Ok, things become more complex :) Guys, here is the trivial task I'm trying to resolve: provide authentication against a datasource (using a custom AuthenticationProvider) + authorization based on a set of criteria (user role being one of them) + secure specific pages.
I try to solve it using the old-school approach with Spring + Spring Security + web framework (Wicket in this case). However, it looks like not so many people go this way. Can someone who has Wicket experience describe a Wicket-friendly solution for that? Do you really use Wicket security for all levels of your app? Or are you using Apache Shiro every time you choose Wicket as a web framework?

P.S. There is not much information about Wicket security strategy on the site and most of it is outdated. I believe some rough design pattern for the task I described will be really useful for other people.

On Fri, Dec 24, 2010 at 6:04 PM, Jeremy Thomerson <[email protected]> wrote:

> On Fri, Dec 24, 2010 at 1:39 PM, James Carman
> <[email protected]> wrote:
> >> Doing it with intercept URLs might work for a few pages that you have
> >> mounted in Wicket, but in the end, every new page is going to have to be set
> >> up perfectly. It's not worth it to go that route.
> >>
> >
> > It will work fine for "mounted" bookmarkable pages, but it will get a
> > little crazy once you start getting into listeners and stuff. You
> > could use AspectJ to weave your classes so that they have the security
> > stuff baked in. Then, they'll throw the proper exceptions and if you
> > use the request cycle trick I showed you, it will forward to the login
> > page.
>
> This is the key that most people miss. You can *only* secure the
> *initial view* of a bookmarkable / mounted page through URL-based
> security. As soon as I submit a form, click a link, or use an AJAX
> behavior, I go to a non-bookmarkable URL that is session dependent and
> you *can not* use URL based security for this. Even with the hybrid
> strategy. See [1] for more information about how URLs work.
>
> [1]
> http://apache-wicket.1842946.n4.nabble.com/urls-after-a-form-submission-tp2965981p2966109.html
>
> --
> Jeremy Thomerson
> http://wickettraining.com
> Need a CMS for Wicket? Use Brix!
> http://brixcms.org

--
Best regards,
Dmytro Seredenko
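
One way to wire the pieces asked about above, as an added example that is not part of the original message or the Wicket project's own code: the Wicket session delegates login to Spring Security's AuthenticationManager (and so to the custom AuthenticationProvider), and pages are authorized when Wicket instantiates them rather than by URL pattern. It assumes Wicket 6+ package names with wicket-auth-roles and wicket-spring, an application extending AuthenticatedWebApplication that returns this session class from getWebSessionClass(), and a bean named "authenticationManager"; the class names and ROLE_ADMIN are hypothetical.

```java
// --- SpringBackedSession.java (hypothetical name; each public class goes in its own file) ---
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.injection.Injector;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.Request;
import org.apache.wicket.spring.injection.annot.SpringBean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

public class SpringBackedSession extends AuthenticatedWebSession {
    // Assumed bean name; the manager delegates to the custom AuthenticationProvider.
    @SpringBean(name = "authenticationManager")
    private AuthenticationManager authenticationManager;
    // Kept in the Wicket session so roles survive across requests.
    private Authentication authentication;

    public SpringBackedSession(Request request) {
        super(request);
        Injector.get().inject(this); // requires SpringComponentInjector to be installed
    }

    @Override
    public boolean authenticate(String username, String password) {
        try {
            authentication = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            return authentication.isAuthenticated();
        } catch (AuthenticationException e) {
            authentication = null;
            return false; // fail closed: bad credentials, locked account, provider error
        }
    }

    @Override
    public Roles getRoles() {
        Roles roles = new Roles();
        if (isSignedIn() && authentication != null) {
            for (GrantedAuthority a : authentication.getAuthorities()) roles.add(a.getAuthority());
        }
        return roles; // empty set means every role check is denied
    }
}

// --- AdminPage.java: checked on every instantiation, not only for its mounted URL ---
@AuthorizeInstantiation("ROLE_ADMIN")
public class AdminPage extends WebPage { }
```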
