You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@wicket.apache.org by Arjun Dhar <dh...@yahoo.com> on 2012/09/03 15:33:18 UTC
Wicket Ajax and Session expiry
Hi,
I have implemented authentication on my Wicket Pages by them extending a
Base Class that checks the session.
Those pages also add Panels and Ajax components. Its been really long but I
have forgotten if how Ajax requests works with sessions.
Also, I want to intercept it and re-direct it to a custom page; it seems to
be going to the default landing page of the site. I have not put any code
for this.
Does it use some error-page in web.xml to determine the path?
If I have a page that requires no Session and one which requires a session;
how will it differentiate.
Currently I cant find the code that makes any Ajax bind to the session so
where is this magic happening?
I have to go back and debug stuff, help appreciated to shorten this. I think
there is a some magic ... which is scary when you have to go back a year
later!
thanks
-----
Software documentation is like sex: when it is good, it is very, very good; and when it is bad, it is still better than nothing!
--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-Ajax-and-Session-expiry-tp4651715.html
Sent from the Users forum mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: Wicket Ajax and Session expiry
Posted by Martin Grigorov <mg...@apache.org>.
Hi,
The real problem is that IAuthorizationStrategy uses
IComponentInstantiationListener (note: *instantiation*).
This works OK for Page in your case because you use it for the check.
When a non-Page component is being instantiated it still doesn't know
about its immediate parent, nor the Page it is in.
You logic seems to be broken since day 1.
You can fix this by rolling out a authorization strategy that use
IComponentInitializationListener (called on #onInitialize()). This way
it will work.
On Tue, Sep 4, 2012 at 4:27 AM, Arjun Dhar <dh...@yahoo.com> wrote:
> BTW this code is on Wicket 1.4 (just FYI)
>
> There seems to be a slight complication when protecting components in a
> hierarchy.
>
> I have protected some pages/Web-Components by marking them as protected via
> Annotation / Marker Interfaces. In the following code of an impl of
> IAuthorizationStrategy, the code gets the list of Protected
> components/classes getPageTypesProtected().
>
>
>
> ..this works well for the components it is intended to protect. However it
> interferes with the construction hierarchy of the components. Example: if
> there is an AjaxLink somewhere in a Page that is Protected by the code
> above, then there is some issue and it gets redirected to landing page
> instead of login page.
> Ideally what I would want is using "component.findParent(Page.class)"; get
> the Page the Link is on. But in the event Auth failed on the page, this
> comes null and the code has no way of knowing if the component is on which
> page.
>
> Also unlike protecting pages by annotating them, I cant do this a at a link
> Level; so I have to know where the link sits. Logically if the LINK is ON a
> Protected COMPONENT then it itself inherits the PROTECTION --- Clean Magic
> and Logic. But I cant seem to perfect this :(
>
> I tried to code the AjaxLink Auth in "public boolean
> isActionAuthorized(Component component, Action action) " instead, but in
> vain. Looks like Wicket component construction hierarchy prevents the page
> from being constructed in the first place, so I have no way of knowing where
> my AjaxLink sits if the page itself is un-authorized.
>
> However on processing the link, instead of invoking the page protection
> mechanism it just dies.
>
>
>
> -----
> Software documentation is like sex: when it is good, it is very, very good; and when it is bad, it is still better than nothing!
> --
> View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-Ajax-and-Session-expiry-tp4651715p4651724.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: Wicket Ajax and Session expiry
Posted by Arjun Dhar <dh...@yahoo.com>.
BTW this code is on Wicket 1.4 (just FYI)
There seems to be a slight complication when protecting components in a
hierarchy.
I have protected some pages/Web-Components by marking them as protected via
Annotation / Marker Interfaces. In the following code of an impl of
IAuthorizationStrategy, the code gets the list of Protected
components/classes getPageTypesProtected().
..this works well for the components it is intended to protect. However it
interferes with the construction hierarchy of the components. Example: if
there is an AjaxLink somewhere in a Page that is Protected by the code
above, then there is some issue and it gets redirected to landing page
instead of login page.
Ideally what I would want is using "component.findParent(Page.class)"; get
the Page the Link is on. But in the event Auth failed on the page, this
comes null and the code has no way of knowing if the component is on which
page.
