Posted to users@wicket.apache.org by Jesse Long <jp...@unknown.za.net> on 2012/12/10 17:04:45 UTC

Redirect to login page on UnauthorizedActionException(Page,RENDER)

Hi All,

I am using the authorization strategy to authorize viewing of pages by 
checking if instantiation is allowed. If the session is not 
authenticated, and if instantiation is not allowed, I redirect the user 
to a login page using an IUnauthorizedComponentInstantiationListener.

I also check if the RENDER action is allowed using the authorization 
strategy. At the moment, if the user tries to view a Page which he is 
allowed to instantiate, but where the authorization strategy denies 
RENDER permission (permissions configured for render/enable, but not for 
instantiation), he gets an AccessDenied page. In these situations, I also 
want to redirect the user to a login page if the session is not 
authenticated.

Would IExceptionMapper be the correct place to do this? If so, could we 
make DefaultExceptionMapper a bit easier to extend please?

Thanks,
Jesse

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


RE: Redirect to login page on UnauthorizedActionException(Page,RENDER)

Posted by Paul Bors <pa...@bors.ws>.
Cool, so if I understand your use-case correctly you want to redirect the
user to the log-in page when a component on a page should be protected. And
you're running this logic at the RENDER or ENABLE stages for each of your
components.

I opted not to do so because of performance reasons. I'd rather protect the
entire page/tab.

For individual components I used Behaviors that either hide/disable a
panel/form field since I didn't have that many of them.

I would advise you against copying and pasting the current implementation of
a Wicket class as down the road it'll be harder for you to upgrade Wicket. I
went through that pain once when I had to re-implement some specific
application logic because former developers of the product resorted to
a similar solution.

Perhaps you should consider looking at how other Wicket
authentication/authorization frameworks achieve a similar feature and
"steal" their ideas.

Try taking a look at Wicket Shiro or Wicket Security, do they not offer a
similar solution?
(I'm not sure as I had to maintain our own legacy implementation).

http://wicket.apache.org/learn/projects/authroles.html

~ Thank you,
  Paul Bors

-----Original Message-----
From: Jesse Long [mailto:jpl@unknown.za.net] 
Sent: Tuesday, December 11, 2012 12:53 PM
To: users@wicket.apache.org
Subject: Re: Redirect to login page on
UnauthorizedActionException(Page,RENDER)

Hi Paul,

Thanks for the reply. I think you are misunderstanding me. I have my
instantiation authorization working perfectly the way I want it. I now want
my action (RENDER or ENABLE) authorization to work the same way.

IAuthorizationStrategy says yes or no to instantiations and actions.

If the question was instantiation and the answer was no, then
IUnauthorizedComponentInstantiationListener can make a decision to possibly
redirect to a login page.

If the question was action and the answer was no, then an
UnauthorizedActionException is thrown. The IExceptionMapper is asked about
what to do with the exception, and an access denied page is shown.

I don't think the IAuthorizationStrategy is the right place to be throwing
a redirect exception. If it was, the return type would be void and it
would either work or throw an exception. Also, it seems a shame to limit the
use of IAuthorizationStrategy to components involved in the current request
cycle, as would be the case if IAuthorizationStrategy threw redirect
exceptions. You would not be able to get a target page/page class, check
permissions, and enable/disable a link based on the answer.

Seems to me IExceptionMapper should make decisions about what to do, but the
default implementation is very unfriendly towards being extended. 
Either that, or we need something like an IUnauthorizedActionListener.

For now I'm just going ahead with IExceptionMapper, copy and paste
DefaultExceptionMapper...

Cheers,
Jesse



Re: Redirect to login page on UnauthorizedActionException(Page,RENDER)

Posted by Jesse Long <jp...@unknown.za.net>.
Hi Paul,

Thanks for the reply. I think you are misunderstanding me. I have my 
instantiation authorization working perfectly the way I want it. I now 
want my action (RENDER or ENABLE) authorization to work the same way.

IAuthorizationStrategy says yes or no to instantiations and actions.

If the question was instantiation and the answer was no, then 
IUnauthorizedComponentInstantiationListener can make a decision to 
possibly redirect to a login page.

If the question was action and the answer was no, then an 
UnauthorizedActionException is thrown. The IExceptionMapper is asked 
about what to do with the exception, and an access denied page is shown.

I don't think the IAuthorizationStrategy is the right place to be 
throwing a redirect exception. If it was, the return type would be void 
and it would either work or throw an exception. Also, it seems a 
shame to limit the use of IAuthorizationStrategy to components involved 
in the current request cycle, as would be the case if 
IAuthorizationStrategy threw redirect exceptions. You would not be able 
to get a target page/page class, check permissions, and enable/disable a 
link based on the answer.

Seems to me IExceptionMapper should make decisions about what to do, but 
the default implementation is very unfriendly towards being extended. 
Either that, or we need something like an IUnauthorizedActionListener.

For now I'm just going ahead with IExceptionMapper, copy and paste 
DefaultExceptionMapper...

Cheers,
Jesse

On 11/12/2012 18:28, Paul Bors wrote:
> Maybe this helps you a bit more...
>
> I have my own CompoundAuthorizationStrategy that in turn uses a few nested
> IAuthorizationStrategy and one of them throws
> RestartResponseAtInterceptPageException depending on the condition inside
> isInstantiationAuthorized() similar to:
>
> public boolean isInstantiationAuthorized(Class componentClass) {
>      MySession session = MySession.session();
>      ...
>      // Page is the parent of all protected pages
>      if(componentClass.getAnnotation(Authenticate.class) != null) {
>          User user = session.getUser();
>          if(user == null) {
>              throw new RestartResponseAtInterceptPageException(
>                      MyApplication.myApp().getSignInPageClass());
>          }
>      }
>      ...
> }
>
> For the above code I have my pages annotated with my own Authenticate but I
> think you should be able to check the type of the componentClass for what
> you want, etc.
>
> ~ Thank you,
>    Paul Bors


RE: Redirect to login page on UnauthorizedActionException(Page,RENDER)

Posted by Paul Bors <pa...@bors.ws>.
Maybe this helps you a bit more...

I have my own CompoundAuthorizationStrategy that in turn uses a few nested
IAuthorizationStrategy and one of them throws
RestartResponseAtInterceptPageException depending on the condition inside
isInstantiationAuthorized() similar to:

public boolean isInstantiationAuthorized(Class componentClass) {
    MySession session = MySession.session();
    ...
    // Page is the parent of all protected pages
    if(componentClass.getAnnotation(Authenticate.class) != null) {
        User user = session.getUser();
        if(user == null) {
            // No signed-in user: go to the sign-in page and remember the
            // page that was originally requested
            throw new RestartResponseAtInterceptPageException(
                    MyApplication.myApp().getSignInPageClass());
        }
    }
    ...
}

For the above code I have my pages annotated with my own Authenticate but I
think you should be able to check the type of the componentClass for what
you want, etc.

~ Thank you,
  Paul Bors

-----Original Message-----
From: Jesse Long [mailto:jpl@unknown.za.net] 
Sent: Tuesday, December 11, 2012 2:30 AM
To: users@wicket.apache.org
Subject: Re: Redirect to login page on
UnauthorizedActionException(Page,RENDER)

Hi Paul,

Thanks for the reply. Yes, I only want to redirect to a login page on
UnauthorizedActionException when the component is an instance of Page and
the action is RENDER and when the session is not authenticated, so a custom
access denied page is not exactly what I'm looking for, but I could probably
make it work.

Cheers,
Jesse



Re: Redirect to login page on UnauthorizedActionException(Page,RENDER)

Posted by Jesse Long <jp...@unknown.za.net>.
Hi Paul,

Thanks for the reply. Yes, I only want to redirect to a login page on 
UnauthorizedActionException when the component is an instance of Page 
and the action is RENDER and when the session is not authenticated, so a 
custom access denied page is not exactly what I'm looking for, but I 
could probably make it work.

Cheers,
Jesse

On 10/12/2012 19:40, Paul Bors wrote:
> Do you want to redirect to the Login page for all "thrown" AccessDenied
> exceptions? Or just in some situations?
>
> If you want to do it for all, then create your own WebPage for
> AccessDeniedPage such as:
>
> public class AccessDeniedPage extends WebPage {
>      private static final long serialVersionUID = 1L;
>      
>      public AccessDeniedPage() {
>          Session.get().warn(new ResourceModel("access.denied").getObject());
>          throw new RestartResponseException(Application.get().getLoginPage());
>      }
> }
>
> And inside your Application class in your init():
>
> @Override
> protected void init() {
>      ...
>      IApplicationSettings applicationSettings = getApplicationSettings();
>      applicationSettings.setAccessDeniedPage(AccessDeniedPage.class);
>      ...
> }
>
> There are other such exceptions which you can assign your own page
> implementation, see the API for IApplicationSettings.
>
> As for redirecting the user to your custom AccessDenied page (the LoginPage)
> only under a few circumstances, I haven't run into that need yet so someone
> else could help you if you really need to do that.
>
> ~ Thank you,
>    Paul Bors


RE: Redirect to login page on UnauthorizedActionException(Page,RENDER)

Posted by Paul Bors <pa...@bors.ws>.
Do you want to redirect to the Login page for all "thrown" AccessDenied
exceptions? Or just in some situations?

If you want to do it for all, then create your own WebPage for
AccessDeniedPage such as:

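public class AccessDeniedPage extends WebPage {
    private static final long serialVersionUID = 1L;
    
    public AccessDeniedPage() {
        // Session-level feedback message, so it survives the redirect
        Session.get().warn(new ResourceModel("access.denied").getObject());
        // getLoginPage() is not a method of Wicket's Application class; it is
        // assumed here to be provided by your own application class
        throw new RestartResponseException(Application.get().getLoginPage());
    }
}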

And inside your Application class in your init():

@Override
protected void init() {
    ...
    IApplicationSettings applicationSettings = getApplicationSettings();
    applicationSettings.setAccessDeniedPage(AccessDeniedPage.class);
    ...
}

There are other such exceptions which you can assign your own page
implementation, see the API for IApplicationSettings.

As for redirecting the user to your custom AccessDenied page (the LoginPage)
only under a few circumstances, I haven't run into that need yet so someone
else could help you if you really need to do that.

~ Thank you,
  Paul Bors

-----Original Message-----
From: Jesse Long [mailto:jpl@unknown.za.net] 
Sent: Monday, December 10, 2012 11:05 AM
To: users@wicket.apache.org
Subject: Redirect to login page on UnauthorizedActionException(Page,RENDER)

Hi All,

I am using the authorization strategy to authorize viewing of pages by
checking if instantiation is allowed. If the session is not authenticated,
and if instantiation is not allowed, I redirect the user to a login page
using an IUnauthorizedComponentInstantiationListener.

I also check if the RENDER action is allowed using the authorization
strategy. At the moment, if the user tries to view a Page which he is
allowed to instantiate, but where the authorization strategy denies RENDER
permission (permissions configured for render/enable, but not for
instantiation), he gets an AccessDenied page. In these situations, I also
want to redirect the user to a login page if the session is not
authenticated.

Would IExceptionMapper be the correct place to do this? If so, could we make
DefaultExceptionMapper a bit easier to extend please?

Thanks,
Jesse
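
Added example (not part of any post in this thread, and not Wicket's own code): one way to get the behaviour Jesse asks for without copying DefaultExceptionMapper is a delegating IExceptionMapper that handles only the Page/RENDER/unauthenticated case and passes everything else on. It assumes Wicket 6 package names; LoginRedirectExceptionMapper, isAuthenticated() and SignInPage are hypothetical names.

```java
import org.apache.wicket.DefaultExceptionMapper;
import org.apache.wicket.Page;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.UnauthorizedActionException;
import org.apache.wicket.core.request.handler.PageProvider;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
import org.apache.wicket.request.IExceptionMapper;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.util.lang.Exceptions;

/**
 * Hypothetical mapper: sends an unauthenticated visitor to the login page
 * when RENDER was denied on a Page; every other case is left to Wicket's
 * DefaultExceptionMapper, so an authenticated user who lacks the permission
 * still gets the access denied page.
 */
public abstract class LoginRedirectExceptionMapper implements IExceptionMapper {

    // Delegate instead of subclassing or copying the default implementation.
    private final IExceptionMapper fallback = new DefaultExceptionMapper();
    private final Class<? extends Page> loginPage;

    protected LoginRedirectExceptionMapper(Class<? extends Page> loginPage) {
        this.loginPage = loginPage;
    }

    /** Hypothetical hook: what "authenticated" means depends on your Session class. */
    protected abstract boolean isAuthenticated();

    @Override
    public IRequestHandler map(Exception e) {
        // The exception may arrive wrapped, so search the cause chain.
        UnauthorizedActionException denied =
                Exceptions.findCause(e, UnauthorizedActionException.class);
        if (denied != null && shouldRedirectToLogin(denied)) {
            return new RenderPageRequestHandler(new PageProvider(loginPage));
        }
        return fallback.map(e);
    }

    private boolean shouldRedirectToLogin(UnauthorizedActionException denied) {
        Action action = denied.getAction();
        return denied.getComponent() instanceof Page       // a Page, not a child component
                && action != null
                && Action.RENDER.equals(action.getName())  // RENDER only, not ENABLE
                && !isAuthenticated();                      // signed-in users are not redirected
    }
}

/*
 * Registration, in your WebApplication subclass (SignInPage is a hypothetical
 * page class; MySession.session().getUser() is borrowed from Paul's snippet):
 *
 *   @Override
 *   public IProvider<IExceptionMapper> getExceptionMapperProvider() {
 *       return new IProvider<IExceptionMapper>() {
 *           public IExceptionMapper get() {
 *               return new LoginRedirectExceptionMapper(SignInPage.class) {
 *                   protected boolean isAuthenticated() {
 *                       return MySession.session().getUser() != null;
 *                   }
 *               };
 *           }
 *       };
 *   }
 */
```

Because the authorization strategy still only answers yes or no, it stays usable outside the current request cycle, for example to enable or disable a link to a target page.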
