This original post was under the wicket stuff users list and I've reposted it here for more visibility, as requested by Martijn. The following is the response that I got from Maurice.
Hi, what I mean is this: By default SecurePageLink (and all other links with the same security check) checks for an enable action on the page the link points to. This check occurs both in the render (where it is decided if the link should be clickable) and in the onClick (just to check that nobody spoofed a URL to trigger a link click where it is not allowed). Maybe an example will make things more clear (note to self to update the getting started).

HomePage contains a SecurePageLink to PageA. We should declare at least

.....HomePage, "render";

in our policy or we will never see the homepage. With just this the link will not be rendered because it lacks

.....PageA, "render";

So if we put that in the policy too we will see a disabled link (Wicket turns it into a span by default), but because the component is still available on the server side someone could spoof the URL and trigger Wicket into thinking the link was clicked. Fortunately the second check I mentioned earlier will detect this and send you to the access denied page. Only if we make sure our policy also contains

.....PageA, "enable";

will the link be fully operational. I hope this answered your question. :)

But if you want to get really confused you should read on, because there is an alternative mode in which it is possible to show the link even if we have not granted render to PageA. I am actually working on some examples showing this alternate mode, but they are not yet available. To activate the alternate rendering mode you need to do this:

((LinkSecurityCheck)link.getSecurityCheck()).setUseAlternativeRenderCheck(true);

Given the above example and a policy file only containing

....HomePage, "inherit, render";

the link will render as a disabled link. Note the inherit; this means all child components on the homepage are allowed to render. Optionally we could replace that one line with the following two lines:

....HomePage, "render";
....HomePage:link, "render";

assuming the wicket id of our link is link :) To enable the link we would still require

....PageA, "enable";

in our policy. Thanks for checking out Swarm and Wasp, I hope I did not just confuse the hell out of you :)

Maurice

craigdd wrote:
> In looking at the getting started page for wicket security I came across the following block of text when describing the configuration of principals.
>
> What we just did is grant everyone the right to see (render) our HomePage; if there are secure components on the homepage we can see them too (inherit). In addition we granted links to our homepage the right to be clicked (enable). Because we do not want to give links on our homepage the right to be clicked we did not place the enable action on the previous line with the inherit. If we know for a fact that there are absolutely no links pointing to the homepage we could delete the second line, but generally you will want these two lines for any given secure page. If you think, what a long line, isn't there a shorter way, then I have good news for you. Hive supports aliases. This means that besides the built-in aliases for permissions you can add your own aliases for permissions, principals and names, just not for actions! Aliases can be concatenated but not nested. So if we rewrite our policy to use aliases we get
>
> Just to clarify, when you say "In addition we granted links to our homepage the right to be clicked (enable)", does this mean that the link, which I assume you mean , is able to be physically clicked? And if it was the opposite, as is the next line of the configuration "HomePage", "enable"", does this mean that the link is disabled to the user, or that it is enabled but you will get an access error exception on the server side?
> Thanks
> Craig

View this message in context: http://www.nabble.com/Wicket-Security-Configuration-Question-tf3884414.html#a11009846
Sent from the Wicket - User mailing list archive at Nabble.com.
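As an added illustration of the thread above (this is not code from the thread, nor from the Wicket-Security project), here is how the pieces Maurice describes fit together in one page class: a SecureWebPage with a SecurePageLink to PageA, the three states the link can end up in depending on the policy, and the alternative render check toggle he mentions. The package names, the SecurePageLink constructor signature, the principal and permission class names in the policy, and the application package com.example.app are assumptions; the policy text is constructed for this example.

```java
// Added example, not from the thread or the Wicket-Security project.
// Package names and the policy below are assumptions about the Swarm/Wasp
// API and Hive policy syntax; class names under com.example.app are constructed.
package com.example.app; // assumption

import org.apache.wicket.security.checks.LinkSecurityCheck;                       // assumption
import org.apache.wicket.security.components.SecureWebPage;                       // assumption
import org.apache.wicket.security.components.markup.html.links.SecurePageLink;    // assumption

/**
 * HomePage holds a SecurePageLink to PageA. Which state the link ends up in is
 * decided by the Hive policy, not by this class. In the default mode described
 * in the thread:
 *
 *   grants on PageA          render phase              onClick phase
 *   ---------------------    ---------------------     ------------------------
 *   (none)                   link not rendered         access denied
 *   "render"                 disabled link (a span)    access denied (spoofed URL)
 *   "render" and "enable"    clickable link            click allowed
 *
 * Constructed policy that yields the disabled-link row (principal and
 * permission alias names are assumptions about the Hive syntax):
 *
 *   grant principal org.apache.wicket.security.hive.authorization.SimplePrincipal "everyone"
 *   {
 *     permission ${ComponentPermission} "com.example.app.HomePage", "inherit, render";
 *     permission ${ComponentPermission} "com.example.app.PageA", "render";
 *   };
 */
public class HomePage extends SecureWebPage
{
	public HomePage()
	{
		// Wicket id "link" matches the HomePage:link path used in the thread.
		SecurePageLink link = new SecurePageLink("link", PageA.class); // constructor signature assumed
		add(link);

		// Default mode: the render check needs "render" on PageA and the
		// onClick check needs "enable" on PageA. With the policy above the
		// link renders as a disabled span, and a hand-crafted click URL is
		// still caught by the onClick check and sent to the access denied page.

		// Alternative mode (as described in the thread): the render check
		// looks at the link component itself (HomePage:link, covered by the
		// "inherit" on HomePage) instead of at PageA, so the link renders even
		// without "render" on PageA. The onClick check is unchanged: the link
		// only becomes clickable once the policy also grants "enable" on PageA.
		((LinkSecurityCheck) link.getSecurityCheck()).setUseAlternativeRenderCheck(true);
	}
}
```

The point worth keeping in mind from a defender's view is the last row of the table: granting "render" alone never makes a link clickable, and the onClick check is what protects against a URL that was constructed by hand rather than produced by a rendered link. The alternative render mode changes only what is shown, not what is allowed.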