You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by ad...@apache.org on 2013/12/14 22:13:12 UTC
svn commit: r1550971 [6/15] - in /wicket/common/site/trunk/_site/guide: ./
gapi/ gapi/DefaultPackage/ gapi/spring/ guide/ guide/pages/
guide/src/docs/guide/chapter14/ guide/src/docs/guide/chapter15/
guide/src/docs/guide/chapter16/ guide/src/docs/guide/...
Modified: wicket/common/site/trunk/_site/guide/guide/chapter18.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/chapter18.html?rev=1550971&r1=1550970&r2=1550971&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/guide/guide/chapter18.html (original)
+++ wicket/common/site/trunk/_site/guide/guide/chapter18.html Sat Dec 14 21:13:09 2013
@@ -174,11 +174,11 @@ function addJsClass() {
<h1 id="chapter18">19 Integration with enterprise containers</h1>
-Writing a web application is not just about producing a good layout and a bunch of âcoolâ pages. We must also integrate our presentation code with enterprise resources like data sources, message queues, business objects, etc...<p class="paragraph"/>The first decade of 2000s has seen the rising of new frameworks (like <a href="http://www.springsource.org/" target="blank">Spring</a> ) and new specifications (like <a href="http://en.wikipedia.org/wiki/Enterprise_JavaBeans" target="blank">EJB 3.1</a> ) aimed to simplify the management of enterprise resources and (among other things) their integration with presentation code.<p class="paragraph"/>All these new technologies are based on the concepts of container and dependency injection. Container is the environment where our enterprise resources are created and configured while <a href="http://en.wikipedia.org/wiki/Dependency_Injection" target="blank">dependency injection</a> is a pattern implemented by containers to inject int
o an object the resources it depends on.<p class="paragraph"/>Wicket can be easily integrated with enterprise containers using component instantiation listeners. These entities are instances of interface org.apache.wicket.application.IComponent InstantiationListener and can be registered during application's initialization. IComponentInstantiationListener defines callback method onInstantiation(Component component) which can be used to provide custom instantiation logic for Wicket components.<p class="paragraph"/>Wicket distribution and project <a href="https://github.com/wicketstuff" target="blank">WicketStuff</a> already provide a set of built-in listeners to integrate our applications with EJB 3.1 compliant containers (like JBoss Seam) or with some of the most popular enterprise frameworks like <a href="http://code.google.com/p/google-guice/" target="blank">Guice</a> or Spring.<p class="paragraph"/>In this chapter we will see two basic examples of injecting a container-defined
object into a page using first an implementation of the EJB 3.1 specifications (project <a href="http://openejb.apache.org/" target="blank">OpenEJB</a> ) and then using Spring.
+Writing a web application is not just about producing a good layout and a bunch of âcoolâ pages. We must also integrate our presentation code with enterprise resources like data sources, message queues, business objects, etc...<p class="paragraph"/>The first decade of 2000s has seen the rising of new frameworks (like <a href="http://www.springsource.org/" target="blank">Spring</a> ) and new specifications (like <a href="http://en.wikipedia.org/wiki/Enterprise_JavaBeans" target="blank">EJB 3.1</a> ) aimed to simplify the management of enterprise resources and (among other things) their integration with presentation code.<p class="paragraph"/>All these new technologies are based on the concepts of container and dependency injection. Container is the environment where our enterprise resources are created and configured while <a href="http://en.wikipedia.org/wiki/Dependency_Injection" target="blank">dependency injection</a> is a pattern implemented by containers to inject int
o an object the resources it depends on.<p class="paragraph"/>Wicket can be easily integrated with enterprise containers using component instantiation listeners. These entities are instances of interface <code>org.apache.wicket.application.IComponentInstantiationListener</code> and can be registered during application's initialization. IComponentInstantiationListener defines callback method onInstantiation(Component component) which can be used to provide custom instantiation logic for Wicket components.<p class="paragraph"/>Wicket distribution and project <a href="https://github.com/wicketstuff" target="blank">WicketStuff</a> already provide a set of built-in listeners to integrate our applications with EJB 3.1 compliant containers (like JBoss Seam) or with some of the most popular enterprise frameworks like <a href="http://code.google.com/p/google-guice/" target="blank">Guice</a> or Spring.<p class="paragraph"/>In this chapter we will see two basic examples of injecting a contai
ner-defined object into a page using first an implementation of the EJB 3.1 specifications (project <a href="http://openejb.apache.org/" target="blank">OpenEJB</a> ) and then using Spring.
<h2 id="chapter18_1">19.1 Integrating Wicket with EJB</h2>
-<p class="paragraph"/>WicketStuff provides a module called wicketstuff-javaee-inject that contains component instantiation listener JavaEEComponentInjector. If we register this listener in our application we can use standard EJB annotations to inject dependencies into our Wicket components.<p class="paragraph"/>To register a component instantiation listener in Wicket we must use Application's method getComponentInstantiationListeners which returns a typed collection of IComponent InstantiationListeners.<p class="paragraph"/>The following initialization code is taken from project EjbInjectionExample:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class WicketApplication <span class="java-keyword">extends</span> WebApplication
+<p class="paragraph"/>WicketStuff provides a module called wicketstuff-javaee-inject that contains component instantiation listener <code>JavaEEComponentInjector</code>. If we register this listener in our application we can use standard EJB annotations to inject dependencies into our Wicket components.<p class="paragraph"/>To register a component instantiation listener in Wicket we must use <code>Application</code>'s method <code>getComponentInstantiationListeners</code> which returns a typed collection of <code>IComponentInstantiationListeners</code>.<p class="paragraph"/>The following initialization code is taken from project <code>EjbInjectionExample</code>:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class WicketApplication <span class="java-keyword">extends</span> WebApplication
{
//Constructor...<p class="paragraph"/> @Override
<span class="java-keyword">public</span> void init()
@@ -198,7 +198,7 @@ Writing a web application is not just ab
<h2 id="chapter18_2">19.2 Integrating Wicket with Spring</h2>
-<p class="paragraph"/>If we need to inject dependencies with Spring we can use listener org.apache.wicket.spring. injection.annot.SpringComponentInjector provided by module wicket-spring.<p class="paragraph"/>For the sake of simplicity in the example project SpringInjectionExample we have used Spring class AnnotationConfigApplicationContext to avoid any XML file and create a Spring context directly from code:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class WicketApplication <span class="java-keyword">extends</span> WebApplication
+<p class="paragraph"/>If we need to inject dependencies with Spring we can use listener <code>org.apache.wicket.spring.injection.annot.SpringComponentInjector</code> provided by module wicket-spring.<p class="paragraph"/>For the sake of simplicity in the example project <code>SpringInjectionExample</code> we have used Spring class <code>AnnotationConfigApplicationContext</code> to avoid any XML file and create a Spring context directly from code:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class WicketApplication <span class="java-keyword">extends</span> WebApplication
{
//Constructor...<p class="paragraph"/> @Override
<span class="java-keyword">public</span> void init()
@@ -208,7 +208,7 @@ Writing a web application is not just ab
ctx.scan(<span class="java-quote">"org.wicketTutorial.ejbBean"</span>);
ctx.refresh();<p class="paragraph"/> getComponentInstantiationListeners().add(<span class="java-keyword">new</span> SpringComponentInjector(<span class="java-keyword">this</span>, ctx));
}
-}</pre></div><p class="paragraph"/>As we can see in the code above, the constructor of SpringComponentInjector takes in input also an instance of Spring context.<p class="paragraph"/>The injected object is the same used in the previous project EjbInjectionExample, it differs only for the greeting message:<p class="paragraph"/><div class="code"><pre>@ManagedBean
+}</pre></div><p class="paragraph"/>As we can see in the code above, the constructor of <code>SpringComponentInjector</code> takes in input also an instance of Spring context.<p class="paragraph"/>The injected object is the same used in the previous project <code>EjbInjectionExample</code>, it differs only for the greeting message:<p class="paragraph"/><div class="code"><pre>@ManagedBean
<span class="java-keyword">public</span> class EnterpriseMessage {
<span class="java-keyword">public</span> <span class="java-object">String</span> message = <span class="java-quote">"Welcome to the Spring world!"</span>;
}</pre></div><p class="paragraph"/>In the home page of the project the object is injected using Wicket annotation @SpringBean:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class HomePage <span class="java-keyword">extends</span> WebPage {
