You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@wicket.apache.org by Christopher L Merrill <ch...@webperformance.com> on 2009/06/09 22:31:04 UTC
getting started with swarm/wasp - rendering links to secure pages
I have a question about rendering of links to secure pages when the user has not
been authenticated.
Based on this line from the tutorial:
"In addition we granted links to our homepage the right to be clicked (enable)."
I expected the link to either be non-visible or non-clickable - since I did not grant the
enable permission for this page until login. The link is enabled (though the user is
redirected to the login page when clicked).
I've made my way through the getting-started guide
(http://wicketstuff.org/confluence/display/STUFFWIKI/Getting+started+with+Swarm)
and have a simple example working in my prototype. I have 3 pages:
- HomePage (non-secure)
- LoginPage (non-secure...obviously)
- Page2 (secure)
My authorization file looks like this:
grant principal org.apache.wicket.security.hive.authorization.SimplePrincipal "basic"
{
permission org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
"com.webperformance.portal.web.Page2", "inherit, render";
permission org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
"com.webperformance.portal.web.Page2", "enable";
};
When the user logs in, they get the "basic" principal via a UsernamePasswordContext.
I have a link from the HomePage to Page2 (secure page). When the HomePage renders and the
user had not logged in, the link is enabled. Clicking the link does not take the user to
the page - it takes them to the login page. I was expecting the link to be disabled - so
you don't even get the clickable cursor for it. Am I simply mistaken in my understanding
of what "right to be clicked" means? Or have I missed some crucial bit somewhere to allow
it to function as I expected?
If user is not authorized for an action, we will either want links to be disabled (i.e. non-
clickable) or be not rendered at all...depending on the context. Is this something that
should be done via wasp/swarm or should I be doing this manually during page construction?
TIA!
Chris
--
------------------------------------------------------------------------ -
Chris Merrill | Web Performance, Inc.
chris@webperformance.com | http://webperformance.com
919-433-1762 | 919-845-7601
Website Load Testing and Stress Testing Software & Services
------------------------------------------------------------------------ -
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: getting started with swarm/wasp - rendering links to secure pages
Posted by Christopher L Merrill <ch...@webperformance.com>.
Now I'm embarrassed for posting that question. I see there is a SecurePageLink
class that already does that I need...and I see from that source how I can create
the LinkSecurityCheck if I wanted to do it myself.
Thanks Warren!
I've got it working now. Like everything else in Wicket, that was really easy :>
Chris
Christopher L Merrill wrote:
> Warren Bell wrote:
> > Try securing the link on your HomePage and do not secure the HomePage
> > itself. The link has to implement ISecureComponent.
>
> Warren,
>
> I've followed your suggestion but the link is still rendering, so I'm still
> missing something.
>
> First, I made my own component MyPageLink that extends PageLink and
> implements
> ISecureComponent. I implemented the ISecureComponent methods by simply
> calling
> into the corresponding methods in SecureComponentHelper, as suggested in
> the
> ISecureComponent docs.
>
> I added the link in the home page like this:
> add(new MyPageLink("link", Page2.class));
>
> Maybe I needed to do more in the implementation - I see that
> getSecurityCheck()
> in MyPageLink is returning null...which the results in
> WaspAuthorizationStrategy.
> isActionAuthorized("link", "RENDER") returning true.
>
> Who should be calling MyPageLink.setSecurityCheck()? Me? I'm not sure
> what
> I should be passing to it?
>
>
> Any suggestions?
>
> TIA!
> Chris
>
>
--
------------------------------------------------------------------------ -
Chris Merrill | Web Performance, Inc.
chris@webperformance.com | http://webperformance.com
919-433-1762 | 919-845-7601
Website Load Testing and Stress Testing Software & Services
------------------------------------------------------------------------ -
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: getting started with swarm/wasp - rendering links to secure pages
Posted by Christopher L Merrill <ch...@webperformance.com>.
Warren Bell wrote:
> Try securing the link on your HomePage and do not secure the HomePage
> itself. The link has to implement ISecureComponent.
Warren,
I've followed your suggestion but the link is still rendering, so I'm still
missing something.
First, I made my own component MyPageLink that extends PageLink and implements
ISecureComponent. I implemented the ISecureComponent methods by simply calling
into the corresponding methods in SecureComponentHelper, as suggested in the
ISecureComponent docs.
I added the link in the home page like this:
add(new MyPageLink("link", Page2.class));
Maybe I needed to do more in the implementation - I see that getSecurityCheck()
in MyPageLink is returning null...which the results in WaspAuthorizationStrategy.
isActionAuthorized("link", "RENDER") returning true.
Who should be calling MyPageLink.setSecurityCheck()? Me? I'm not sure what
I should be passing to it?
Any suggestions?
TIA!
Chris
--
------------------------------------------------------------------------ -
Chris Merrill | Web Performance, Inc.
chris@webperformance.com | http://webperformance.com
919-433-1762 | 919-845-7601
Website Load Testing and Stress Testing Software & Services
------------------------------------------------------------------------ -
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: getting started with swarm/wasp - rendering links to secure pages
Posted by Warren Bell <wa...@gmail.com>.
Try securing the link on your HomePage and do not secure the HomePage
itself. The link has to implement ISecureComponent.
