Yes this is exactly how I've done it :) Thanks for taking time to help...

@WicketSignInPage
@MountPath("page/login")
public class LoginPage extends BasePage {

    public LoginPage(PageParameters parameters) {
        super(parameters);

        // Already signed in: go back to the page that triggered the login redirect
        if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
            continueToOriginalDestination();
        }
        add(new LoginForm("loginForm"));
    }

    private class LoginForm extends StatelessForm<LoginForm> {

        // Bound to the form fields of the same name through the CompoundPropertyModel
        private String username;
        private String password;

        public LoginForm(String id) {
            super(id);
            setModel(new CompoundPropertyModel<>(this));
            add(new FeedbackPanel("feedback"));
            add(new RequiredTextField<String>("username"));
            add(new PasswordTextField("password"));
        }

        @Override
        protected void onSubmit() {
            // Authentication runs through the Wicket session, not through loginProcessingUrl
            AuthenticatedWebSession session = AuthenticatedWebSession.get();
            if (session.signIn(username, password)) {
                setResponsePage(HomePage.class);
            } else {
                error("Login failed");
            }
        }
    }
}


On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros <zbynekvav...@gmail.com>
wrote:

> It seems you have mixed my code with your code somehow.
> You must configure formLogin() and specify loginPage() pointing to your
> Wicket login page (maybe using @MountPath?).
> The .loginProcessingUrl() points to "/fake-url" because the authentication
> itself is called from Wicket login page
> via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> in your Wicket login page?
>
> Zbynek
>
> On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > It sort of works, if I go to the actuator I get the http basic auth, if I
> > on the same session go to my pages.. I get an "ugly" access denied page and
> > not the configured wicket login page. So it sort of works..
> >
> > If I just go to localhost:8080/ I get a default spring login page, not the
> > wicket one.. Upon successful login it forwards me to the wicket login page,
> > where I can login again and then get to the real application..
> >
> > Below my current code:
> >
> >
> > package dk.netdesign.ccadmin.frontend.security;
> >
> > import org.springframework.context.annotation.Bean;
> > import org.springframework.context.annotation.Configuration;
> > import org.springframework.core.annotation.Order;
> > import org.springframework.security.authentication.AuthenticationManager;
> > import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > import org.springframework.security.config.http.SessionCreationPolicy;
> > import org.springframework.security.core.Authentication;
> > import org.springframework.security.core.context.SecurityContextHolder;
> > import org.springframework.security.core.userdetails.User;
> > import org.springframework.security.core.userdetails.UserDetailsService;
> > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > import org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > import org.springframework.stereotype.Component;
> >
> > @Configuration
> > public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {
> >
> >     @Configuration
> >     @Order(1)
> >     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> >
> >         @Override
> >         protected void configure(HttpSecurity http) throws Exception {
> >             http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> >                     .and().csrf().disable()
> >                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> >                     .and().httpBasic();
> >         }
> >     }
> >
> >     @Configuration
> >     @Order(2)
> >     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> >         @Override
> >         protected void configure(HttpSecurity http) throws Exception {
> >             http.antMatcher("/page/**").authorizeRequests()
> >                     .antMatchers("/page/login**").permitAll()
> >                     .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
> >                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> >                     .and().csrf().disable();
> >         }
> >     }
> >
> >     @Bean
> >     public static BCryptPasswordEncoder passwordEncoder() {
> >         return new BCryptPasswordEncoder();
> >     }
> >
> >     @Bean(name = "authenticationManager")
> >     @Override
> >     public AuthenticationManager authenticationManagerBean() throws Exception {
> >         return super.authenticationManagerBean();
> >     }
> >
> >     public interface IAuthenticationFacade {
> >         Authentication getAuthentication();
> >     }
> >
> >     @Component
> >     public class AuthenticationFacade implements IAuthenticationFacade {
> >
> >         @Override
> >         public Authentication getAuthentication() {