@@ -217,7 +217,7 @@ Writing a web application is not just ab
//getter and setter <span class="java-keyword">for</span> enterpriseMessage...<p class="paragraph"/> <span class="java-keyword">public</span> HomePage(<span class="java-keyword">final</span> PageParameters parameters) {
<span class="java-keyword">super</span>(parameters);<p class="paragraph"/> add(<span class="java-keyword">new</span> Label(<span class="java-quote">"message"</span>, enterpriseMessage.message));
}
-}</pre></div><p class="paragraph"/>By default @SpringBean searches into Spring context for a bean having the same type of the annotated field. If we want we can specify also the name of the bean to use as injected object and we can declare if the dependency is required or not. By default dependencies are required and if they can not be resolved to a compatible bean, Wicket will throw an IllegalStateException:<p class="paragraph"/><div class="code"><pre>//set the dependency as not required, i.e the field can be left <span class="java-keyword">null</span>
+}</pre></div><p class="paragraph"/>By default <code>SpringBean searches into Spring context for a bean having the same type of the annotated field. If we want we can specify also the name of the bean to use as injected object and we can declare if the dependency is required or not. By default dependencies are required and if they can not be resolved to a compatible bean, Wicket will throw an </code>IllegalStateException@:<p class="paragraph"/><div class="code"><pre>//set the dependency as not required, i.e the field can be left <span class="java-keyword">null</span>
@SpringBean(name=<span class="java-quote">"anotherName"</span>, required=<span class="java-keyword">false</span>)
<span class="java-keyword">private</span> EnterpriseMessage enterpriseMessage;</pre></div>
@@ -229,7 +229,7 @@ Writing a web application is not just ab
<h2 id="chapter18_4">19.4 Summary</h2>
-<p class="paragraph"/>In this chapter we have seen how to integrate Wicket applications with Spring and with an EJB container. Module wicket-examples contains also an example of integration with Guice (see application class org.apache.wicket.examples.guice.GuiceApplication).<p class="paragraph"/>
+<p class="paragraph"/>In this chapter we have seen how to integrate Wicket applications with Spring and with an EJB container. Module wicket-examples contains also an example of integration with Guice (see application class <code>org.apache.wicket.examples.guice.GuiceApplication</code>).<p class="paragraph"/>
Modified: wicket/common/site/trunk/_site/guide/guide/chapter19.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/chapter19.html?rev=1550971&r1=1550970&r2=1550971&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/guide/guide/chapter19.html (original)
+++ wicket/common/site/trunk/_site/guide/guide/chapter19.html Sat Dec 14 21:13:09 2013
@@ -181,21 +181,21 @@ Security is one of the most important no
<h2 id="chapter19_1">20.1 Authentication</h2>
-<p class="paragraph"/>The first step in implementing a security policy is assigning a trusted identity to our users, which means that we must authenticate them. Web applications usually adopt a form-based authentication with a login form that asks user for a unique username and the relative password:<p class="paragraph"/><img border="0" class="center" src="../img/wikipedia-login-form.png"></img><p class="paragraph"/>Wicket supports form-based authentication with session class AuthenticatedWebSession and application class AuthenticatedWebApplication, both placed inside package org.apache.wicket.authroles.authentication.<p class="paragraph"/><h3>AuthenticatedWebSession</h3><p class="paragraph"/>Class AuthenticatedWebSession comes with the following set of public methods to manage user authentication:
+<p class="paragraph"/>The first step in implementing a security policy is assigning a trusted identity to our users, which means that we must authenticate them. Web applications usually adopt a form-based authentication with a login form that asks user for a unique username and the relative password:<p class="paragraph"/><img border="0" class="center" src="../img/wikipedia-login-form.png"></img><p class="paragraph"/>Wicket supports form-based authentication with session class <code>AuthenticatedWebSession</code> and application class <code>AuthenticatedWebApplication</code>, both placed inside package <code>org.apache.wicket.authroles.authentication</code>.<p class="paragraph"/><h3>AuthenticatedWebSession</h3><p class="paragraph"/>Class AuthenticatedWebSession comes with the following set of public methods to manage user authentication:
<ul class="star">
-<li><strong class="bold">authenticate(String username, String password)</strong>: this is an abstract method that must be implemented by every subclass of AuthenticatedWebSession. It should contain the actual code that checks for user's identity. It returns a boolean value which is true if authentication has succeeded or false otherwise.</li>
+<li><strong class="bold">authenticate(String username, String password)</strong>: this is an abstract method that must be implemented by every subclass of <code>AuthenticatedWebSession</code>. It should contain the actual code that checks for user's identity. It returns a boolean value which is true if authentication has succeeded or false otherwise.</li>
<li><strong class="bold">signIn(String username, String password)</strong>: this method internally calls authenticate and set the flag signedIn to true if authentication succeeds.</li>
<li><strong class="bold">isSignedIn()</strong>:getter method for flag signedIn.</li>
<li><strong class="bold">signOut()</strong>: sets the flag signedIn to false.</li>
<li><strong class="bold">invalidate()</strong>: calls signOut and invalidates session.</li>
</ul><p class="paragraph"/><blockquote class="warning">
Remember that signOut does not discard any session-relative data. If we want to get rid of these data, we must invoke method invalidate instead of signOut.
-</blockquote><p class="paragraph"/>Another abstract method we must implement when we use AuthenticatedWebSession is getRoles which is inherited from parent class AbstractAuthenticatedWebSession. This method can be ignored for now as it will be discussed later when we will talk about role-based authorization.<p class="paragraph"/><h3>AuthenticatedWebApplication</h3><p class="paragraph"/>Class AuthenticatedWebApplication provides the following methods to support form-based authentication:
+</blockquote><p class="paragraph"/>Another abstract method we must implement when we use <code>AuthenticatedWebSession</code> is getRoles which is inherited from parent class <code>AbstractAuthenticatedWebSession</code>. This method can be ignored for now as it will be discussed later when we will talk about role-based authorization.<p class="paragraph"/><h3>AuthenticatedWebApplication</h3><p class="paragraph"/>Class AuthenticatedWebApplication provides the following methods to support form-based authentication:
<ul class="star">
-<li><strong class="bold">getWebSessionClass()</strong>: abstract method that returns the session class to use for this application. The returned class must be a subclass of AbstractAuthenticatedWeb Session.</li>
+<li><strong class="bold">getWebSessionClass()</strong>: abstract method that returns the session class to use for this application. The returned class must be a subclass of <code>AbstractAuthenticatedWebSession</code>.</li>
<li><strong class="bold">getSignInPageClass()</strong>: abstract method that returns the page to use as sign in page when a user must be authenticated.</li>
-<li><strong class="bold">restartResponseAtSignInPage()</strong>: forces the current response to restart at the sign in page. After we have used this method to redirect a user, we can make her/him return to the original page calling Componet's method continueToOriginalDestination().</li>
-</ul><p class="paragraph"/>The other methods implemented inside AuthenticatedWebApplication will be introduced when we will talk about authorizations.<p class="paragraph"/><h3>A basic example of authentication</h3><p class="paragraph"/>Project BasicAuthenticationExample is a basic example of form-based authentication implemented with classes AuthenticatedWebSession and AuthenticatedWebApplication.<p class="paragraph"/>The homepage of the project contains only a link to page AuthenticatedPage which can be accessed only if user is signed in. The code of AuthenticatedPage is this following:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class AuthenticatedPage <span class="java-keyword">extends</span> WebPage {
+<li><strong class="bold">restartResponseAtSignInPage()</strong>: forces the current response to restart at the sign in page. After we have used this method to redirect a user, we can make her/him return to the original page calling <code>Componet</code>'s method <code>continueToOriginalDestination()</code>.</li>
+</ul><p class="paragraph"/>The other methods implemented inside <code>AuthenticatedWebApplication</code> will be introduced when we will talk about authorizations.<p class="paragraph"/><h3>A basic example of authentication</h3><p class="paragraph"/>Project <code>BasicAuthenticationExample</code> is a basic example of form-based authentication implemented with classes <code>AuthenticatedWebSession</code> and <code>AuthenticatedWebApplication</code>.<p class="paragraph"/>The homepage of the project contains only a link to page <code>AuthenticatedPage</code> which can be accessed only if user is signed in. The code of <code>AuthenticatedPage</code> is this following:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class AuthenticatedPage <span class="java-keyword">extends</span> WebPage {
