we do very much need isInstantiationAuthorized(Class). it is a building block for implementing component security, including role based authorization. and since pages are components, all the cases you're concerned with are covered. but pages are not the world in a component framework. it's important to provide a higher granularity of security for (a) those who want broad assurances on the use of their components and/or (b) those who want to composite authorization-restricted components into pages that are also accessible to users with different or lower authorization.
for example, you can imagine an admin panel with quick administration features that you would never want anyone to see without admin access. by declaring access to the admin panel as "only admins can create one of these" you ensure no programmer can accidentally misuse the panel. or by asserting "this panel is only enabled for admins", you ensure that nobody can mistakenly give access to an admin panel by putting it on the wrong page... if the page is accessible to "user" and the panel on the page is accessible to "admin" and the user is in role "user", the panel will be disabled automatically for that user. this is very useful behavior if you have a lot of different roles who should have slightly different views of common pages.

Martin Benda wrote:
>
> I think that there should be a mechanism that checks authorization every time a
> page instance is created or retrieved from a page map. Something like
> isAccessAuthorized(Class<? extends Page> pageClass). Another question: do we
> need this fine-grained isInstantisationAuthorized(componentClass) at all?
>

--
View this message in context: http://www.nabble.com/Is-IAuthorizationStrategy-isInstantiationAuthorized-prone-to-security-bugs--tf3299965.html#a9188661
Sent from the Wicket - Dev mailing list archive at Nabble.com.
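
The two declarations described in the message above ("only admins can create one of these" and "this panel is only enabled for admins"), as an added example that is not part of the original post and is not Wicket code. Every type, annotation and method here is a hypothetical stand-in for the framework's checks, and the role set is constructed sample data.

```java
import java.lang.annotation.*;
import java.util.*;

// Simplified model of the two checks discussed above; these types are
// hypothetical and are NOT Wicket's IAuthorizationStrategy API.
public class ComponentAuthDemo {
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface InstantiateOnly { String[] value(); }   // "only admins can create one of these"
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface EnableOnly { String[] value(); }        // "this panel is only enabled for admins"

    static class Component { boolean enabled = true; }
    @InstantiateOnly("admin") static class AdminPanel extends Component {}
    @EnableOnly("admin") static class QuickAdminPanel extends Component {}
    @InstantiateOnly({"user", "admin"}) static class DashboardPage extends Component {
        final List<Component> children = new ArrayList<>();
    }

    static boolean hasAny(Set<String> roles, String[] allowed) {
        return Arrays.stream(allowed).anyMatch(roles::contains);
    }
    // Class-level check: unannotated components are unrestricted.
    static boolean isInstantiationAuthorized(Class<?> c, Set<String> roles) {
        InstantiateOnly a = c.getAnnotation(InstantiateOnly.class);
        return a == null || hasAny(roles, a.value());
    }
    // Instance-level check for the "enable" action.
    static boolean isEnableAuthorized(Component c, Set<String> roles) {
        EnableOnly a = c.getClass().getAnnotation(EnableOnly.class);
        return a == null || hasAny(roles, a.value());
    }
    // Single choke point for construction: the check runs before the constructor,
    // so placing a restricted component on the wrong page cannot bypass it.
    static <T extends Component> T create(Class<T> type, Set<String> roles) throws Exception {
        if (!isInstantiationAuthorized(type, roles))
            throw new SecurityException("not authorized to instantiate " + type.getSimpleName());
        T c = type.getDeclaredConstructor().newInstance();
        c.enabled = isEnableAuthorized(c, roles);   // disabled automatically, not an error
        return c;
    }

    public static void main(String[] args) throws Exception {
        Set<String> user = Collections.singleton("user");   // constructed sample session roles
        DashboardPage page = create(DashboardPage.class, user);
        page.children.add(create(QuickAdminPanel.class, user));
        System.out.println("page created, panel enabled=" + page.children.get(0).enabled);
        try { create(AdminPanel.class, user); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```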