> >             return SecurityContextHolder.getContext().getAuthentication();
> >         }
> >     }
> >
> >     @Bean
> >     public UserDetailsService userDetailsService() {
> >         InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
> >         manager.createUser(
> >                 User.withUsername("admin")
> >                         .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
> >                         .build());
> >
> >         manager.createUser(
> >                 User.withUsername("actuator")
> >                         .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> >                         .build());
> >
> >         return manager;
> >     }
> > }
> >
> >
> > On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > Thanks will try it:)
> > >
> > > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <zbynekvav...@gmail.com>
> > > wrote:
> > >
> > >> In my case it works something like this:
> > >>
> > >> @Configuration
> > >> @EnableWebSecurity
> > >> public class SecurityConfiguration {
> > >>
> > >>     @Configuration
> > >>     @Order(1)
> > >>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > >>
> > >>         // .. user details service, auth providers etc
> > >>
> > >>         @Override
> > >>         protected void configure(HttpSecurity http) throws Exception {
> > >>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> > >>                     .and().csrf().disable()
> > >>                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > >>                     .and().httpBasic();
> > >>         }
> > >>     }
> > >>
> > >>     @Configuration
> > >>     @Order(2)
> > >>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > >>
> > >>         // .. user details service, auth providers etc
> > >>
> > >>         @Override
> > >>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> > >>             auth.authenticationProvider(wicketAuthenticationProvider);
> > >>         }
> > >>
> > >>         @Override
> > >>         protected void configure(HttpSecurity http) throws Exception {
> > >>             http.antMatcher("/page/**").authorizeRequests()
> > >>                     .antMatchers("/page/login**").permitAll()
> > >>                     .antMatchers("/page/**").hasRole("ROLE")
> > >>                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > >>                     .and().csrf().disable();
> > >>         }
> > >>
> > >>         @Override
> > >>         @Bean(name = "authenticationManager")
> > >>         public AuthenticationManager authenticationManagerBean() throws Exception {
> > >>             return super.authenticationManagerBean();
> > >>         }
> > >>     }
> > >> }
> > >>
> > >> The RestSecurityConfig would be what you would do for actuators, for me
> > >> that's the REST API.
> > >> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
> > >>
> > >> Zbynek
> > >>
> > >> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
> > >> nino.martinez.w...@gmail.com> wrote:
> > >>
> > >> > Do you have an example? Or is it just to cut them into two like:
> > >> > WebSecurityConfigurerAdapter A:
> > >> >
> > >> > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > >> >
> > >> > WebSecurityConfigurerAdapter B:
> > >> >  http
> > >> >                  .csrf().disable()
> > >> >                  .authorizeRequests().anyRequest().permitAll()
> > >> >                  .and()
> > >> >                  .logout()
> > >> >                  .permitAll();
> > >> >          http.headers().frameOptions().disable();
> > >> >
> > >> >
> > >> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <zbynekvav...@gmail.com>
> > >> > wrote:
> > >> >
> > >> > > Hi,
> > >> > >
> > >> > > I did a similar thing, the trick here is to use two
> > >> > > WebSecurityConfigurerAdapters.
> > >> > >
> > >> > > Zbynek
> > >> > >
> > >> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > >> > > nino.martinez.w...@gmail.com> wrote:
> > >> > >
> > >> > > > Hope it's okay to use the wicket user mailing list for this:)
> > >> > > >
> > >> > > > First of all thanks to MarcGiffing for making the project. But I cannot
> > >> > > > get actuator endpoints to work with spring security and wicket spring
> > >> > > > boot.. I've tried a lot of things..
> > >> > > >
> > >> > > > In my WebSecurityConfigurerAdapter:
> > >> > > >
> > >> > > >  http
> > >> > > >                 .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > >> > > >
> > >> > > > http
> > >> > > >                 .csrf().disable()
> > >> > > >                 .authorizeRequests().anyRequest().permitAll()
> > >> > > >                 .and()
> > >> > > >                 .logout()
> > >> > > >                 .permitAll();
> > >> > > >         http.headers().frameOptions().disable();
> > >> > > >
> > >> > > > But that just disables actuator and messes with the Wicket side of the
> > >> > > > security.. Anyone have some clues?
> > >> > > >
> > >> > > > --
> > >> > > > Best regards / Med venlig hilsen
> > >> > > > Nino Martinez


-- 
Best regards / Med venlig hilsen
Nino Martinez