@Override
<span class="java-keyword">protected</span> void onConfigure() {
AuthenticatedWebApplication app = (AuthenticatedWebApplication)Application.get();
@@ -216,7 +216,7 @@ Remember that signOut does not discard a
}
});
}
-}</pre></div><p class="paragraph"/>Page AuthenticatedPage checks inside onConfigure if user is signed in and if not, it redirects her/him to the sign in page with method restartResponseAtSignInPage. The page contains also a link to the homepage and another link that signs out user.<p class="paragraph"/>The sign in page is implemented in class SignInPage and contains the form used to authenticate users:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class SignInPage <span class="java-keyword">extends</span> WebPage {
+}</pre></div><p class="paragraph"/>Page <code>AuthenticatedPage</code> checks inside onConfigure if user is signed in and if not, it redirects her/him to the sign in page with method <code>restartResponseAtSignInPage</code>. The page contains also a link to the homepage and another link that signs out user.<p class="paragraph"/>The sign in page is implemented in class <code>SignInPage</code> and contains the form used to authenticate users:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class SignInPage <span class="java-keyword">extends</span> WebPage {
<span class="java-keyword">private</span> <span class="java-object">String</span> username;
<span class="java-keyword">private</span> <span class="java-object">String</span> password;<p class="paragraph"/> @Override
<span class="java-keyword">protected</span> void onInitialize() {
@@ -232,7 +232,7 @@ Remember that signOut does not discard a
};<p class="paragraph"/> form.setDefaultModel(<span class="java-keyword">new</span> CompoundPropertyModel(<span class="java-keyword">this</span>));<p class="paragraph"/> form.add(<span class="java-keyword">new</span> TextField(<span class="java-quote">"username"</span>));
form.add(<span class="java-keyword">new</span> PasswordTextField(<span class="java-quote">"password"</span>));<p class="paragraph"/> add(form);
}
-}</pre></div><p class="paragraph"/>The form is responsible for handling user authentication inside its method onSubmit. The username and password are passed to AuthenticatedWebSession's method signIn(username, password) and if authentication succeeds, the user is redirected to the original page with method continueToOriginalDestination.<p class="paragraph"/>The session class and the application class used in the project are reported here:<p class="paragraph"/><strong class="bold">Session class:</strong><p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class BasicAuthenticationSession <span class="java-keyword">extends</span> AuthenticatedWebSession {<p class="paragraph"/> <span class="java-keyword">public</span> BasicAuthenticationSession(Request request) {
+}</pre></div><p class="paragraph"/>The form is responsible for handling user authentication inside its method onSubmit. The username and password are passed to <code>AuthenticatedWebSession</code>'s method <code>signIn(username, password)</code> and if authentication succeeds, the user is redirected to the original page with method <code>continueToOriginalDestination</code>.<p class="paragraph"/>The session class and the application class used in the project are reported here:<p class="paragraph"/><strong class="bold">Session class:</strong><p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class BasicAuthenticationSession <span class="java-keyword">extends</span> AuthenticatedWebSession {<p class="paragraph"/> <span class="java-keyword">public</span> BasicAuthenticationSession(Request request) {
<span class="java-keyword">super</span>(request);
}<p class="paragraph"/> @Override
<span class="java-keyword">public</span> <span class="java-object">boolean</span> authenticate(<span class="java-object">String</span> username, <span class="java-object">String</span> password) {
@@ -253,14 +253,14 @@ Remember that signOut does not discard a
<span class="java-keyword">protected</span> <span class="java-object">Class</span><? <span class="java-keyword">extends</span> WebPage> getSignInPageClass() {
<span class="java-keyword">return</span> SignInPage.class;
}
-}</pre></div><p class="paragraph"/>The authentication logic inside authenticate has been kept quite trivial in order to make the code as clean as possible. Please note also that session class must have a constructor that accepts an instance of class Request.<p class="paragraph"/><h3>Redirecting user to an intermediate page</h3><p class="paragraph"/>Method restartResponseAtSignInPage is an example of redirecting user to an intermediate page before allowing him to access to the requested page. This method internally throws exception org.apache.wicket.RestartResponseAtInterceptPageException which saves the URL of the requested page into session metadata and then redirects user to the page passed as constructor parameter (the sign in page).<p class="paragraph"/>Component's method redirectToInterceptPage(Page) works in much the same way as restartResponseAtSignInPage but it allows us to specify which page to use as intermediate page:<p class="paragraph"/><code>redirectToInterceptP
age(intermediatePage);</code><p class="paragraph"/><blockquote class="note">
-Since both restartResponseAtSignInPage and redirectToIntercept Page internally throw an exception, the code placed after them will not be executed.
+}</pre></div><p class="paragraph"/>The authentication logic inside authenticate has been kept quite trivial in order to make the code as clean as possible. Please note also that session class must have a constructor that accepts an instance of class <code>Request</code>.<p class="paragraph"/><h3>Redirecting user to an intermediate page</h3><p class="paragraph"/>Method <code>restartResponseAtSignInPage</code> is an example of redirecting user to an intermediate page before allowing him to access to the requested page. This method internally throws exception <code>org.apache.wicket.RestartResponseAtInterceptPageException</code> which saves the URL of the requested page into session metadata and then redirects user to the page passed as constructor parameter (the sign in page).<p class="paragraph"/>Component's method <code>redirectToInterceptPage(Page)</code> works in much the same way as <code>restartResponseAtSignInPage</code> but it allows us to specify which page to use as int
ermediate page:<p class="paragraph"/><code>redirectToInterceptPage(intermediatePage);</code><p class="paragraph"/><blockquote class="note">
+Since both <code>restartResponseAtSignInPage</code> and <code>redirectToInterceptPage</code> internally throw an exception, the code placed after them will not be executed.
</blockquote>
<h2 id="chapter19_2">20.2 Authorizations</h2>
-<p class="paragraph"/>The authorization support provided by Wicket is built around the concept of authorization strategy which is represented by interface IAuthorizationStrategy (in package org.apache.wicket .authorization):<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> <span class="java-keyword">interface</span> IAuthorizationStrategy
+<p class="paragraph"/>The authorization support provided by Wicket is built around the concept of authorization strategy which is represented by interface <code>IAuthorizationStrategy</code> (in package <code>org.apache.wicket.authorization</code>):<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> <span class="java-keyword">interface</span> IAuthorizationStrategy
{
//<span class="java-keyword">interface</span> methods
<T <span class="java-keyword">extends</span> IRequestableComponent> <span class="java-object">boolean</span> isInstantiationAuthorized(<span class="java-object">Class</span><T> componentClass);
@@ -282,7 +282,7 @@ Since both restartResponseAtSignInPage a
<ul class="star">
<li>isInstantiationAuthorized checks if user is allowed to instantiate a given component.</li>
<li>isActionAuthorized checks if user is authorized to perform a given action on a component's instance. The standard actions checked by this method are defined into class Action and are Action.ENABLE and Action.RENDER.</li>
-</ul><p class="paragraph"/>Inside IAuthorizationStrategy we can also find a default implementation of the interface (called ALLOW_ALL) that allows everyone to instantiate every component and perform every possible action on it. This is the default strategy adopted by class Application.<p class="paragraph"/>To change the authorization strategy in use we must register the desired implementation into security settings (interface ISecuritySettings) during initialization phase with method setAuthorization Strategy:<p class="paragraph"/><div class="code"><pre>//Application class code…
+</ul><p class="paragraph"/>Inside <code>IAuthorizationStrategy</code> we can also find a default implementation of the interface (called ALLOW_ALL) that allows everyone to instantiate every component and perform every possible action on it. This is the default strategy adopted by class <code>Application</code>.<p class="paragraph"/>To change the authorization strategy in use we must register the desired implementation into security settings (interface <code>ISecuritySettings</code>) during initialization phase with method setAuthorization Strategy:<p class="paragraph"/><div class="code"><pre>//Application class code…
@Override
<span class="java-keyword">public</span> void init()
{
@@ -290,14 +290,14 @@ Since both restartResponseAtSignInPage a
getSecuritySettings().
