If I understand correctly, Marc wants to build a contact details page
which can either be public (unprotected), private or semi-private (think
Facebook privacy settings) based on a user preference, most likely
stored in a database.
I am also trying to implement a similar mechanism and I am having
trouble finding how to achieve this with the IAuthorizationStrategy. A
pre-condition to achieving such an authorization check is to have access
to the Page constructor parameters (PageParameters or otherwise).
Without them, I can't see how it is possible to retrieve the privacy
settings of a user's detail page.
IAuthorizationStrategy#isInstantiationAuthorized(Class<T>
componentClass) is called in the constructor of Component. At that time,
Page#getPageParameters() cannot be used because its constructor has not
been executed. Is there another way to access the PageParameters for the
current Page instanciation? What about if the page is created with
another constructor which receives model objects?
Marc, if you find an appropriate way to deal with this, could you please
provide some hints? Also, please correct me if I misunderstood your purpose.
Regards,
Bertrand
On 29/03/2011 5:27 PM, [email protected] wrote:
I think you could do it by using a "base role" that all users receive,
then add additional roles to tighten it down. You would then need to fake
authentication of the "base" users by calling session.authenticate("user",
"pass") and assigning the "BASE" role, even though the user won't
explicitly log in. Users who do log in will receive the correct role such
as "ADMIN"
Some users secure (ADMIN), some users wide-open (BASE)
@AuthorizeInstantiation({"ADMIN", "BASE"})
All users secure
@AuthorizeInstantiation("ADMIN")
You might also consider subclassing the page and marking that with the
annotation, then handle the response to the secured or unsecured version
by checking if the user is signed in. I'm not sure where you are going
with this because I'm not sure why you have the requirement of being
secure for some users but not secure for others.
From: hrbaer<[email protected]>
To: [email protected]
Date: 03/29/2011 12:37 PM
Subject: flexible authentication
Hi all,
my web application is using the wicket authentication approach
(AuthenticatedWebSession) and all my "secure" java files are marked with
"@AuthorizeInstantiation("ADMIN")"
So once I added this annotation there is no chance to bypass the
authentication.
But what if there is the need to be flixible? What if for some users the
page A should be secure and for others don't?
Let's assume there is is page with e.g. contact informations and a user
can
decide for his own if the page should be accessible with or without
authentication. How can I achieve that without using the wicket approach?
At
the moment it don't think that the wicket approach is the right one?!
Thanks in advance.
--
View this message in context:
http://apache-wicket.1842946.n4.nabble.com/flexible-authentication-tp3415413p3415413.html
Sent from the Users forum mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Notice: This communication, including any attachments, is intended solely
for the use of the individual or entity to which it is addressed. This
communication may contain information that is protected from disclosure
under State and/or Federal law. Please notify the sender immediately if
you have received this communication in error and delete this email from
your system. If you are not the intended recipient, you are requested not
to disclose, copy, distribute or take any action in reliance on the
contents of this information.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
