Thanks, Craig

I've updated the getting started to include the example for the
default mode, which is what most likely you will be using. I am sorry
to say that as of yet I do not have an ETA for the examples but I will
post it on the mailing list when I have them ready.

Maurice

On 6/7/07, craigdd <[EMAIL PROTECTED]> wrote:
>
> This original post was under wicket stuff users list and I've reposted it
> here for more visibility, as requested by Martijn.  The following is the
> response that I got from Maurice.
>
> Hi,
>
> What I mean is this: By default SecurePageLink (and all other links
> with the same security check) checks for an enable action on the page
> the link points to. This check occurs both in the render (where it is
> decided if the link should be clickable) and in the onclick (just to
> check that nobody spoofed a URL to trigger a link click where it is not
> allowed).
>
> Maybe an example will make things more clear (note to self to update
> the getting started).
> HomePage contains a SecurePageLink to PageA.
> We should declare at least .....HomePage, "render"; in our policy or
> we will never see the homepage. With just this the link will not be
> rendered because it lacks .....PageA, "render";
> So if we put that in the policy too we will see a disabled link
> (Wicket turns it into a span by default), but because the component is
> still available on the server side someone could spoof the URL and
> trick Wicket into thinking the link was clicked. Fortunately the
> second check I mentioned earlier will detect this and send you to the
> access denied page.
> Only if we make sure our policy also contains .....PageA, "enable";
> will the link be fully operational.
>
> I hope this answered your question. :)
>
> But if you want to get really confused you should read on because there
> is an alternative mode in which it is possible to show the link even
> if we have not granted render to PageA.
> I am actually working on some examples showing this alternate mode,
> but they are not yet available.
> To activate the alternate rendering mode you need to do this:
> ((LinkSecurityCheck)link.getSecurityCheck()).setUseAlternativeRenderCheck(true);
> Given the above example and a policy file only containing
> ....HomePage, "inherit, render";
> the link will render as a disabled link. Note the inherit, this means
> all child components on the homepage are allowed to render. Optionally
> we could replace that one line with the following two lines
> ....HomePage, "render"; and ....HomePage:link, "render"; Assuming the
> wicket id of our link is link :) To enable the link we would still
> require ....PageA, "enable"; in our policy.
>
> Thanks for checking out swarm and wasp, I hope I did not just confuse
> the hell out of you :)
>
> Maurice
>
>
>
> craigdd wrote:
> >
> > In looking at the getting started page for wicket security I came across
> > the following block of text when describing the configuration of
> > principals.
> >
> > What we just did is grant everyone the right to see (render) our HomePage,
> > if there are secure components on the homepage we can see them too
> > (inherit). In addition we granted links to our homepage the right to be
> > clicked (enable). Because we do not want to give links on our homepage the
> > right to be clicked we did not place the enable action on the previous
> > line with the inherit. If we know for a fact that there are absolutely no
> > links pointing to the homepage we could delete the second line, but
> > generally you will want these two lines for any given secure page. If you
> > think, what a long line, isn't there a shorter way, then I have good news
> > for you. Hive supports aliases. This means that besides the built-in
> > aliases for permissions you can add your own aliases for permissions,
> > principals and names, just not for actions! Aliases can be concatenated
> > but not nested. So if we rewrite our policy to use aliases we get
> >
> > Just to clarify, when you say "In addition we granted links to our
> > homepage the right to be clicked (enable)", does this mean that the link,
> > which I assume you mean , is able to be physically clicked? And if it was
> > the opposite, as is the next line of the configuration "HomePage",
> > "enable"", does this mean that the link is disabled to the user, or that
> > it is enabled but you will get an access error exception on the server
> > side?
> >
> > Thanks
> > Craig
> >
>
> --
> View this message in context: 
> http://www.nabble.com/Wicket-Security-Configuration-Question-tf3884414.html#a11009846
> Sent from the Wicket - User mailing list archive at Nabble.com.
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Wicket-user mailing list
> Wicket-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/wicket-user
>
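
Added example, not part of the thread and not Swarm/Wasp code: a plain-Java model of the render-time and click-time checks Maurice describes, run against the policies from his HomePage/PageA example. The class, method and map-based policy shapes and the "AccessDeniedPage" string are assumptions made for illustration; short target names stand in for the elided permission lines.

```java
import java.util.Map;
import java.util.Set;

// Illustration only: models the behaviour described in the thread, nothing more.
// Policy = target name -> granted actions (hypothetical stand-in for the policy file).
public class LinkCheckModel {
    enum LinkState { NOT_RENDERED, DISABLED, ENABLED }

    static boolean granted(Map<String, Set<String>> policy, String target, String action) {
        return policy.getOrDefault(target, Set.of()).contains(action);
    }

    // Render-time check. alternative=true models setUseAlternativeRenderCheck(true):
    // visibility then depends on the link's own render right on the host page
    // (inherited or granted as host:linkId), not on render for the target page.
    static LinkState render(Map<String, Set<String>> policy, String host, String linkId,
                            String target, boolean alternative) {
        if (!granted(policy, host, "render")) return LinkState.NOT_RENDERED;
        boolean visible = alternative
                ? granted(policy, host, "inherit") || granted(policy, host + ":" + linkId, "render")
                : granted(policy, target, "render");
        if (!visible) return LinkState.NOT_RENDERED;
        return granted(policy, target, "enable") ? LinkState.ENABLED : LinkState.DISABLED;
    }

    // Click-time check, repeated on the server: a spoofed click on a link that was
    // rendered disabled still lands here and is refused.
    static String click(Map<String, Set<String>> policy, String target) {
        return granted(policy, target, "enable") ? target : "AccessDeniedPage";
    }

    public static void main(String[] args) {
        Map<String, Set<String>> homeOnly = Map.of("HomePage", Set.of("render"));
        Map<String, Set<String>> plusRender = Map.of(
                "HomePage", Set.of("render"), "PageA", Set.of("render"));
        Map<String, Set<String>> plusEnable = Map.of(
                "HomePage", Set.of("render"), "PageA", Set.of("render", "enable"));
        Map<String, Set<String>> altInherit = Map.of("HomePage", Set.of("inherit", "render"));

        // Default mode: the three policies from the thread, in order.
        System.out.println(render(homeOnly, "HomePage", "link", "PageA", false));
        System.out.println(render(plusRender, "HomePage", "link", "PageA", false));
        System.out.println(render(plusEnable, "HomePage", "link", "PageA", false));
        // Alternative mode: no render grant for PageA, link still shows (disabled).
        System.out.println(render(altInherit, "HomePage", "link", "PageA", true));
        // Spoofed click against the disabled link, then a legitimate click.
        System.out.println(click(plusRender, "PageA"));
        System.out.println(click(plusEnable, "PageA"));
    }
}
```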
