Hi,

We use Spring Security for Artifact Listener but I think the general
principle should be the same:
https://github.com/openwide-java/artifact-listener/
and you might find it interesting to see how we did it.

Martin already mentioned it earlier but we use pac4j for OpenId/OAuth/whatever.

-- 
Guillaume


On Tue, Sep 2, 2014 at 12:11 PM, Martin Grigorov <mgrigo...@apache.org> wrote:
> Hi Sebastien,
>
> The button is just a UI. But the idea is the same.
>
> The difference is that the OAuth provider is rather an authentication
> service than an authorization one.
> Usually the user of some social network doesn't want to share his details
> with random apps (like yours and mine).
> So when you create an application at Twitter, Facebook, ... you have to
> specify what kind of details you want to be sent to the callback url. When
> an user authenticates (s)he is asked whether (s)he is willing to share
> these details (e.g. username, email, gender, ...). In my experience users
> use OAuth for authentication:
> 1) to reduce the number of accounts they have
> 2) to reduce the information they provide to random apps
>
> So (usually) the OAuth provider doesn't send much info about the
> authenticated user when calling your callback. I haven't seen anything like
> roles and privileges in the OAuth responses. It could be that I don't have
> enough experience with OAuth but I think the authorization part is left to
> the application.
>
> About your use case:
> - the user tries to load some protected resource/page
> - the application should:
> -- store the details about the requested resource (url + post data)
> -- redirect to the authentication url of the OAuth provider by passing the
> callback url
> - if the user agrees to share the required data then your callback url is
> called with the data. You should use it like normal authentication token,
> create a User in the session, etc.
>
> P.S. I have used a popup window for the authentication because if the user
> is not willing to share all the required info then the oauth provider may
> not call the callback url and your user may not return to your app and make
> a normal account
>
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
>
> On Tue, Sep 2, 2014 at 12:46 PM, Sebastien <seb...@gmail.com> wrote:
>
>> Hi Martin,
>>
>> The question is not much about having a signin button to authenticate the
>> user but more how to make it work with AuthenticatedWebApplication (or a
>> custom OAuthWebApplication for instance). The final goal is to keep
>> IRoleCheckingStrategy working
>> ie: the user access an @AuthorizeInstantiation annotated page,
>> #restartResponseAtSignInPage (for instance) redirect to the OAuth url, the
>> OAuth service redirect to a callback, which callback is a wicket
>> IRequestHandler, the handler sets isSigninedIn to true, sets the roles and
>> then call #redirectToOriginalDestination.
>>
>> That's how I see things, but I don't see any existing wicket solutions...
>> Is the usecase more clear?
>>
>> Thanks again,
>> Sebastien.
>>
>>
>>
>> On Tue, Sep 2, 2014 at 9:06 AM, Martin Grigorov <mgrigo...@apache.org>
>> wrote:
>>
>> > Hi Sebastien,
>> >
>> > What exactly do you need ?
>> >
>> > I have used https://github.com/fernandezpablo85/scribe-java to create
>> > "Authenticate with Xyz" buttons for signing in (e.g. with Facebook,
>> Twitter
>> > and LinkedIn).
>> >
>> > The developer of Scribe doesn't like OAuth2 (as many other developers)
>> and
>> > at some point he stated that he will not merge any new PRs for OAuth2
>> > impls. I don't see this statement in the README now, so he may have
>> changed
>> > his mind.
>> >
>> > Another auth client provider is https://github.com/leleuj/pac4j. I don't
>> > have experience with it but it looks like well maintained.
>> >
>> > Martin Grigorov
>> > Wicket Training and Consulting
>> > https://twitter.com/mtgrigorov
>> >
>> >
>> > On Mon, Sep 1, 2014 at 6:58 PM, Sebastien <seb...@gmail.com> wrote:
>> >
>> > > Hi all,
>> > >
>> > > AFAIS, there is nothing about a OAuth2 client in Wicket out-of-the-box
>> or
>> > > through a satellite project...
>> > >
>> > > Does somebody knows a *simple* solution for integrating OAuth2 into
>> > Wicket
>> > > (like a OAuthWebApplication, or maybe a ready-to-use Filter, just
>> giving
>> > > Consumer Key, Consumer Secret & URLs), without using spring-security
>> and
>> > > still keeping advantage of the role-based @AuthorizeInstantiation
>> > > annotation for instance?
>> > >
>> > > Thanks a lot in advance,
>> > > Sebastien.
>> > >
>> >
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to