Posted to users@wicket.apache.org by Tom Eicher <to...@teicher.net> on 2013/03/12 23:03:30 UTC

how to setup call context for every request

Hello,

I am using JAAS to secure my EJB layer in JBoss AS7,
which is called from wicket 6, by adding a 
org.jboss.security.ClientLoginModule for every request.

This works nicely for page requests, I have built a setupJAAS()
method that is called from my BasePage.

However the wicket callbacks, onClick() et al., do of
course not go through the basepage constructor, and thus
fail the JAAS check.

What would be the best place to plug my setupJAAS()
into EVERY request, be it a page request, callback or
AJAX request (and what else there might be ;-) ?

I tried
@Override
public WebRequest newWebRequest(HttpServletRequest servletRequest, final 
String filterPath)
but at that point, the Session is not yet set up, and my
Session.get() complains
org.apache.wicket.util.lang.Args.notNull(Args.java:41)
org.apache.wicket.Application.fetchCreateAndSetSession(Application.java:1552)
org.apache.wicket.Session.get(Session.java:152)

I do however need the Session() to retrieve the user and his/her
roles, so I can set up the JAAS.

There must be many ways to do this, most of them probably wrong, so
I thought I'd better ask here. ;-)
Please note that I want to setup JAAS only once per request, since I 
need to perform a lookup and a database query for it...

Input mostly appreciated...

Cheers, Tom.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: how to setup call context for every request

Posted by Tom Eicher <ro...@teicher.net>.
Reposting to the list (sorry Martin ;-) in hope for
feedback on @RequestScoped Wicket-CDI vs EJB... :

> [...about setting up stuff to propagate user/session/JAAS
> info from the wicket web layer to a JBoss AS7 EJB...]
>
> You can use IRequestCycleListener#onBeginRequest().

Thanks for the suggestion - but I just put the whole JAAS idea in
the bin, it's just too much crappy and proprietary code for what
it's worth.

Now, I just built my own @SessionScoped "call context" in the
web layer (Wicket WebPage constructor), and check it with a standard
default EJB interceptor at the ejb layer (which @Inject's the "call
context").

Since I used SessionScoped, not RequestScoped, all calls in-between
the page class (which sets the "call context") like AJAX, onClick()s
etc still have the instance from the previous "full page request"
available.

Is there anything fundamentally wrong with my approach ?
Any security issues, race conditions, threadsafety, ... ?

There is not too much current info about using Wicket with the
lesser known CDI/Weld scope stuff around ...
...@RequestScoped is supposed to work for
Wicket6/wicket-cdi-6.4/Tomcat7, right ?

(And looks ok, but not heavily concurrently tested of course...)

Cheers, Tom.





Re: Re: how to setup call context for every request

Posted by Martin Grigorov <mg...@apache.org>.
Hi Tom,

Please post to the mailing lists. The chance to get an answer is bigger ;-)

Check Igor's series about Wicket-CDI at
https://www.42lines.net/category/blog/software-engineering/
You may need the conversation scope.


On Wed, Mar 13, 2013 at 11:59 PM, Tom Eicher <to...@teicher.net> wrote:

> Hey Martin,
>
> > [...about setting up stuff to propagate user/session/JAAS
> > info from the wicket web layer to a JBoss AS7 EJB...]
> >
>
>> You can use IRequestCycleListener#onBeginRequest().
>>
>
> Thanks for the suggestion - but I just put the whole JAAS idea in
> the bin, it's just too much crappy and proprietary code for what
> it's worth.
>
> Now, I just built my own @SessionScoped "call context" in the
> web layer (Wicket WebPage constructor), and check it with a standard
> default EJB interceptor at the ejb layer (which @Inject's the "call
> context").
>
> Since I used SessionScoped, not RequestScoped, all calls in-between
> the page class (which sets the "call context") like AJAX, onClick()s
> etc still have the instance from the previous "full page request"
> available.
>
> Is there anything fundamentally wrong with my approach ?
> Any security issues, race conditions, threadsafety, ... ?
>
> There is not too much current info about using Wicket with the
> lesser known CDI/Weld scope stuff around ...
> ...@RequestScoped is supposed to work for
> Wicket6/wicket-cdi-6.4/Tomcat7, right ?
>
> (And looks ok, but not heavily concurrently tested of course...)
>
> Cheers, Tom.
>
>
>


-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com <http://jweekend.com/>

Re: how to setup call context for every request

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

The Session may not be there even later.
Session.get() will create a temporary session for the current request,
unless you do session.bind() to make it available for all following
requests.
Use Session.exists() to check whether a temporary or bound one is available
at all.
You can use IRequestCycleListener#onBeginRequest().
But what should you do when the user is not authenticated? I guess you
will throw some exception. Depending on where you throw it, Wicket may or may
not be able to catch it and thus show or not show a proper error page.



On Tue, Mar 12, 2013 at 11:03 PM, Tom Eicher <to...@teicher.net> wrote:

> Hello,
>
> I am using JAAS to secure my EJB layer in JBoss AS7,
> which is called from wicket 6, by adding a
> org.jboss.security.ClientLoginModule for every request.
>
> This works nicely for page requests, I have built a setupJAAS()
> method that is called from my BasePage.
>
> However the wicket callbacks, onClick() et al., do of
> course not go through the basepage constructor, and thus
> fail the JAAS check.
>
> What would be the best place to plug my setupJAAS()
> into EVERY request, be it a page request, callback or
> AJAX request (and what else there might be ;-) ?
>
> I tried
> @Override
> public WebRequest newWebRequest(HttpServletRequest servletRequest,
> final String filterPath)
> but at that point, the Session is not yet set up, and my
> Session.get() complains
> org.apache.wicket.util.lang.Args.notNull(Args.java:41)
> org.apache.wicket.Application.fetchCreateAndSetSession(Application.java:1552)
> org.apache.wicket.Session.get(Session.java:152)
>
> I do however need the Session() to retrieve the user and his/her
> roles, so I can set up the JAAS.
>
> There must be many ways to do this, most of them probably wrong, so
> I thought I'd better ask here. ;-)
> Please note that I want to setup JAAS only once per request, since I need
> to perform a lookup and a database query for it...
>
> Input mostly appreciated...
>
> Cheers, Tom.
>
>
>
>
>
>


-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com <http://jweekend.com/>
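
The IRequestCycleListener#onBeginRequest() suggestion from this thread, sketched as an added example that is not part of any poster's message or of Wicket itself. `MySession` and `CallContext` are hypothetical names, and the sketch assumes the EJB-side check runs on the same thread as the web request (a local, in-JVM call).

```java
import java.util.Collections;
import java.util.Set;
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;

/** Hypothetical session subclass; the login code would set user and roles once. */
class MySession extends WebSession {
    volatile String userName;                         // null until authenticated
    volatile Set<String> roles = Collections.<String>emptySet();
    MySession(Request request) { super(request); }
}

/** Hypothetical per-thread holder that the EJB-side check would read. */
final class CallContext {
    private static final ThreadLocal<CallContext> CURRENT = new ThreadLocal<CallContext>();
    final String user;
    final Set<String> roles;
    private CallContext(String user, Set<String> roles) {
        this.user = user;
        this.roles = Collections.unmodifiableSet(roles);
    }
    static void set(String user, Set<String> roles) { CURRENT.set(new CallContext(user, roles)); }
    static CallContext get() { return CURRENT.get(); }    // null means anonymous
    static void clear() { CURRENT.remove(); }
}

/** Invoked for page, callback (onClick) and AJAX requests alike. */
public class CallContextListener extends AbstractRequestCycleListener {
    @Override
    public void onBeginRequest(RequestCycle cycle) {
        CallContext.clear();              // never inherit a pooled thread's previous identity
        if (!Session.exists()) {
            return;                       // no session for this request: stay anonymous
        }
        MySession session = (MySession) Session.get();
        if (session.userName != null) {   // unauthenticated users get no context; the EJB layer denies
            CallContext.set(session.userName, session.roles);
        }
    }
    @Override
    public void onEndRequest(RequestCycle cycle) {
        CallContext.clear();              // worker threads are reused across users
    }
}
```

Register it with `getRequestCycleListeners().add(new CallContextListener())` in the application's `init()`, and return `MySession` from `newSession()`. Leaving the context empty for unauthenticated requests, rather than throwing in the listener, lets the business layer reject the call at a point where Wicket can still render an error page.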