setAuthorizationStrategy(myAuthorizationStrategy);
}
-//...</pre></div><p class="paragraph"/>If we want to combine the action of two or more authorization strategies we can chain them with strategy CompoundAuthorizationStrategy which implements composite patter for authorization strategies.<p class="paragraph"/>Most of the times we won't need to implement an IAuthorizationStrategy from scratch as Wicket already comes with a set of built-in strategies. In the next paragraphs we will see some of these strategies that can be used to implement an effective and flexible security policy.<p class="paragraph"/><h3>SimplePageAuthorizationStrategy</h3><p class="paragraph"/>Abstract class SimplePageAuthorizationStrategy (in package org.apache.wicket.authorization.strategies.page) is a strategy that checks user authorizations calling abstract method isAuthorized only for those pages that are subclasses of a given supertype. If isAuthorized returns false, the user is redirected to the sign in page specified as second constructor parameter:<p class=
"paragraph"/><div class="code"><pre>SimplePageAuthorizationStrategy authorizationStrategy = <span class="java-keyword">new</span> SimplePageAuthorizationStrategy(
+//...</pre></div><p class="paragraph"/>If we want to combine the action of two or more authorization strategies we can chain them with strategy <code>CompoundAuthorizationStrategy</code> which implements composite patter for authorization strategies.<p class="paragraph"/>Most of the times we won't need to implement an <code>IAuthorizationStrategy</code> from scratch as Wicket already comes with a set of built-in strategies. In the next paragraphs we will see some of these strategies that can be used to implement an effective and flexible security policy.<p class="paragraph"/><h3>SimplePageAuthorizationStrategy</h3><p class="paragraph"/>Abstract class SimplePageAuthorizationStrategy (in package <code>org.apache.wicket.authorization.strategies.page</code>) is a strategy that checks user authorizations calling abstract method <code>isAuthorized</code> only for those pages that are subclasses of a given supertype. If <code>isAuthorized</code> returns false, the user is redirected to the
sign in page specified as second constructor parameter:<p class="paragraph"/><div class="code"><pre>SimplePageAuthorizationStrategy authorizationStrategy = <span class="java-keyword">new</span> SimplePageAuthorizationStrategy(
PageClassToCheck.class, SignInPage.class)
{
<span class="java-keyword">protected</span> <span class="java-object">boolean</span> isAuthorized()
{
//Authentication code…
}
-};</pre></div><p class="paragraph"/>By default SimplePageAuthorizationStrategy checks for permissions only on pages. If we want to change this behavior and check also other kinds of components, we must override method isActionAuthorized and implement our custom logic inside it.<p class="paragraph"/><h3>Role-based strategies</h3><p class="paragraph"/>At the end of paragraph 18.1.1 we have introduced AbstractAuthenticatedWebSession's method getRoles which is provided to support role-based authorization returning the set of roles granted to the current user.<p class="paragraph"/>In Wicket roles are simple strings like âBASIC_USERâ or âADMINâ (they don't need to be capitalized) and they are handled with class org.apache.wicket.authroles.authorization.strategies. role.Roles. This class extends standard HashSet collection adding some functionalities to check whether the set contains one or more roles. Class Roles already defines roles Roles.USER and Roles.ADMIN.<p
class="paragraph"/>The session class in the following example returns a custom âSIGNED_INâ role for every authenticated user and it adds an Roles.ADMIN role if username is equal to superuser:<p class="paragraph"/><div class="code"><pre>class BasicAuthenticationRolesSession <span class="java-keyword">extends</span> AuthenticatedWebSession {
+};</pre></div><p class="paragraph"/>By default <code>SimplePageAuthorizationStrategy</code> checks for permissions only on pages. If we want to change this behavior and check also other kinds of components, we must override method <code>isActionAuthorized</code> and implement our custom logic inside it.<p class="paragraph"/><h3>Role-based strategies</h3><p class="paragraph"/>At the end of paragraph 18.1.1 we have introduced AbstractAuthenticatedWebSession's method getRoles which is provided to support role-based authorization returning the set of roles granted to the current user.<p class="paragraph"/>In Wicket roles are simple strings like âBASIC_USERâ or âADMINâ (they don't need to be capitalized) and they are handled with class <code>org.apache.wicket.authroles.authorization.strategies.role.Roles</code>. This class extends standard HashSet collection adding some functionalities to check whether the set contains one or more roles. Class <code>Roles</code>
already defines roles Roles.USER and Roles.ADMIN.<p class="paragraph"/>The session class in the following example returns a custom âSIGNED_INâ role for every authenticated user and it adds an Roles.ADMIN role if username is equal to superuser:<p class="paragraph"/><div class="code"><pre>class BasicAuthenticationRolesSession <span class="java-keyword">extends</span> AuthenticatedWebSession {
<span class="java-keyword">private</span> <span class="java-object">String</span> userName;<p class="paragraph"/> <span class="java-keyword">public</span> BasicAuthenticationRolesSession(Request request) {
<span class="java-keyword">super</span>(request);
}<p class="paragraph"/> @Override
@@ -310,9 +310,9 @@ Since both restartResponseAtSignInPage a
resultRoles.add(<span class="java-quote">"SIGNED_IN"</span>);<p class="paragraph"/> <span class="java-keyword">if</span>(userName.equals(<span class="java-quote">"superuser"</span>))
resultRoles.add(Roles.ADMIN);<p class="paragraph"/> <span class="java-keyword">return</span> resultRoles;
}
-}</pre></div><p class="paragraph"/>Roles can be adopted to apply security restrictions on our pages and components. This can be done using one of the two built-in authorization strategies that extend super class AbstractRole AuthorizationStrategyWicket: MetaDataRoleAuthorizationStrategy and Annotations RoleAuthorizationStrategy<p class="paragraph"/>The difference between these two strategies is that MetaDataRoleAuthorizationStrategy handles role-based authorizations with Wicket metadata while AnnotationsRoleAuthorization-Strategy uses Java annotations.<p class="paragraph"/><blockquote class="note">
-Application class AuthenticatedWebApplication already sets MetaData RoleAuthorizationStrategy and AnnotationsRoleAuthorization Strategy as its own authorization strategies (it uses a compound strategy as we will see in paragraph 18.2.4).<p class="paragraph"/>The code that we will see in the next examples is for illustrative purpose only. If our application class inherits from AuthenticatedWebApplication we won't need to configure anything to use these two strategies.
-</blockquote><p class="paragraph"/><h4>Using roles with metadata</h4><p class="paragraph"/>Strategy MetaDataRoleAuthorizationStrategy uses application and components metadata to implement role-based authorizations. The class defines a set of static methods authorize that can be used to specify which roles are allowed to instantiate a component and which roles can perform a given action on a component.<p class="paragraph"/>The following code snippet reports both application and session classes from project MetaDataRolesStrategyExample and illustrates how to use MetaDataRoleAuthorizationStrategy to allow access to a given page (AdminOnlyPage) only to ADMIN role:<p class="paragraph"/><strong class="bold">Application class:</strong><p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class WicketApplication <span class="java-keyword">extends</span> AuthenticatedWebApplication{
+}</pre></div><p class="paragraph"/>Roles can be adopted to apply security restrictions on our pages and components. This can be done using one of the two built-in authorization strategies that extend super class <code>AbstractRoleAuthorizationStrategyWicket</code>: <code>MetaDataRoleAuthorizationStrategy</code> and <code>AnnotationsRoleAuthorizationStrategy</code><p class="paragraph"/>The difference between these two strategies is that <code>MetaDataRoleAuthorizationStrategy</code> handles role-based authorizations with Wicket metadata while <code>AnnotationsRoleAuthorizationStrategy</code> uses Java annotations.<p class="paragraph"/><blockquote class="note">
+Application class <code>AuthenticatedWebApplication</code> already sets <code>MetaDataRoleAuthorizationStrategy</code> and <code>AnnotationsRoleAuthorizationStrategy</code> as its own authorization strategies (it uses a compound strategy as we will see in paragraph 18.2.4).<p class="paragraph"/>The code that we will see in the next examples is for illustrative purpose only. If our application class inherits from <code>AuthenticatedWebApplication</code> we won't need to configure anything to use these two strategies.
