It seems you have mixed my code with your code somehow. You must configure formLogin() and specify loginPage() pointing to your Wicket login page (maybe using @MountPath?). The .loginProcessingUrl() points to "/fake-url" because the authentication itself is called from the Wicket login page via AuthenticatedWebSession.get().signIn(). Or do you use another mechanism in your Wicket login page?

Zbynek

On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <[email protected]> wrote:

> It sort of works. If I go to the actuator I get the http basic auth, if I
> on the same session go to my pages.. I get an "ugly" access denied page and
> not the configured wicket login page. So it sort of works..
>
> If I just go to localhost:8080/ I get a default spring login page not the
> wicket one.. Upon successful login it forwards me to the wicket login page,
> where I can login again and then get to the real application..
>
> Below my current code:
>
> package dk.netdesign.ccadmin.frontend.security;
>
> import org.springframework.context.annotation.Bean;
> import org.springframework.context.annotation.Configuration;
> import org.springframework.core.annotation.Order;
> import org.springframework.security.authentication.AuthenticationManager;
> import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> import org.springframework.security.config.http.SessionCreationPolicy;
> import org.springframework.security.core.Authentication;
> import org.springframework.security.core.context.SecurityContextHolder;
> import org.springframework.security.core.userdetails.User;
> import org.springframework.security.core.userdetails.UserDetailsService;
> import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> import org.springframework.security.provisioning.InMemoryUserDetailsManager;
> import org.springframework.stereotype.Component;
>
> @Configuration
> public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {
>
>     @Configuration
>     @Order(1)
>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
>
>         @Override
>         protected void configure(HttpSecurity http) throws Exception {
>             http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
>                     .and().csrf().disable()
>                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
>                     .and().httpBasic();
>         }
>     }
>
>     @Configuration
>     @Order(2)
>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
>         @Override
>         protected void configure(HttpSecurity http) throws Exception {
>             http.antMatcher("/page/**").authorizeRequests()
>                     .antMatchers("/page/login**").permitAll()
>                     .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
>                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
>                     .and().csrf().disable();
>         }
>     }
>
>     @Bean
>     public static BCryptPasswordEncoder passwordEncoder() {
>         return new BCryptPasswordEncoder();
>     }
>
>     @Bean(name = "authenticationManager")
>     @Override
>     public AuthenticationManager authenticationManagerBean() throws Exception {
>         return super.authenticationManagerBean();
>     }
>
>     public interface IAuthenticationFacade {
>         Authentication getAuthentication();
>     }
>
>     @Component
>     public class AuthenticationFacade implements IAuthenticationFacade {
>
>         @Override
>         public Authentication getAuthentication() {
>             return SecurityContextHolder.getContext().getAuthentication();
>         }
>     }
>
>     @Bean
>     public UserDetailsService userDetailsService() {
>         InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
>         manager.createUser(
>                 User.withUsername("admin")
>                         .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
>                         .build());
>
>         manager.createUser(
>                 User.withUsername("actuator")
>                         .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
>                         .build());
>
>         return manager;
>     }
> }
>
> On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <[email protected]> wrote:
>
> > Thanks will try it:)
> >
> > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <[email protected]> wrote:
> >
> >> In my case it works something like this:
> >>
> >> @Configuration
> >> @EnableWebSecurity
> >> public class SecurityConfiguration {
> >>
> >>     @Configuration
> >>     @Order(1)
> >>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> >>
> >>         .. user details service, auth providers etc
> >>
> >>         @Override
> >>         protected void configure(HttpSecurity http) throws Exception {
> >>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> >>                     .and().csrf().disable()
> >>                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> >>                     .and().httpBasic();
> >>         }
> >>     }
> >>
> >>     @Configuration
> >>     @Order(2)
> >>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> >>
> >>         .. user details service, auth providers etc
> >>
> >>         @Override
> >>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> >>             auth.authenticationProvider(wicketAuthenticationProvider);
> >>         }
> >>
> >>         @Override
> >>         protected void configure(HttpSecurity http) throws Exception {
> >>             http.antMatcher("/page/**").authorizeRequests()
> >>                     .antMatchers("/page/login**").permitAll()
> >>                     .antMatchers("/page/**").hasRole("ROLE")
> >>                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> >>                     .and().csrf().disable();
> >>         }
> >>
> >>         @Override
> >>         @Bean(name = "authenticationManager")
> >>         public AuthenticationManager authenticationManagerBean() throws Exception {
> >>             return super.authenticationManagerBean();
> >>         }
> >>     }
> >> }
> >>
> >> The RestSecurityConfig would be what you would do for actuators, for me
> >> that's the REST API.
> >> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
> >>
> >> Zbynek
> >>
> >> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <[email protected]> wrote:
> >>
> >> > Do you have an example? Or is it just to cut them into two like:
> >> >
> >> > WebSecurityConfigurerAdapter A:
> >> >
> >> > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >> >
> >> > WebSecurityConfigurerAdapter B:
> >> >
> >> > http
> >> >     .csrf().disable()
> >> >     .authorizeRequests().anyRequest().permitAll()
> >> >     .and()
> >> >     .logout()
> >> >     .permitAll();
> >> > http.headers().frameOptions().disable();
> >> >
> >> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <[email protected]> wrote:
> >> >
> >> > > Hi,
> >> > >
> >> > > I did a similar thing, the trick here is to use two
> >> > > WebSecurityConfigurerAdapters.
> >> > >
> >> > > Zbynek
> >> > >
> >> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <[email protected]> wrote:
> >> > >
> >> > > > Hope it's okay to use the wicket user mailing list for this:)
> >> > > >
> >> > > > First of all thanks to MarcGiffing for making the project. But I cannot get
> >> > > > actuator endpoints to work with spring security and wicket spring boot..
> >> > > > I've tried a lot of things..
> >> > > >
> >> > > > In my WebSecurityConfigurerAdapter:
> >> > > >
> >> > > > http
> >> > > >     .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> >> > > >
> >> > > > http
> >> > > >     .csrf().disable()
> >> > > >     .authorizeRequests().anyRequest().permitAll()
> >> > > >     .and()
> >> > > >     .logout()
> >> > > >     .permitAll();
> >> > > > http.headers().frameOptions().disable();
> >> > > >
> >> > > > But that just disables actuator and messes with the Wicket side of the
> >> > > > security.. Anyone have some clues?
> >> > > >
> >> > > > --
> >> > > > Best regards / Med venlig hilsen
> >> > > > Nino Martinez
> >> >
> >> > --
> >> > Best regards / Med venlig hilsen
> >> > Nino Martinez
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
