrote: > >>> > >>> Hi, > >>> > >>> Great answer! :-) I'll try to do that today. > >>> > >>> Best regards, Kent > >>> > >>> > >>> On Sun, Mar 8, 2009 at 8:38 PM, Erik van Oosten <[email protected]> > >>> wrote: > >>>> > >>>> Hi Kent, > >>>> > >>>> Go with something that enables authorization in the service layer > (e.g. > >>>> Spring Security, jSecurity, ...). > >>>> > >>>> Next base your custom wicket authorization on the authentication store > >>>> of > >>>> the chosen base technology. Spring Security uses a thread local as > >>>> authentication store and has a servlet filter to copy the > authenticated > >>>> user > >>>> to/from the session so that the authenticated user is handily > available > >>>> during a request and properly stored afterwards. > >>>> > >>>> Authentication itself can be implemented from Wicket in a custom way > >>>> (e.g. a > >>>> username/password form). On success you just store the authenticated > >>>> user in > >>>> the authentication store. > >>>> > >>>> Regards, > >>>> Erik. > >>>> > >>>> > >>>> Kent Larsson wrote: > >>>>> > >>>>> Hi, > >>>>> > >>>>> I know there has been some discussion on this. But I've had a hard > >>>>> time deciding how this project should use security anyway. > >>>>> > >>>>> The application in question is layered into three layers for > >>>>> presentation, services and persistence using Wicket, Spring and > >>>>> Hibernate. > >>>>> > >>>>> What we need: > >>>>> - Authentication > >>>>> - Authorization on pages, components > >>>>> - Authorization before being able to run methods in the service layer > >>>>> - Authorization for viewing/editing some domain objects using Access > >>>>> Control List's (ACL's) > >>>>> > >>>>> I have read Wicket in Action and it's custom security solution has > some > >>>>> pros: > >>>>> - It's quite easy to understand > >>>>> - We have a lot of freedom in how to do authentication and > >>>>> authorization > >>>>> > >>>>> And some cons: > >>>>> - I don't know how to authorize calls of specific methods, and thus > >>>>> - All security will be in the presentation layer > >>>>> - It won't be usable if we want security on web services later (which > >>>>> we do not need now, so maybe this can be disregarded) > >>>>> > >>>>> It would be nice if we could have a common solution to our security > >>>>> needs that integrates well with Wicket and Spring. I know that the > >>>>> Auth Roles project is out there as well as Swarm. But I don't know > >>>>> which will meet our needs and which will most likely be an option to > >>>>> us when we later move to Wicket 1.4 or a higher version. > >>>>> > >>>>> Best regards, > >>>>> Kent > >>>>> > >>>>> > >>>> > >>>> > >>>> -- > >>>> Erik van Oosten > >>>> http://www.day-to-day-stuff.blogspot.com/ > >>>> > >>>> > >>>> --------------------------------------------------------------------- > >>>> To unsubscribe, e-mail: [email protected] > >>>> For additional commands, e-mail: [email protected] > >>>> > >>>> > >>> > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: [email protected] > >> For additional commands, e-mail: [email protected] > >> > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