+</blockquote><p class="paragraph"/><h4>Using roles with metadata</h4><p class="paragraph"/>Strategy <code>MetaDataRoleAuthorizationStrategy</code> uses application and components metadata to implement role-based authorizations. The class defines a set of static methods authorize that can be used to specify which roles are allowed to instantiate a component and which roles can perform a given action on a component.<p class="paragraph"/>The following code snippet reports both application and session classes from project <code>MetaDataRolesStrategyExample</code> and illustrates how to use <code>MetaDataRoleAuthorizationStrategy</code> to allow access to a given page (AdminOnlyPage) only to ADMIN role:<p class="paragraph"/><strong class="bold">Application class:</strong><p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class WicketApplication <span class="java-keyword">extends</span> AuthenticatedWebApplication{
@Override
<span class="java-keyword">public</span> <span class="java-object">Class</span><? <span class="java-keyword">extends</span> WebPage> getHomePage(){
<span class="java-keyword">return</span> HomePage.class;
@@ -347,19 +347,19 @@ Application class AuthenticatedWebApplic
<span class="java-keyword">super</span>.signOut();
username = <span class="java-keyword">null</span>;
}
-}</pre></div><p class="paragraph"/>The code that instantiates MetaDataRoleAuthorizationStrategy and set it as application's strategy is inside application class method init.<p class="paragraph"/>Any subclass of AbstractRoleAuthorizationStrategyWicket needs an implementation of interface IRoleCheckingStrategy to be instantiated. For this purpose in the code above we used the application class itself because its base class AuthenticatedWebApplication already implements interface IRoleCheckingStrategy. By default AuthenticatedWebApplication checks for authorizations using the roles returned by the current AbstractAuthenticated WebSession. As final step inside init we grant the access to page AdminOnlyPage to ADMIN role calling method authorize.<p class="paragraph"/>The code from session class has three interesting methods. The first is authenticate which considers as valid credentials every pair of username and password having the same value. The second notable method is getRoles
which returns role SIGNED_IN if user is authenticated and it adds role ADMIN if username is equal to superuser. Finally, we have method signOut which has been overridden in order to clean the username field used internally to generate roles.<p class="paragraph"/>Now if we run the project and we try to access to AdminOnlyPage from the home page without having the ADMIN role, we will be redirected to the default access-denied page used by Wicket:<p class="paragraph"/><img border="0" class="center" src="../img/authorization-access-denied.png"></img><p class="paragraph"/>The access-denied page can be customized using method setAccessDeniedPage(Class<? extends Page>) of setting interface IApplicationSettings:<p class="paragraph"/><div class="code"><pre>//Application class code…
+}</pre></div><p class="paragraph"/>The code that instantiates <code>MetaDataRoleAuthorizationStrategy</code> and set it as application's strategy is inside application class method init.<p class="paragraph"/>Any subclass of <code>AbstractRoleAuthorizationStrategyWicket</code> needs an implementation of interface <code>IRoleCheckingStrategy</code> to be instantiated. For this purpose in the code above we used the application class itself because its base class <code>AuthenticatedWebApplication</code> already implements interface <code>IRoleCheckingStrategy</code>. By default <code>AuthenticatedWebApplication</code> checks for authorizations using the roles returned by the current <code>AbstractAuthenticatedWebSession</code>. As final step inside init we grant the access to page <code>AdminOnlyPage</code> to ADMIN role calling method authorize.<p class="paragraph"/>The code from session class has three interesting methods. The first is authenticate which considers as valid creden
tials every pair of username and password having the same value. The second notable method is getRoles which returns role SIGNED_IN if user is authenticated and it adds role ADMIN if username is equal to superuser. Finally, we have method signOut which has been overridden in order to clean the username field used internally to generate roles.<p class="paragraph"/>Now if we run the project and we try to access to <code>AdminOnlyPage</code> from the home page without having the ADMIN role, we will be redirected to the default access-denied page used by Wicket:<p class="paragraph"/><img border="0" class="center" src="../img/authorization-access-denied.png"></img><p class="paragraph"/>The access-denied page can be customized using method <code>setAccessDeniedPage(Class<? extends Page>)</code> of setting interface <code>IApplicationSettings</code>:<p class="paragraph"/><div class="code"><pre>//Application class code…
@Override
<span class="java-keyword">public</span> void init(){
getApplicationSettings().setAccessDeniedPage(
MyCustomAccessDeniedPage.class);
- }</pre></div><p class="paragraph"/>Just like custom âPage expiredâ page (see chapter 6.2.5), also custom âAccess deniedâ page must be bookmarkable.<p class="paragraph"/><h4>Using roles with annotations</h4><p class="paragraph"/>Strategy AnnotationsRoleAuthorizationStrategy relies on two built-in annotations to handle role-based authorizations. These annotations are AuthorizeInstantiation and Authorize Action. As their names suggest the first annotation specifies which roles are allowed to instantiate the annotated component while the second must be used to indicate which roles are allowed to perform a specific action on the annotated component.<p class="paragraph"/>In the following example we use annotations to make a page accessible only to signed-in users and to enable it only if user has the ADMIN role:<p class="paragraph"/><div class="code"><pre>@AuthorizeInstantiation(<span class="java-quote">"SIGNED_IN"</span>)
+ }</pre></div><p class="paragraph"/>Just like custom âPage expiredâ page (see chapter 6.2.5), also custom âAccess deniedâ page must be bookmarkable.<p class="paragraph"/><h4>Using roles with annotations</h4><p class="paragraph"/>Strategy <code>AnnotationsRoleAuthorizationStrategy</code> relies on two built-in annotations to handle role-based authorizations. These annotations are <code>AuthorizeInstantiation</code> and <code>AuthorizeAction</code>. As their names suggest the first annotation specifies which roles are allowed to instantiate the annotated component while the second must be used to indicate which roles are allowed to perform a specific action on the annotated component.<p class="paragraph"/>In the following example we use annotations to make a page accessible only to signed-in users and to enable it only if user has the ADMIN role:<p class="paragraph"/><div class="code"><pre>@AuthorizeInstantiation(<span class="java-quote">"SIGNED_IN"</spa
n>)
@AuthorizeAction(action = <span class="java-quote">"ENABLE"</span>, roles = {<span class="java-quote">"ADMIN"</span>})
<span class="java-keyword">public</span> class MyPage <span class="java-keyword">extends</span> WebPage {
//Page class code…
-}</pre></div><p class="paragraph"/>Remember that when a component is not enabled, user can render it but he can neither click on its links nor interact with its forms.<p class="paragraph"/>Example project AnnotationsRolesStrategyExample is a revisited version of MetaDataRolesStrategy Example where we use AnnotationsRoleAuthorizationStrategy as authorization strategy. To ensure that page AdminOnlyPage is accessible only to ADMIN role we have used the following annotation:<p class="paragraph"/><div class="code"><pre>@AuthorizeInstantiation(<span class="java-quote">"ADMIN"</span>)
+}</pre></div><p class="paragraph"/>Remember that when a component is not enabled, user can render it but he can neither click on its links nor interact with its forms.<p class="paragraph"/>Example project <code>AnnotationsRolesStrategyExample</code> is a revisited version of <code>MetaDataRolesStrategyExample</code> where we use <code>AnnotationsRoleAuthorizationStrategy</code> as authorization strategy. To ensure that page <code>AdminOnlyPage</code> is accessible only to ADMIN role we have used the following annotation:<p class="paragraph"/><div class="code"><pre>@AuthorizeInstantiation(<span class="java-quote">"ADMIN"</span>)
<span class="java-keyword">public</span> class AdminOnlyPage <span class="java-keyword">extends</span> WebPage {
//Page class code…
-}</pre></div><p class="paragraph"/><h3>Catching an unauthorized component instantiation</h3><p class="paragraph"/>Interface IUnauthorizedComponentInstantiationListener (in package org.apache.wicket.authorization) is provided to give the chance to handle the case in which a user tries to instantiate a component without having the permissions to do it. The method defined inside this interface is onUnauthorizedInstantiation(Component) and it is executed whenever a user attempts to execute an unauthorized instantiation.<p class="paragraph"/>This listener must be registered into application's security settings with method setUnauthorized ComponentInstantiationListener defined by setting interface ISecuritySettings. In the following code snippet we register a listener that redirect user to a warning page if he tries to do a not-allowed instantiation:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> class WicketApplication <span class="java-
keyword">extends</span> AuthenticatedWebApplication{
+}</pre></div><p class="paragraph"/><h3>Catching an unauthorized component instantiation</h3><p class="paragraph"/>Interface IUnauthorizedComponentInstantiationListener (in package <code>org.apache.wicket.authorization</code>) is provided to give the chance to handle the case in which a user tries to instantiate a component without having the permissions to do it. The method defined inside this interface is <code>onUnauthorizedInstantiation(Component)</code> and it is executed whenever a user attempts to execute an unauthorized instantiation.<p class="paragraph"/>This listener must be registered into application's security settings with method setUnauthorized <code>ComponentInstantiationListener</code> defined by setting interface <code>ISecuritySettings</code>. In the following code snippet we register a listener that redirect user to a warning page if he tries to do a not-allowed instantiation:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</
span> class WicketApplication <span class="java-keyword">extends</span> AuthenticatedWebApplication{
//Application code…
@Override
<span class="java-keyword">public</span> void init(){
@@ -370,12 +370,12 @@ Application class AuthenticatedWebApplic
}
});
}
-}</pre></div><p class="paragraph"/>In addition to interface IRoleCheckingStrategy, class AuthenticatedWebApplication implements also IUnauthorizedComponentInstantiationListener and registers itself as listener for unauthorized instantiations.<p class="paragraph"/>By default AuthenticatedWebApplication redirects users to sign-in page if they are not signed-in and they try to instantiate a restricted component. Otherwise, if users are already signed in but they are not allowed to instantiate a given component, an UnauthorizedInstantiationException will be thrown.<p class="paragraph"/><h3>Strategy RoleAuthorizationStrategy</h3><p class="paragraph"/>Class RoleAuthorizationStrategy is a compound strategy that combines both MetaData RoleAuthorizationStrategy and AnnotationsRoleAuthorizationStrategy.<p class="paragraph"/>This is the strategy used internally by AuthenticatedWebApplication.
+}</pre></div><p class="paragraph"/>In addition to interface <code>IRoleCheckingStrategy</code>, class <code>AuthenticatedWebApplication</code> implements also <code>IUnauthorizedComponentInstantiationListener</code> and registers itself as listener for unauthorized instantiations.<p class="paragraph"/>By default <code>AuthenticatedWebApplication</code> redirects users to sign-in page if they are not signed-in and they try to instantiate a restricted component. Otherwise, if users are already signed in but they are not allowed to instantiate a given component, an <code>UnauthorizedInstantiationException</code> will be thrown.<p class="paragraph"/><h3>Strategy RoleAuthorizationStrategy</h3><p class="paragraph"/>Class <code>RoleAuthorizationStrategy</code> is a compound strategy that combines both <code>MetaDataRoleAuthorizationStrategy</code> and <code>AnnotationsRoleAuthorizationStrategy</code>.<p class="paragraph"/>This is the strategy used internally by <code>AuthenticatedWebA
pplication</code>.