Add the permission for the link to your "basic" principal.
org.apache.wicket.security.hive.authorization.SimplePrincipal "basic"
{
//Permission for link on HomePage
permission
org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
"com.webperformance.portal.web.HomePage:securelinktopage2", "inherit, render", "enable";
permission
org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
"com.webperformance.portal.web.Page2", "inherit, render";
permission
org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
"com.webperformance.portal.web.Page2", "enable";
};
Warren
Luca Provenzani wrote:
> i don't think it is possible to do... because HomePage isn't a secure page
> and then it's not under swarm control when it's rendered.
> i'm afraid that you have to do by your hand...
>
> but i'm not an expert! ;-)
>
> Luca
>
> 2009/6/9 Christopher L Merrill <ch...@webperformance.com>
>
>
>> I have a question about rendering of links to secure pages when the user
>> has not
>> been authenticated.
>>
>> Based on this line from the tutorial:
>> "In addition we granted links to our homepage the right to be clicked
>> (enable)."
>> I expected the link to either be non-visible or non-clickable - since I did
>> not grant the
>> enable permission for this page until login. The link is enabled (though
>> the user is
>> redirected to the login page when clicked).
>>
>>
>>
>> I've made my way through the getting-started guide
>> (
>> http://wicketstuff.org/confluence/display/STUFFWIKI/Getting+started+with+Swarm
>> )
>> and have a simple example working in my prototype. I have 3 pages:
>> - HomePage (non-secure)
>> - LoginPage (non-secure...obviously)
>> - Page2 (secure)
>>
>> My authorization file looks like this:
>>
>> grant principal
>> org.apache.wicket.security.hive.authorization.SimplePrincipal "basic"
>> {
>> permission
>> org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
>> "com.webperformance.portal.web.Page2", "inherit, render";
>> permission
>> org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
>> "com.webperformance.portal.web.Page2", "enable";
>> };
>>
>> When the user logs in, they get the "basic" principal via a
>> UsernamePasswordContext.
>>
>> I have a link from the HomePage to Page2 (secure page). When the HomePage
>> renders and the
>> user had not logged in, the link is enabled. Clicking the link does not
>> take the user to
>> the page - it takes them to the login page. I was expecting the link to be
>> disabled - so
>> you don't even get the clickable cursor for it. Am I simply mistaken in my
>> understanding
>> of what "right to be clicked" means? Or have I missed some crucial bit
>> somewhere to allow
>> it to function as I expected?
>>
>> If user is not authorized for an action, we will either want links to be
>> disabled (i.e. non-
>> clickable) or be not rendered at all...depending on the context. Is this
>> something that
>> should be done via wasp/swarm or should I be doing this manually during
>> page construction?
>>
>>
>> TIA!
>> Chris
>>
>>
>> --
>> ------------------------------------------------------------------------ -
>> Chris Merrill | Web Performance, Inc.
>> chris@webperformance.com | http://webperformance.com
>> 919-433-1762 | 919-845-7601
>>
>> Website Load Testing and Stress Testing Software & Services
>> ------------------------------------------------------------------------ -
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>> For additional commands, e-mail: users-help@wicket.apache.org
>>
>>
>>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: getting started with swarm/wasp - rendering links to secure pages
Posted by Luca Provenzani <eu...@gmail.com>.
i don't think it is possible to do... because HomePage isn't a secure page
and then it's not under swarm control when it's rendered.
i'm afraid that you have to do by your hand...
but i'm not an expert! ;-)
Luca
2009/6/9 Christopher L Merrill <ch...@webperformance.com>
> I have a question about rendering of links to secure pages when the user
> has not
> been authenticated.
>
> Based on this line from the tutorial:
> "In addition we granted links to our homepage the right to be clicked
> (enable)."
> I expected the link to either be non-visible or non-clickable - since I did
> not grant the
> enable permission for this page until login. The link is enabled (though
> the user is
> redirected to the login page when clicked).
>
>
>
> I've made my way through the getting-started guide
> (
> http://wicketstuff.org/confluence/display/STUFFWIKI/Getting+started+with+Swarm
> )
> and have a simple example working in my prototype. I have 3 pages:
> - HomePage (non-secure)
> - LoginPage (non-secure...obviously)
> - Page2 (secure)
>
> My authorization file looks like this:
>
> grant principal
> org.apache.wicket.security.hive.authorization.SimplePrincipal "basic"
> {
> permission
> org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
> "com.webperformance.portal.web.Page2", "inherit, render";
> permission
> org.apache.wicket.security.hive.authorization.permissions.ComponentPermission
> "com.webperformance.portal.web.Page2", "enable";
> };
>
> When the user logs in, they get the "basic" principal via a
> UsernamePasswordContext.
>
> I have a link from the HomePage to Page2 (secure page). When the HomePage
> renders and the
> user had not logged in, the link is enabled. Clicking the link does not
> take the user to
> the page - it takes them to the login page. I was expecting the link to be
> disabled - so
> you don't even get the clickable cursor for it. Am I simply mistaken in my
> understanding
> of what "right to be clicked" means? Or have I missed some crucial bit
> somewhere to allow
> it to function as I expected?
>
> If user is not authorized for an action, we will either want links to be
> disabled (i.e. non-
> clickable) or be not rendered at all...depending on the context. Is this
> something that
> should be done via wasp/swarm or should I be doing this manually during
> page construction?
>
>
> TIA!
> Chris
>
>
> --
> ------------------------------------------------------------------------ -
> Chris Merrill | Web Performance, Inc.
> chris@webperformance.com | http://webperformance.com
> 919-433-1762 | 919-845-7601
>
> Website Load Testing and Stress Testing Software & Services
> ------------------------------------------------------------------------ -
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>