On Fri, Dec 10, 2010 at 8:03 AM, Henrique Boregio <[email protected]> wrote:
> Just like many others, my website has parts that are “public” and
> parts where the user has to log in to see it. Since I don’t need to
> manage user roles, I have this basic interface:
>
> public class SecureWebPage extends WebPage {
>     public SecureWebPage() {
>         if (!UserLoggedInSession.get().isLoggedIn()) {
>             getRequestCycle().setRedirect(true);
>             throw new RestartResponseException(Login.class);
>         }
>     }
> }
>
> So, if I have a webpage that is “private”, it just extends this
> interface instead of the normal Wicket Page.
>
> My question is, just how safe is this approach to securing specific
> individual webpages?
> Could this security mechanism be easily broken and let non-logged-in users
> in?
>
It is secure. It is essentially what Wicket security frameworks do. You
should look at implementing IAuthorizationStrategy in your application to
centralize the security. If you need a simple example to get you going,
start with Wicket Auth Roles.
--
Jeremy Thomerson
http://wickettraining.com
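
Added example, not part of the original thread and not Wicket's own code: one way to centralize the login check with IAuthorizationStrategy, as the reply suggests, assuming the Wicket 1.4 API (the thread dates from 2010). SecureWebPage, UserLoggedInSession and Login are the poster's classes; MyApplication and HomePage are hypothetical names.

```java
import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
import org.apache.wicket.authorization.UnauthorizedInstantiationException;
import org.apache.wicket.protocol.http.WebApplication;

// Hypothetical application class; HomePage is a placeholder for a public page.
public class MyApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();

        // Wicket consults the strategy before constructing any component,
        // so the check no longer depends on each page's own constructor.
        getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy() {
            public <T extends Component> boolean isInstantiationAuthorized(Class<T> componentClass) {
                // Only subclasses of SecureWebPage require a logged-in session.
                if (!SecureWebPage.class.isAssignableFrom(componentClass)) {
                    return true;
                }
                return UserLoggedInSession.get().isLoggedIn();
            }

            public boolean isActionAuthorized(Component component, Action action) {
                // No per-component RENDER/ENABLE restrictions (no roles needed).
                return true;
            }
        });

        // Decide what happens when instantiation is refused.
        getSecuritySettings().setUnauthorizedComponentInstantiationListener(
            new IUnauthorizedComponentInstantiationListener() {
                public void onUnauthorizedInstantiation(Component component) {
                    if (component instanceof Page) {
                        // Remembers the requested URL so Login can call
                        // continueToOriginalDestination() after sign-in.
                        throw new RestartResponseAtInterceptPageException(Login.class);
                    }
                    throw new UnauthorizedInstantiationException(component.getClass());
                }
            });
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }
}
```

With this in place SecureWebPage can stay as a marker base class; the check in its constructor becomes redundant but harmless.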