<h2 id="chapter19_3">20.3 Using HTTPS protocol</h2>
-<p class="paragraph"/>HTTPS is the standard technology adopted on Internet to create a secure communication channel between web applications and their users.<p class="paragraph"/>In Wicket we can easily protect our pages with HTTPS mounting a special request mapper called HttpsMapper and using annotation RequireHttps with those pages we want to serve over this protocol. Both these two entities are in package org.apache.wicket.protocol.https.<p class="paragraph"/>HttpsMapper wraps an existing mapper and redirects incoming requests to HTTPS if the related response must render a page containing annotation RequireHttps. Most of the times the wrapped mapper will be the root one, just like we saw before for CryptoManager in paragraph 8.6.6.<p class="paragraph"/>Another parameter needed to build a HttpsMapper is an instance of class HttpsConfig. This class allows us to specify which ports must be used for HTTPS and HTTP. By default the port numbers used by these two protocols are respectiv
ely 443 and 80.<p class="paragraph"/>The following code is taken from project HttpsProtocolExample and illustrates how to enable HTTPS in our applications:<p class="paragraph"/><div class="code"><pre>//Application class code…
+<p class="paragraph"/>HTTPS is the standard technology adopted on Internet to create a secure communication channel between web applications and their users.<p class="paragraph"/>In Wicket we can easily protect our pages with HTTPS mounting a special request mapper called <code>HttpsMapper</code> and using annotation RequireHttps with those pages we want to serve over this protocol. Both these two entities are in package <code>org.apache.wicket.protocol.https</code>.<p class="paragraph"/>HttpsMapper wraps an existing mapper and redirects incoming requests to HTTPS if the related response must render a page containing annotation <code>RequireHttps</code>. Most of the times the wrapped mapper will be the root one, just like we saw before for <code>CryptoManager</code> in paragraph 8.6.6.<p class="paragraph"/>Another parameter needed to build a <code>HttpsMapper</code> is an instance of class <code>HttpsConfi</code>g. This class allows us to specify which ports must be used for HTTPS a
nd HTTP. By default the port numbers used by these two protocols are respectively 443 and 80.<p class="paragraph"/>The following code is taken from project <code>HttpsProtocolExample</code> and illustrates how to enable HTTPS in our applications:<p class="paragraph"/><div class="code"><pre>//Application class code…
@Override
<span class="java-keyword">public</span> void init(){
setRootRequestMapper(<span class="java-keyword">new</span> HttpsMapper(getRootRequestMapper(),
@@ -385,7 +385,7 @@ Application class AuthenticatedWebApplic
<span class="java-keyword">public</span> HomePage(<span class="java-keyword">final</span> PageParameters parameters) {
<span class="java-keyword">super</span>(parameters);
}
-}</pre></div><p class="paragraph"/>If we want to protect many pages with HTTPS without adding annotation RequireHttps to each of them, we can annotate a marker interface or a base page class and implement/extend it in any page we want to make secure:<p class="paragraph"/><div class="code"><pre>// Marker <span class="java-keyword">interface</span>:
+}</pre></div><p class="paragraph"/>If we want to protect many pages with HTTPS without adding annotation <code>RequireHttps</code> to each of them, we can annotate a marker interface or a base page class and implement/extend it in any page we want to make secure:<p class="paragraph"/><div class="code"><pre>// Marker <span class="java-keyword">interface</span>:
@RequireHttps
<span class="java-keyword">public</span> <span class="java-keyword">interface</span> IMarker{
}<p class="paragraph"/>// Base class:
@@ -402,7 +402,7 @@ Application class AuthenticatedWebApplic
<h2 id="chapter19_4">20.4 Package Resource Guard</h2>
-<p class="paragraph"/>Wicket internally uses an entity called package resource guard to protect package resources from external access. This entity is an implementation of interface org.apache.wicket.markup.html. IPackageResourceGuard.<p class="paragraph"/>By default Wicket applications use as package resource guard class SecurePackageResource Guard, which allows to access only to the following file extensions (grouped by type):<p class="paragraph"/><table class="wiki-table" cellpadding="0" cellspacing="0" border="0"><tr><th>File</th><th>Extensions</th></tr><tr class="table-odd"><td><strong class="bold">JavaScript files</strong></td><td>.js</td></tr><tr class="table-even"><td><strong class="bold">CSS files</strong></td><td>.css</td></tr><tr class="table-odd"><td><strong class="bold">HTML pages</strong></td><td>.html</td></tr><tr class="table-even"><td><strong class="bold">Textual files</strong></td><td>.txt</td></tr><tr class="table-odd"><td><strong class="bold">Flash files</strong>
</td><td>.swf</td></tr><tr class="table-even"><td><strong class="bold">Picture files</strong></td><td>.png, .jpg, .jpeg, .gif, .ico, .cur, .bmp, .svg</td></tr><tr class="table-odd"><td><strong class="bold">Web font files</strong></td><td>.eot, .ttf, .woff</td></tr></table><p class="paragraph"/>To modify the set of allowed files formats we can add one or more patterns with method addPattern (String). The rules to write a pattern are the following:
+<p class="paragraph"/>Wicket internally uses an entity called package resource guard to protect package resources from external access. This entity is an implementation of interface <code>org.apache.wicket.markup.html.IPackageResourceGuard</code>.<p class="paragraph"/>By default Wicket applications use as package resource guard class <code>SecurePackageResourceGuard</code>, which allows to access only to the following file extensions (grouped by type):<p class="paragraph"/><table class="wiki-table" cellpadding="0" cellspacing="0" border="0"><tr><th>File</th><th>Extensions</th></tr><tr class="table-odd"><td><strong class="bold">JavaScript files</strong></td><td>.js</td></tr><tr class="table-even"><td><strong class="bold">CSS files</strong></td><td>.css</td></tr><tr class="table-odd"><td><strong class="bold">HTML pages</strong></td><td>.html</td></tr><tr class="table-even"><td><strong class="bold">Textual files</strong></td><td>.txt</td></tr><tr class="table-odd"><td><strong class="bo
ld">Flash files</strong></td><td>.swf</td></tr><tr class="table-even"><td><strong class="bold">Picture files</strong></td><td>.png, .jpg, .jpeg, .gif, .ico, .cur, .bmp, .svg</td></tr><tr class="table-odd"><td><strong class="bold">Web font files</strong></td><td>.eot, .ttf, .woff</td></tr></table><p class="paragraph"/>To modify the set of allowed files formats we can add one or more patterns with method <code>addPattern(String)</code>. The rules to write a pattern are the following:
<ul class="star">
<li>patterns start with either a "+" or a "-". In the first case the pattern will add one or more file to the set while starting a pattern with a â-â we exclude all the files matching the given pattern. For example pattern â-web.xmlâ excludes all web.xml files in all directories.</li>
<li>wildcard character â*â is supported as placeholder for zero or more characters. For example pattern â+*.mp4â adds all the mp4 files inside all directories.</li>
@@ -425,7 +425,7 @@ Application class AuthenticatedWebApplic
<h2 id="chapter19_5">20.5 Summary</h2>
-<p class="paragraph"/> In this chapter we have seen the components and the mechanisms that allow us to implement security policies in our Wicket-based applications. Wicket comes with an out of the box support for both authorization and authentication.<p class="paragraph"/>The central element of authorization mechanism is the interface IAuthorizationStrategy which decouples our components from any detail about security strategy. The implementations of this interface must decide if a user is allowed to instantiate a given page or component and if she/he can perform a given action on it.<p class="paragraph"/>Wicket natively supports role-based authorizations with strategies MetaDataRoleAuthorization Strategy and AnnotationsRoleAuthorizationStrategy. The difference between these two strategies is that the first offers a programmatic approach for role handling while the second promotes a declarative approach using built-in annotations.<p class="paragraph"/>After having explored how Wicke
t internally implements authentication and authorization, in the last part of the chapter we have learnt how to configure our applications to support HTTPS and how to specify which pages must be served over this protocol.<p class="paragraph"/>In the last paragraph we have seen how Wicket protects package resources with a guard entity that allows us to decide which package resources can be accessed from users.<p class="paragraph"/><p class="paragraph"/>
+<p class="paragraph"/> In this chapter we have seen the components and the mechanisms that allow us to implement security policies in our Wicket-based applications. Wicket comes with an out of the box support for both authorization and authentication.<p class="paragraph"/>The central element of authorization mechanism is the interface <code>IAuthorizationStrategy</code> which decouples our components from any detail about security strategy. The implementations of this interface must decide if a user is allowed to instantiate a given page or component and if she/he can perform a given action on it.<p class="paragraph"/>Wicket natively supports role-based authorizations with strategies <code>MetaDataRoleAuthorizationStrategy</code> and <code>AnnotationsRoleAuthorizationStrategy</code>. The difference between these two strategies is that the first offers a programmatic approach for role handling while the second promotes a declarative approach using built-in annotations.<p class="parag
