Hi Brian, thanks for your response, I'll definitely try proposed approach. The reasons to manage Sprimg Security 3 authorization are:
- to have one security framework for authentication and authorization (which is more naturally than having two) - to have https configuration based on intercept urls (I'm not sure Wicket can offer this) - to use Spring expressions for authorization I don't see a way how to achieve the mentioned goals using Wicket auth-roles. Thanks, Dmytro. On Fri, Dec 24, 2010 at 8:40 AM, Brian Topping <[email protected]> wrote: > The key for using Wicket authorization annotations is to implement > IAuthorizationStrategy and IUnauthorizedComponentInstantiationListener. > When you get called in those methods, you can call out to Spring Security > to check how to proceed. Just implement the methods with stubs, set > breakpoints there, and look at what you are passed. All will be clear, it's > really easy to use. > > Doing it with intercept URLs might work for a few pages that you have > mounted in Wicket, but in the end, every new page is going to have to be set > up perfectly. It's not worth it go go that route. > > Brian > > On Dec 24, 2010, at 2:38 AM, Dmytro Seredenko wrote: > > > Guys, > > > > did anyone use Spring Security <intercept-url> for managing authorization > > for Wicket-driven webapp? > > > > It's still unclear to me: can I use SS 3 as an authorization tool with > > configuration like: > > > > <security:http create-session="never" auto-config="true"> > > <security:intercept-url pattern="/admin" access="ROLE_ADMIN"/> > > <security:intercept-url pattern="/**"/> > > </security:http> > > > > or there is no way to omit wicket-auth-roles? > > > > P.S. Although Wicket 'auth' annotations work, I couldn't make it work > with > > Spring Security only. > > > > Thanks, > > Dmytro. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > -- Best regards, Dmytro Seredenko
