Hi,
Tom Norton wrote:
> Let's say I have a page called: /order-details/${orderId}.
>
> Let's also say I want to ensure that some customer named Bob can only see
> the order-details pages for the orders he placed, but not any of the
> order-details pages for orders that John placed.
>
> I already know wicket has role-based security. Does wicket also have some
> form of parameter-based security? Am I barking up the wrong tree? Should
> this security check be inside a hibernate on-load event listener instead?
I'm not aware of a built-in mechanism. After all, wicket couldn't know
about the meaning of a parameter...
We check access in the page constructor, either explicity there (call a
DAO, or call a Service), or by using a behavior that does the check if
the check needs to be elsewhere. If violated, we throw an
AuthrozationException.
But I'd be interested on how you would pass the query parameter value to
a Hibernate event listener. Aren't they registered rather statically
with the SessionFactory?
>
> Thanks,
> Tom
>
Hope this helps, bye
Stefan
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
