Yes this is exactly how I've done it :) Thanks for taking time to help...

@WicketSignInPage
@MountPath("page/login")
public class LoginPage extends BasePage {

    public LoginPage(PageParameters parameters) {
        super(parameters);

        // Already signed in: skip the form and go back to the requested page
        if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
            continueToOriginalDestination();
        }
        add(new LoginForm("loginForm"));
    }

    private class LoginForm extends StatelessForm<LoginForm> {

        private String username;
        private String password;

        public LoginForm(String id) {
            super(id);
            setModel(new CompoundPropertyModel<>(this));
            add(new FeedbackPanel("feedback"));
            add(new RequiredTextField<String>("username"));
            add(new PasswordTextField("password"));
        }

        @Override
        protected void onSubmit() {
            // Authentication is triggered from the Wicket session
            AuthenticatedWebSession session = AuthenticatedWebSession.get();
            if (session.signIn(username, password)) {
                setResponsePage(HomePage.class);
            } else {
                error("Login failed");
            }
        }
    }
}

On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros <zbynekvav...@gmail.com> wrote:

> It seems you have mixed my code with your code somehow.
> You must configure formLogin() and specify loginPage() pointing to your
> Wicket login page (maybe using @MountPath?).
> The .loginProcessingUrl() points to "/fake-url" because the authentication
> itself is called from Wicket login page
> via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> in your Wicket login page?
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > It sort of works, If I go to the actuator I get the http basic auth, if I
> > on the same session go to my pages.. I get an "ugly" access denied page and
> > not the configured wicket login page. So it sort of works..
> >
> > If I just go to localhost:8080/ I get a default spring login page not the
> > wicket one.. Upon successful login it forwards me to the wicket login page,
> > where I can log in again and then get to the real application..
> >
> > Below my current code:
> >
> >
> > package dk.netdesign.ccadmin.frontend.security;
> >
> > import org.springframework.context.annotation.Bean;
> > import org.springframework.context.annotation.Configuration;
> > import org.springframework.core.annotation.Order;
> > import org.springframework.security.authentication.AuthenticationManager;
> > import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > import org.springframework.security.config.http.SessionCreationPolicy;
> > import org.springframework.security.core.Authentication;
> > import org.springframework.security.core.context.SecurityContextHolder;
> > import org.springframework.security.core.userdetails.User;
> > import org.springframework.security.core.userdetails.UserDetailsService;
> > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > import org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > import org.springframework.stereotype.Component;
> >
> > @Configuration
> > public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {
> >
> >     @Configuration
> >     @Order(1)
> >     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> >
> >         @Override
> >         protected void configure(HttpSecurity http) throws Exception {
> >             http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> >                     .and().csrf().disable()
> >                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> >                     .and().httpBasic();
> >         }
> >     }
> >
> >     @Configuration
> >     @Order(2)
> >     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> >         @Override
> >         protected void configure(HttpSecurity http) throws Exception {
> >             http.antMatcher("/page/**").authorizeRequests()
> >                     .antMatchers("/page/login**").permitAll()
> >                     .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
> >                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> >                     .and().csrf().disable();
> >         }
> >     }
> >
> >     @Bean
> >     public static BCryptPasswordEncoder passwordEncoder() {
> >         return new BCryptPasswordEncoder();
> >     }
> >
> >     @Bean(name = "authenticationManager")
> >     @Override
> >     public AuthenticationManager authenticationManagerBean() throws Exception {
> >         return super.authenticationManagerBean();
> >     }
> >
> >     public interface IAuthenticationFacade {
> >         Authentication getAuthentication();
> >     }
> >
> >     @Component
> >     public class AuthenticationFacade implements IAuthenticationFacade {
> >
> >         @Override
> >         public Authentication getAuthentication() {
> >             return SecurityContextHolder.getContext().getAuthentication();
> >         }
> >     }
> >
> >     @Bean
> >     public UserDetailsService userDetailsService() {
> >         InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
> >         manager.createUser(
> >                 User.withUsername("admin")
> >                         .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
> >                         .build());
> >
> >         manager.createUser(
> >                 User.withUsername("actuator")
> >                         .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> >                         .build());
> >
> >         return manager;
> >     }
> > }
> >
> >
> > On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > Thanks will try it:)
> > >
> > > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <zbynekvav...@gmail.com>
> > > wrote:
> > >
> > >> In my case it works something like this:
> > >>
> > >> @Configuration
> > >> @EnableWebSecurity
> > >> public class SecurityConfiguration {
> > >>
> > >>     @Configuration
> > >>     @Order(1)
> > >>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > >>
> > >>         // .. user details service, auth providers etc
> > >>
> > >>         @Override
> > >>         protected void configure(HttpSecurity http) throws Exception {
> > >>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> > >>                     .and().csrf().disable()
> > >>                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > >>                     .and().httpBasic();
> > >>         }
> > >>     }
> > >>
> > >>     @Configuration
> > >>     @Order(2)
> > >>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > >>
> > >>         // .. user details service, auth providers etc
> > >>
> > >>         @Override
> > >>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> > >>             auth.authenticationProvider(wicketAuthenticationProvider);
> > >>         }
> > >>
> > >>         @Override
> > >>         protected void configure(HttpSecurity http) throws Exception {
> > >>             http.antMatcher("/page/**").authorizeRequests()
> > >>                     .antMatchers("/page/login**").permitAll()
> > >>                     .antMatchers("/page/**").hasRole("ROLE")
> > >>                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > >>                     .and().csrf().disable();
> > >>         }
> > >>
> > >>         @Override
> > >>         @Bean(name = "authenticationManager")
> > >>         public AuthenticationManager authenticationManagerBean() throws Exception {
> > >>             return super.authenticationManagerBean();
> > >>         }
> > >>     }
> > >> }
> > >>
> > >> The RestSecurityConfig would be what you would do for actuators, for me
> > >> that's the REST API.
> > >> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
> > >>
> > >> Zbynek
> > >>
> > >> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
> > >> nino.martinez.w...@gmail.com> wrote:
> > >>
> > >> > do you have an example?
> > >> > OR is it just to cut them into two like:
> > >> > WebSecurityConfigurerAdapter A:
> > >> >
> > >> > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > >> >
> > >> > WebSecurityConfigurerAdapter B:
> > >> > http
> > >> >         .csrf().disable()
> > >> >         .authorizeRequests().anyRequest().permitAll()
> > >> >         .and()
> > >> >         .logout()
> > >> >         .permitAll();
> > >> > http.headers().frameOptions().disable();
> > >> >
> > >> >
> > >> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <zbynekvav...@gmail.com>
> > >> > wrote:
> > >> >
> > >> > > Hi,
> > >> > >
> > >> > > I did a similar thing, the trick here is to use two
> > >> > > WebSecurityConfigurerAdapters.
> > >> > >
> > >> > > Zbynek
> > >> > >
> > >> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > >> > > nino.martinez.w...@gmail.com> wrote:
> > >> > >
> > >> > > > Hope it's okay to use the wicket user mailing list for this:)
> > >> > > >
> > >> > > > First of all thanks to MarcGiffing for making the project. But I cannot get
> > >> > > > actuator endpoints to work with spring security and wicket spring boot..
> > >> > > > I've tried a lot of things..
> > >> > > >
> > >> > > > In my WebSecurityConfigurerAdapter:
> > >> > > >
> > >> > > > http
> > >> > > >         .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > >> > > >
> > >> > > > http
> > >> > > >         .csrf().disable()
> > >> > > >         .authorizeRequests().anyRequest().permitAll()
> > >> > > >         .and()
> > >> > > >         .logout()
> > >> > > >         .permitAll();
> > >> > > > http.headers().frameOptions().disable();
> > >> > > >
> > >> > > > But that just disables actuator and messes with the Wicket side of the
> > >> > > > security..
> > >> > > > Anyone have some clues?
> > >> > > >
> > >> > > > --
> > >> > > > Best regards / Med venlig hilsen
> > >> > > > Nino Martinez
> > >> >
> > >> > --
> > >> > Best regards / Med venlig hilsen
> > >> > Nino Martinez
> > >
> > > --
> > > Best regards / Med venlig hilsen
> > > Nino Martinez
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez

--
Best regards / Med venlig hilsen
Nino Martinez
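
The chain selection behind the behaviour described in this thread, as an added example that is not code from any of the posters: a simplified model of how Spring Security hands each request to the first matching adapter in `@Order` sequence. It assumes the three adapters visible in the quoted 4:13 PM configuration (the outer class extends `WebSecurityConfigurerAdapter` without `@Order`, so it sits at the default order 100 with the default settings) and handles only the pattern forms used there; the class name and sample paths are constructed.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

// Added illustration (Java 16+), not code from the thread: a simplified model of
// how Spring Security picks exactly one filter chain per request.
public class ChainSelectionModel {

    // order: @Order value of the adapter; pattern: its http.antMatcher(...) scope;
    // anonymous: what an unauthenticated browser request gets back from that chain.
    record Chain(int order, String name, String pattern, String anonymous) {}

    // Simplified Ant matching, covering only the "/**" and "/prefix/**" forms
    // used in the thread ("/prefix/**" also matches "/prefix" itself).
    static boolean matches(String pattern, String path) {
        if (pattern.equals("/**")) return true;
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Chains are tried in ascending order; the first match handles the request alone.
    static Optional<Chain> select(List<Chain> chains, String path) {
        return chains.stream()
                .sorted(Comparator.comparingInt(Chain::order))
                .filter(c -> matches(c.pattern(), path))
                .findFirst();
    }

    public static void main(String[] args) {
        List<Chain> chains = List.of(
            // An adapter without @Order gets order 100; without configure(HttpSecurity)
            // it keeps the defaults: any request, generated /login page.
            new Chain(100, "WicketWebSecurityAdapterConfig", "/**", "302 to generated /login"),
            new Chain(1, "RestSecurityConfig", "/actuator/**", "401 + WWW-Authenticate: Basic"),
            new Chain(2, "WicketSecurityConfig", "/page/**", "302 to /page/login"));

        // Constructed sample paths
        for (String path : List.of("/actuator/health", "/page/home", "/", "/favicon.ico")) {
            String result = select(chains, path)
                    .map(c -> c.name() + " (order " + c.order() + "): " + c.anonymous())
                    .orElse("no chain matched: request is not secured");
            System.out.println(path + " => " + result);
        }
    }
}
```

Paths outside `/actuator/**` and `/page/**`, such as `/`, land on the order-100 chain, which is where the default Spring login page comes from; removing that catch-all entry from the list shows the same paths matching no chain at all.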