raph"/>After having explored how Wicket internally implements authentication and authorization, in the last part of the chapter we have learnt how to configure our applications to support HTTPS and how to specify which pages must be served over this protocol.<p class="paragraph"/>In the last paragraph we have seen how Wicket protects package resources with a guard entity that allows us to decide which package resources can be accessed from users.<p class="paragraph"/><p class="paragraph"/>
<div style="clear:both;margin-top:15px;"></div>
Modified: wicket/common/site/trunk/_site/guide/guide/chapter20.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/chapter20.html?rev=1550971&r1=1550970&r2=1550971&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/guide/guide/chapter20.html (original)
+++ wicket/common/site/trunk/_site/guide/guide/chapter20.html Sat Dec 14 21:13:09 2013
@@ -190,7 +190,7 @@ function addJsClass() {
//assert rendered page class
tester.assertRenderedPage(HomePage.class);
}
-}</pre></div><p class="paragraph"/>The central class in a Wicket testing is org.apache.wicket.util.tester.WicketTester. This utility class provides a set of methods to render a component, click links, check if page contains a given component or a feedback message, and so on.<p class="paragraph"/>The basic test case shipped with TestHomePage illustrates how WicketTester is typically instantiated (inside method setUp()). In order to test our components, WicketTester needs to use an instance of WebApplication. Usually, we will use our application class as WebApplication, but we can also decide to build WicketTester invoking its no-argument constructor and letting it automatically build a mock web application (an instance of class org.apache.wicket.mock. MockApplication).<p class="paragraph"/>The code from TestHomePage introduces two basic methods to test our pages. The first is method startPage that renders a new instance of the given page class and sets it as current rendered pag
e for WicketTester. The second method is assertRenderedPage which checks if the current rendered page is an instance of the given class. In this way if TestHomePage succeeds we are sure that page HomePage has been rendered without any problem. The last rendered page can be retrieved with method getLastRenderedPage.<p class="paragraph"/>That's only a taste of what WicketTester can do. In the next paragraphs we will see how it can be used to test every element that composes a Wicket page (links, models, behaviors, etc...).<p class="paragraph"/><h3>Testing links</h3><p class="paragraph"/>A click on a Wicket link can be simulated with method clickLink which takes in input the link component or the page-relative path to it.<p class="paragraph"/>To see an example of usage of clickLink, let's consider again project LifeCycleStagesRevisited. As we know from chapter 5 the home page of the project alternately displays two different labels (âFirst labelâ and âSecond labelâ)
, swapping between them each time button "reload" is clicked. The code from its test case checks that label has actually changed after button "reload" has been pressed:<p class="paragraph"/><div class="code"><pre>//…
+}</pre></div><p class="paragraph"/>The central class in a Wicket testing is <code>org.apache.wicket.util.tester.WicketTester</code>. This utility class provides a set of methods to render a component, click links, check if page contains a given component or a feedback message, and so on.<p class="paragraph"/>The basic test case shipped with <code>TestHomePage</code> illustrates how <code>WicketTester</code> is typically instantiated (inside method <code>setUp()</code>). In order to test our components, WicketTester needs to use an instance of <code>WebApplication</code>. Usually, we will use our application class as <code>WebApplication</code>, but we can also decide to build WicketTester invoking its no-argument constructor and letting it automatically build a mock web application (an instance of class <code>org.apache.wicket.mock.MockApplication</code>).<p class="paragraph"/>The code from <code>TestHomePage</code> introduces two basic methods to test our pages. The first is m
ethod <code>startPage</code> that renders a new instance of the given page class and sets it as current rendered page for WicketTester. The second method is assertRenderedPage which checks if the current rendered page is an instance of the given class. In this way if TestHomePage succeeds we are sure that page HomePage has been rendered without any problem. The last rendered page can be retrieved with method <code>getLastRenderedPage</code>.<p class="paragraph"/>That's only a taste of what <code>WicketTester</code> can do. In the next paragraphs we will see how it can be used to test every element that composes a Wicket page (links, models, behaviors, etc...).<p class="paragraph"/><h3>Testing links</h3><p class="paragraph"/>A click on a Wicket link can be simulated with method clickLink which takes in input the link component or the page-relative path to it.<p class="paragraph"/>To see an example of usage of clickLink, let's consider again project LifeCycleStagesRevisited. As we kno
w from chapter 5 the home page of the project alternately displays two different labels (âFirst labelâ and âSecond labelâ), swapping between them each time button "reload" is clicked. The code from its test case checks that label has actually changed after button "reload" has been pressed:<p class="paragraph"/><div class="code"><pre>//…
@Test
<span class="java-keyword">public</span> void switchLabelTest(){
//start and render the test page
@@ -366,7 +366,7 @@ formTester.submit(<span class="java-
<h2 id="chapter20_3">21.3 Testing markup with TagTester</h2>
-<p class="paragraph"/>If we need to test component markup at a more fine-grained level, we can use class TagTester from package org.apache.wicket.util.tester.<p class="paragraph"/>This test class allows to check if the generated markup contains one or more tags having a given attribute with a given value. TagTester can not be directly instantiated but it comes with three factory methods that return one or more TagTester matching the searching criteria. In the following test case (from project TagTesterExample) we retrieve the first tag of the home page (a <span> tag) having attribute class equal to myClass:<p class="paragraph"/><strong class="bold">HomePage markup:</strong><p class="paragraph"/><div class="code"><pre><html xmlns:wicket=<span class="java-quote">"http://wicket.apache.org"</span>>
+<p class="paragraph"/>If we need to test component markup at a more fine-grained level, we can use class <code>TagTester</code> from package <code>org.apache.wicket.util.tester</code>.<p class="paragraph"/>This test class allows to check if the generated markup contains one or more tags having a given attribute with a given value. TagTester can not be directly instantiated but it comes with three factory methods that return one or more TagTester matching the searching criteria. In the following test case (from project TagTesterExample) we retrieve the first tag of the home page (a <span> tag) having attribute class equal to myClass:<p class="paragraph"/><strong class="bold">HomePage markup:</strong><p class="paragraph"/><div class="code"><pre><html xmlns:wicket=<span class="java-quote">"http://wicket.apache.org"</span>>
<head>
<meta charset=<span class="java-quote">"utf-8"</span> />
<title></title>
@@ -384,7 +384,7 @@ formTester.submit(<span class="java-
<span class="java-object">String</span> responseTxt = tester.getLastResponse().getDocument();<p class="paragraph"/> TagTester tagTester = TagTester.createTagByAttribute(responseTxt, <span class="java-quote">"class"</span>, <span class="java-quote">"myClass"</span>);<p class="paragraph"/> Assert.assertNotNull(tagTester);
Assert.assertEquals(<span class="java-quote">"span"</span>, tagTester.getName());<p class="paragraph"/> List<TagTester> tagTesterList = TagTester.createTagsByAttribute(responseTxt,
<span class="java-quote">"class"</span>, <span class="java-quote">"myClass"</span>, <span class="java-keyword">false</span>);<p class="paragraph"/> Assert.assertEquals(2, tagTesterList.size());
-}</pre></div><p class="paragraph"/>The name of the tag found by TagTester can be retrieved with its method getName. Method createTagsByAttribute returns all the tags that have the given value on the class attribute. In the code above we have used this method to test that our markup contains two tags having attribute class equal to myClass.<p class="paragraph"/>Another utility class that comes in handy when we want to test components markup is ComponentRenderer in package org.apache.wicket.core.util.string. The purpose of this class is to render a page or a component in isolation with its static methods renderComponent and renderPage. Both methods return the generated markup as CharSequence:<p class="paragraph"/><div class="code"><pre>@Test
+}</pre></div><p class="paragraph"/>The name of the tag found by TagTester can be retrieved with its method getName. Method createTagsByAttribute returns all the tags that have the given value on the class attribute. In the code above we have used this method to test that our markup contains two tags having attribute class equal to myClass.<p class="paragraph"/>Another utility class that comes in handy when we want to test components markup is ComponentRenderer in package <code>org.apache.wicket.core.util.string</code>. The purpose of this class is to render a page or a component in isolation with its static methods renderComponent and renderPage. Both methods return the generated markup as CharSequence:<p class="paragraph"/><div class="code"><pre>@Test
<span class="java-keyword">public</span> void customComponentMarkupTest()
{
//instantiate MyComponent
Modified: wicket/common/site/trunk/_site/guide/guide/chapter21.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/chapter21.html?rev=1550971&r1=1550970&r2=1550971&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/guide/guide/chapter21.html (original)
+++ wicket/common/site/trunk/_site/guide/guide/chapter21.html Sat Dec 14 21:13:09 2013
@@ -258,7 +258,7 @@ Since the development of many web applic
at org.apache.wicket.util.tester.WicketTester.