Also unlike protecting pages by annotating them, I cant do this a at a link
Level; so I have to know where the link sits. Logically if the LINK is ON a
Protected COMPONENT then it itself inherits the PROTECTION --- Clean Magic
and Logic. But I cant seem to perfect this :(
I tried to code the AjaxLink Auth in "public boolean
isActionAuthorized(Component component, Action action) " instead, but in
vain. Looks like Wicket component construction hierarchy prevents the page
from being constructed in the first place, so I have no way of knowing where
my AjaxLink sits if the page itself is un-authorized.
However on processing the link, instead of invoking the page protection
mechanism it just dies.
-----
Software documentation is like sex: when it is good, it is very, very good; and when it is bad, it is still better than nothing!
--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-Ajax-and-Session-expiry-tp4651715p4651724.html
Sent from the Users forum mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: Wicket Ajax and Session expiry
Posted by Martin Grigorov <mg...@apache.org>.
On Mon, Sep 3, 2012 at 4:27 PM, Arjun Dhar <dh...@yahoo.com> wrote:
> Yess!
>
> I found the an implementation of IAuthorizationStrategy and in the Site
> Application I do:
> getSecuritySettings().setAuthorizationStrategy(authStrategy);
>
> I built an Annotation, where all pages using that annotation are mapped to
> the Authorization Strategy. Its all come back on that front thanks.
>
> However, the Auth Strategy is on the WebPage's. How are the Ajax Links and
> components protected?
public void onUnauthorizedInstantiation(Component component) {
As you see it is actually on Component, rather than on a Page.
> Furthermore I have :
>
>
> ..The redirection works well for Web-Pages, but for Ajax calls on failure
> goes to Site landing page which is not consistent with the code above.
>
> So on the Ajax Front I'm still not clear.
Attach the debugger and see what happens.
>
>
>
> -----
> Software documentation is like sex: when it is good, it is very, very good; and when it is bad, it is still better than nothing!
> --
> View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-Ajax-and-Session-expiry-tp4651715p4651717.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: Wicket Ajax and Session expiry
Posted by Arjun Dhar <dh...@yahoo.com>.
Yess!
I found the an implementation of IAuthorizationStrategy and in the Site
Application I do:
getSecuritySettings().setAuthorizationStrategy(authStrategy);
I built an Annotation, where all pages using that annotation are mapped to
the Authorization Strategy. Its all come back on that front thanks.
However, the Auth Strategy is on the WebPage's. How are the Ajax Links and
components protected?
Furthermore I have :
..The redirection works well for Web-Pages, but for Ajax calls on failure
goes to Site landing page which is not consistent with the code above.
So on the Ajax Front I'm still not clear.
-----
Software documentation is like sex: when it is good, it is very, very good; and when it is bad, it is still better than nothing!
--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-Ajax-and-Session-expiry-tp4651715p4651717.html
Sent from the Users forum mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: Wicket Ajax and Session expiry
Posted by Martin Grigorov <mg...@apache.org>.
Hi,
On Mon, Sep 3, 2012 at 3:33 PM, Arjun Dhar <dh...@yahoo.com> wrote:
> Hi,
> I have implemented authentication on my Wicket Pages by them extending a
> Base Class that checks the session.
Where exactly is this check ?
Do you use IAuthorizationStrategy ? Check it. This is what you need.
>
> Those pages also add Panels and Ajax components. Its been really long but I
> have forgotten if how Ajax requests works with sessions.
Yes, Ajax requests are like non-Ajax ones.
>
> Also, I want to intercept it and re-direct it to a custom page; it seems to
> be going to the default landing page of the site. I have not put any code
> for this.
> Does it use some error-page in web.xml to determine the path?
>
> If I have a page that requires no Session and one which requires a session;
> how will it differentiate.
> Currently I cant find the code that makes any Ajax bind to the session so
> where is this magic happening?
>
> I have to go back and debug stuff, help appreciated to shorten this. I think
> there is a some magic ... which is scary when you have to go back a year
> later!
>
> thanks
>
>
>
> -----
> Software documentation is like sex: when it is good, it is very, very good; and when it is bad, it is still better than nothing!
> --
> View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-Ajax-and-Session-expiry-tp4651715.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org