You can integrate Shiro with auth-roles very easily. Just create
ShiroAuthenticatedWebSession.

package com.wicketized.extension.security;

import java.util.LinkedList;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Wicket session that delegates authentication and role lookup to Shiro.
// RoleType is not shown in this message; it is assumed to be the
// application's own enum whose getCode() returns the Shiro role name.
public class ShiroWebSession extends AuthenticatedWebSession {

    private static final Roles NO_ROLES = new Roles();

    public ShiroWebSession (Request request) {
        super(request);
    }

    @Override
    public boolean authenticate (String username, String password) {
        Subject currentUser;

        // Log in only if the Shiro subject is not authenticated yet. For an
        // already authenticated subject the supplied credentials are not checked.
        if (!(currentUser = SecurityUtils.getSubject()).isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken(username, password);

            token.setRememberMe(true);
            try {
                currentUser.login(token);
            }
            catch (Exception exception) {
                // Any failure during login is reported as a failed sign-in.
                return false;
            }
        }

        return true;
    }

    @Override
    public Roles getRoles () {
        Subject subject;

        // Roles are reported only for an authenticated subject.
        if (((subject = SecurityUtils.getSubject()) != null) && subject.isAuthenticated()) {
            LinkedList<String> codeList;
            String[] codes;

            // Collect every known role code that Shiro grants to this subject.
            codeList = new LinkedList<String>();
            for (RoleType roleType : RoleType.values()) {
                if (subject.hasRole(roleType.getCode())) {
                    codeList.add(roleType.getCode());
                }
            }

            codes = new String[codeList.size()];
            codeList.toArray(codes);

            return new Roles(codes);
        }

        return NO_ROLES;
    }

    @Override
    public void signOut () {
        // Log out of Shiro first, then clear the Wicket sign-in state.
        SecurityUtils.getSubject().logout();
        super.signOut();
    }
}

-----Original Message-----
From: Thomas Heigl [mailto:[email protected]]
Sent: Tuesday, November 15, 2011 11:06 AM
To: [email protected]
Subject: Re: Creating a Wicket Session outside of a Wicket request
Hey David,
Thanks for your reply! I have thought about using Spring Security or
Shiro, but at the moment the minimal wicket-auth-roles is enough for my
requirements. I'd prefer to just create the session myself when I need
it.
Any other ideas?
Cheers,
Thomas
On Tue, Nov 15, 2011 at 8:02 PM, David Berkman
<[email protected]> wrote:
> Apache Shiro, and create a Shiro version of WebSession. Then Wicket
> can ask for the Shiro Session from the HTTP context, and you can get it
> outside the context.
>
> David
>
> -----Original Message-----
> From: Thomas Heigl [mailto:[email protected]]
> Sent: Tuesday, November 15, 2011 10:57 AM
> To: [email protected]
> Subject: Creating a Wicket Session outside of a Wicket request
>
> Hey all,
>
> I have a requirement where I'd like to create a Wicket Session outside
> of a Wicket request:
>
> My application runs stand-alone (no problem here) and as a Facebook
> application. Facebook calls my REST authentication service with a
> user's credentials if they open my application in Facebook. At this
> point I don't have a Wicket session, but want to sign in the user in my
> AuthenticatedWebSession from wicket-auth-roles. I'm using the
> WicketSessionFilter in front of my REST service to get access to the
> session, which works fine if the session already exists. If there is
> no session, as in this case, the filter throws an
> IllegalArgumentException.
>
> Since I have access to the Wicket Application I thought about calling
> Application.get().newSession(), but this method only accepts Wicket's
> WebRequest and WebResponse objects. Is it somehow possible to bind a
> new session in a non-wicket request?
>
> Kind regards,
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>