<init>(WicketTester.java:325)
at org.apache.wicket.util.tester.WicketTester.
- <init>(WicketTester.java:308)</pre></div><p class="paragraph"/>As you can see above, the Exception gets raised during the initialization of the WicketTester instance even before the actual test method gets executed. Even though we have applied rather cool and simple annotation based test configuration already described and passed in perfectly well prepared ApplicationContext instance to the WicketTester instance in the constructor, somewhere down the rabbit hole someone complained that no WebApplicationContext instance could have been found which seems to be required in order to initialize the WicketTester properly.<p class="paragraph"/><img border="0" class="center" src="../img/description-of-illegalstate.jpg"></img><p class="paragraph"/>The problem that we run against here is due to the fact that SpringComponentInjector during its own initialization is trying to get hold of an according Spring's ApplicationContext instance that would normally be there in a runtime environ
ment but does not find any since we are running in a test environment currently. SpringComponentInjector delegates to Spring's own WebApplicationContextUtils class to retrieve the instance of ApplicationContext out of the ServletContext which is perfectly fine for a runtime environment but is unfortunately failing in a test environment:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> <span class="java-keyword">static</span> WebApplicationContext getRequiredWebApplicationContext(ServletContext sc)
+ <init>(WicketTester.java:308)</pre></div><p class="paragraph"/>As you can see above, the Exception gets raised during the initialization of the <code>WicketTester</code> instance even before the actual test method gets executed. Even though we have applied rather cool and simple annotation based test configuration already described and passed in perfectly well prepared ApplicationContext instance to the WicketTester instance in the constructor, somewhere down the rabbit hole someone complained that no WebApplicationContext instance could have been found which seems to be required in order to initialize the WicketTester properly.<p class="paragraph"/><img border="0" class="center" src="../img/description-of-illegalstate.jpg"></img><p class="paragraph"/>The problem that we run against here is due to the fact that SpringComponentInjector during its own initialization is trying to get hold of an according Spring's ApplicationContext instance that would normally be there in a ru
ntime environment but does not find any since we are running in a test environment currently. SpringComponentInjector delegates to Spring's own WebApplicationContextUtils class to retrieve the instance of ApplicationContext out of the ServletContext which is perfectly fine for a runtime environment but is unfortunately failing in a test environment:<p class="paragraph"/><div class="code"><pre><span class="java-keyword">public</span> <span class="java-keyword">static</span> WebApplicationContext getRequiredWebApplicationContext(ServletContext sc)
<span class="java-keyword">throws</span> IllegalStateException {<p class="paragraph"/> WebApplicationContext wac = getWebApplicationContext(sc);
<span class="java-keyword">if</span> (wac == <span class="java-keyword">null</span>) {
<span class="java-keyword">throw</span> <span class="java-keyword">new</span> IllegalStateException(<span class="java-quote">"No WebApplicationContext found: no ContextLoaderListener registered?"</span>);
Modified: wicket/common/site/trunk/_site/guide/guide/chapter26.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/chapter26.html?rev=1550971&r1=1550970&r2=1550971&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/guide/guide/chapter26.html (original)
+++ wicket/common/site/trunk/_site/guide/guide/chapter26.html Sat Dec 14 21:13:09 2013
@@ -158,7 +158,7 @@ function addJsClass() {
You can contribute to this guide by following these steps:
<ul class="star">
<li>The guide uses Grails GDoc to generate the final HTML/PDF so you should consult with its <a href="http://grails.org/WikiSyntax" target="blank">syntax</a>.</li>
-<li>Checkout Apache Wicket's <a href="../ref/Httpssvnapacheorgreposasfwicketcommonsitetrunksite/site.html" class="https://svn.apache.org/repos/asf/wicket/common/site/trunk/_site/">site</a></li>
+<li>Checkout Apache Wicket's <a href="https://svn.apache.org/repos/asf/wicket/common/site/trunk/_site/" target="blank">site</a></li>
</ul><p class="paragraph"/><div class="code"><pre>svn checkout https://svn.apache.org/repos/asf/wicket/common/site/trunk/_site/</pre></div>
<ul class="star">
<li>Edit the <em class="italic">.gdoc</em> files in <em class="italic">_site/guide/guide/src/docs/guide</em> folder</li>
@@ -176,7 +176,7 @@ You can contribute to this guide by foll
<li>To preview your changes open <em class="italic">_site/guide/index.html</em> in a browser</li>
<li>Create a patch with</li>
</ul><p class="paragraph"/><div class="code"><pre>svn diff > my.patch</pre></div>
-and attach it to a ticket in Apache Wicket's <a href="../ref/Httpsissuesapacheorgjirabrowse WICKET/JIRA.html" class="https://issues.apache.org/jira/browse/WICKET">JIRA</a><p class="paragraph"/><strong class="bold">Thank you!</strong>
+and attach it to a ticket in Apache Wicket's <a href="https://issues.apache.org/jira/browse/WICKET" target="blank">JIRA</a><p class="paragraph"/><strong class="bold">Thank you!</strong>
<div style="clear:both;margin-top:15px;"></div>
Modified: wicket/common/site/trunk/_site/guide/guide/chapter6.html
URL: http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/chapter6.html?rev=1550971&r1=1550970&r2=1550971&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/guide/guide/chapter6.html (original)
+++ wicket/common/site/trunk/_site/guide/guide/chapter6.html Sat Dec 14 21:13:09 2013
@@ -224,7 +224,7 @@ This stage is triggered each time a comp
replace(firstLabel);<p class="paragraph"/> <span class="java-keyword">super</span>.onBeforeRender();
}
}</pre></div><p class="paragraph"/>The code inside <code>onBeforeRender()</code> is quite trivial as it just checks which label among <code>firstLabel</code> and <code>secondLabel</code> is currently inserted into the component hierarchy and it replaces the inserted label with the other one.<p class="paragraph"/>This method is also responsible for invoking children <code>onBeforeRender()</code> so if we decide to override it we have to call <code>super.onBeforeRender()</code>. However, unlike <code>onInitialize()</code>, the call to superclass method should be placed at the end of method's body in order to affect children's rendering with our custom code.<p class="paragraph"/>Please note that in the example above we can trigger the rendering stage pressing F5 key or clicking on link âreloadâ.<p class="paragraph"/><blockquote class="warning">
-If we forget to call superclass version of methods <code>onInitialize()</code> or <code>onBeforeRender()</code>, Wicket will throw an <code>IllegalStateException</code> with the following message:<p class="paragraph"/><code>java.lang.IllegalStateException: org.apache.wicket.Component has not been properly initialized. Something in the hierarchy of <page class name> has not called super.onInitialize()/onBeforeRender() in the override of onInitialize()/ onBeforeRender() method</code><p class="paragraph"/></blockquote><p class="paragraph"/><h3>Method onComponentTag</h3><p class="paragraph"/>Method <code>onComponentTag(ComponentTag)</code> is called to process component tag, which can be freely manipulated through its argument of type <code>org.apache.wicket.markup.ComponentTag</code>. For example we can add/remove tag attributes with methods <code>put(String key, String value)</code> and <code>remove(String key)</code>, or we can even decide to change the tag or rename it with
method <code>setName(String)</code> (the following code is taken from project OnComponentTagExample):<p class="paragraph"/><strong class="bold">Markup code:</strong><p class="paragraph"/><div class="code"><pre><head>
+If we forget to call superclass version of methods <code>onInitialize()</code> or <code>onBeforeRender()</code>, Wicket will throw an <code>IllegalStateException</code> with the following message:<p class="paragraph"/><code>java.lang.IllegalStateException: </code>org.apache.wicket.Component<code> has not been properly initialized. Something in the hierarchy of <page class name> has not called super.onInitialize()/onBeforeRender() in the override of onInitialize()/ onBeforeRender() method</code><p class="paragraph"/></blockquote><p class="paragraph"/><h3>Method onComponentTag</h3><p class="paragraph"/>Method <code>onComponentTag(ComponentTag)</code> is called to process component tag, which can be freely manipulated through its argument of type <code>org.apache.wicket.markup.ComponentTag</code>. For example we can add/remove tag attributes with methods <code>put(String key, String value)</code> and <code>remove(String key)</code>, or we can even decide to change the tag or re
name it with method <code>setName(String)</code> (the following code is taken from project OnComponentTagExample):<p class="paragraph"/><strong class="bold">Markup code:</strong><p class="paragraph"/><div class="code"><pre><head>
<meta charset=<span class="java-quote">"utf-8"</span> />
<title></title>
</head>