Posted to commits@wicket.apache.org by mg...@apache.org on 2013/06/17 11:31:39 UTC
git commit: WICKET-5012 Implement authorization for resources
Updated Branches:
refs/heads/5012-authorize-resources [created] 88b5d5cb4
WICKET-5012 Implement authorization for resources
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/88b5d5cb
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/88b5d5cb
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/88b5d5cb
Branch: refs/heads/5012-authorize-resources
Commit: 88b5d5cb482bc7bb22e2ceb9503e5056b0e89572
Parents: faaae8d
Author: Martin Tzvetanov Grigorov <mg...@apache.org>
Authored: Mon Jun 17 11:31:08 2013 +0200
Committer: Martin Tzvetanov Grigorov <mg...@apache.org>
Committed: Mon Jun 17 11:31:08 2013 +0200
----------------------------------------------------------------------
.../role/AbstractRoleAuthorizationStrategy.java | 4 +-
.../authorization/IAuthorizationStrategy.java | 31 ++++++++--
.../IUnauthorizedResourceRequestListener.java | 36 ++++++++++++
.../UnauthorizedResourceRequestException.java | 61 ++++++++++++++++++++
.../CompoundAuthorizationStrategy.java | 17 +++++-
.../action/ActionAuthorizationStrategy.java | 15 +----
.../page/AbstractPageAuthorizationStrategy.java | 14 +----
.../page/SimplePageAuthorizationStrategy.java | 2 +-
.../resource/ResourceRequestHandler.java | 42 ++++++++++++--
.../wicket/settings/ISecuritySettings.java | 14 +++++
...aultUnauthorizedResourceRequestListener.java | 55 ++++++++++++++++++
.../wicket/settings/def/SecuritySettings.java | 27 ++++++++-
.../org/apache/wicket/AuthorizationTest.java | 36 ++----------
.../wicket/ajax/AjaxBehaviorEnabledTest.java | 15 +----
.../ComponentIsRenderedAllowedTest.java | 11 +---
.../markup/html/form/login/InterceptTest.java | 14 +----
.../markup/html/internal/EnclosureTest.java | 10 +---
.../redirect/intercept/InterceptTest.java | 10 +---
.../wicket/util/tester/WicketTesterTest.java | 2 +-
.../authentication1/SignInApplication.java | 11 +---
.../authentication2/SignIn2Application.java | 10 +---
.../http/handler/ErrorCodeRequestHandler.java | 2 +-
22 files changed, 290 insertions(+), 149 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authorization/strategies/role/AbstractRoleAuthorizationStrategy.java
----------------------------------------------------------------------
diff --git a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authorization/strategies/role/AbstractRoleAuthorizationStrategy.java b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authorization/strategies/role/AbstractRoleAuthorizationStrategy.java
index 4092268..ec592a3 100644
--- a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authorization/strategies/role/AbstractRoleAuthorizationStrategy.java
+++ b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authorization/strategies/role/AbstractRoleAuthorizationStrategy.java
@@ -21,11 +21,11 @@ import org.apache.wicket.util.lang.Args;
/**
* Base strategy that uses an instance of
- * {@link org.apache.wicket.authorization.strategies.role.IRoleCheckingStrategy}.
+ * {@link IRoleCheckingStrategy}.
*
* @author Eelco Hillenius
*/
-public abstract class AbstractRoleAuthorizationStrategy implements IAuthorizationStrategy
+public abstract class AbstractRoleAuthorizationStrategy extends IAuthorizationStrategy.AllowAllAuthorizationStrategy
{
/** Role checking strategy. */
private final IRoleCheckingStrategy roleCheckingStrategy;
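Review bot: Deriving `AbstractRoleAuthorizationStrategy` from `IAuthorizationStrategy.AllowAllAuthorizationStrategy` makes every check it does not override default to allow, including the new `isResourceAuthorized`. The same change is made to `ActionAuthorizationStrategy` and `AbstractPageAuthorizationStrategy` later in this commit. The diffstat shows only two changed lines for this file, so no override is added here: an application relying on role checks gets no resource protection, and any check added to the interface later is silently permitted too. At minimum the class Javadoc should say so, e.g. `Resource requests are NOT restricted by this strategy unless isResourceAuthorized is overridden.`; a stricter option is to keep `implements IAuthorizationStrategy` so each new check must be decided explicitly. The class body continues outside the hunk.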
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/authorization/IAuthorizationStrategy.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/authorization/IAuthorizationStrategy.java b/wicket-core/src/main/java/org/apache/wicket/authorization/IAuthorizationStrategy.java
index d7b53b0..e566b9e 100644
--- a/wicket-core/src/main/java/org/apache/wicket/authorization/IAuthorizationStrategy.java
+++ b/wicket-core/src/main/java/org/apache/wicket/authorization/IAuthorizationStrategy.java
@@ -18,6 +18,8 @@ package org.apache.wicket.authorization;
import org.apache.wicket.Component;
import org.apache.wicket.request.component.IRequestableComponent;
+import org.apache.wicket.request.mapper.parameter.PageParameters;
+import org.apache.wicket.request.resource.IResource;
import org.apache.wicket.settings.ISecuritySettings;
/**
@@ -33,10 +35,7 @@ import org.apache.wicket.settings.ISecuritySettings;
*/
public interface IAuthorizationStrategy
{
- /**
- * Implementation of {@link IAuthorizationStrategy} that allows everything.
- */
- public static final IAuthorizationStrategy ALLOW_ALL = new IAuthorizationStrategy()
+ public static class AllowAllAuthorizationStrategy implements IAuthorizationStrategy
{
/**
* @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
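Review bot: `AllowAllAuthorizationStrategy` is introduced as a public, non-final nested class without Javadoc; the comment that used to describe it now sits only on `ALLOW_ALL`. Because other strategies in this commit extend it, it should state its contract, for example `/** Base implementation that authorizes everything; subclasses must override every check they intend to enforce. */`. The class body continues in the next hunk.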
@@ -56,7 +55,18 @@ public interface IAuthorizationStrategy
{
return true;
}
- };
+
+ @Override
+ public boolean isResourceAuthorized(IResource resource, PageParameters pageParameters)
+ {
+ return true;
+ }
+ }
+
+ /**
+ * Implementation of {@link IAuthorizationStrategy} that allows everything.
+ */
+ public static final IAuthorizationStrategy ALLOW_ALL = new AllowAllAuthorizationStrategy();
/**
* Checks whether an instance of the given component class may be created. If this method
@@ -94,4 +104,15 @@ public interface IAuthorizationStrategy
* @see Component#RENDER
*/
boolean isActionAuthorized(Component component, Action action);
+
+ /**
+ * Checks whether a request with some parameters is allowed to a resource.
+ *
+ * @param resource
+ * The resource that should be processed
+ * @param parameters
+ * The request parameters
+ * @return {@code true} if the request to this resource is allowed.
+ */
+ boolean isResourceAuthorized(IResource resource, PageParameters parameters);
}
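Review bot: The Javadoc for `isResourceAuthorized` does not say what the caller does with a `false` result or where the parameters come from. I would add that `parameters` are taken from the incoming request and are therefore caller-controlled, and that a denial is reported to the `IUnauthorizedResourceRequestListener` configured in `ISecuritySettings`, e.g. `@return {@code false} to deny; the configured IUnauthorizedResourceRequestListener is then notified`. The implementation in `AllowAllAuthorizationStrategy` also names the second parameter `pageParameters` while the interface uses `parameters`.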
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/authorization/IUnauthorizedResourceRequestListener.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/authorization/IUnauthorizedResourceRequestListener.java b/wicket-core/src/main/java/org/apache/wicket/authorization/IUnauthorizedResourceRequestListener.java
new file mode 100644
index 0000000..6efbeeb
--- /dev/null
+++ b/wicket-core/src/main/java/org/apache/wicket/authorization/IUnauthorizedResourceRequestListener.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.authorization;
+
+import org.apache.wicket.request.mapper.parameter.PageParameters;
+import org.apache.wicket.request.resource.IResource;
+
+/**
+ * A listener that is notified when a request to some resource is not allowed.
+ */
+public interface IUnauthorizedResourceRequestListener
+{
+ /**
+ * Called when a request to a given resource is not allowed
+ *
+ * @param resource
+ * The requested resource which processing is not allowed
+ * @param parameters
+ * The request parameters
+ */
+ void onUnauthorizedRequest(IResource resource, PageParameters parameters);
+}
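Review bot: The Javadoc of `onUnauthorizedRequest` leaves open whether an implementation has to stop the request itself. `ResourceRequestHandler.authorize()` in this commit carries on after the call returns, so the contract matters: add something like `Implementations must prevent the resource from being served, e.g. by scheduling an error response or throwing an exception.` Also, `which processing` in the `@param resource` text should read `whose processing`.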
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/authorization/UnauthorizedResourceRequestException.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/authorization/UnauthorizedResourceRequestException.java b/wicket-core/src/main/java/org/apache/wicket/authorization/UnauthorizedResourceRequestException.java
new file mode 100644
index 0000000..6140a08
--- /dev/null
+++ b/wicket-core/src/main/java/org/apache/wicket/authorization/UnauthorizedResourceRequestException.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.authorization;
+
+import org.apache.wicket.request.mapper.parameter.PageParameters;
+import org.apache.wicket.request.resource.IResource;
+
+/**
+ * Exception that is thrown when a request to a resource is not allowed.
+ *
+ * @author Eelco Hillenius
+ * @author Jonathan Locke
+ */
+public class UnauthorizedResourceRequestException extends AuthorizationException
+{
+ private static final long serialVersionUID = 1L;
+
+ private final IResource resource;
+
+ private final PageParameters parameters;
+
+ /**
+ * Construct.
+ *
+ * @param resource
+ * The unauthorized resource
+ * @param parameters
+ * The request parameters
+ */
+ public UnauthorizedResourceRequestException(final IResource resource, PageParameters parameters)
+ {
+ super("Not authorized to instantiate class " + resource.getClass().getName());
+
+ this.resource = resource;
+ this.parameters = parameters;
+ }
+
+ public IResource getResource()
+ {
+ return resource;
+ }
+
+ public PageParameters getParameters()
+ {
+ return parameters;
+ }
+}
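Review bot: The exception message is copied from the component-instantiation case: `"Not authorized to instantiate class "` is misleading in logs for a denied resource request. Suggest `super("Not authorized to request resource " + resource.getClass().getName());`. The `@author` tags look copied as well, and `getResource()` / `getParameters()` have no Javadoc. The constructor dereferences `resource` in the `super(...)` call without a null check, so a null argument surfaces as a NullPointerException instead of the authorization error.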
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/CompoundAuthorizationStrategy.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/CompoundAuthorizationStrategy.java b/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/CompoundAuthorizationStrategy.java
index d480520..13fa667 100644
--- a/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/CompoundAuthorizationStrategy.java
+++ b/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/CompoundAuthorizationStrategy.java
@@ -23,6 +23,8 @@ import org.apache.wicket.Component;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.request.component.IRequestableComponent;
+import org.apache.wicket.request.mapper.parameter.PageParameters;
+import org.apache.wicket.request.resource.IResource;
/**
@@ -34,7 +36,7 @@ import org.apache.wicket.request.component.IRequestableComponent;
public class CompoundAuthorizationStrategy implements IAuthorizationStrategy
{
/** List of strategies to consult */
- private final List<IAuthorizationStrategy> strategies = new ArrayList<IAuthorizationStrategy>();
+ private final List<IAuthorizationStrategy> strategies = new ArrayList<>();
/**
* Adds a strategy to the chain
@@ -84,4 +86,17 @@ public class CompoundAuthorizationStrategy implements IAuthorizationStrategy
}
return true;
}
+
+ @Override
+ public boolean isResourceAuthorized(IResource resource, PageParameters parameters)
+ {
+ for (IAuthorizationStrategy strategy : strategies)
+ {
+ if (!strategy.isResourceAuthorized(resource, parameters))
+ {
+ return false;
+ }
+ }
+ return true;
+ }
}
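Review bot: `isResourceAuthorized` has no Javadoc, and its behaviour with an empty chain is worth stating: with no strategies added the loop body never runs and the method returns `true`. A short comment such as `/** Allows the request only if every strategy in the chain allows it; an empty chain allows everything. */` would make the deny-wins, allow-by-default semantics explicit. The enclosing class starts outside the hunk.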
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/action/ActionAuthorizationStrategy.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/action/ActionAuthorizationStrategy.java b/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/action/ActionAuthorizationStrategy.java
index ef355f4..f016758 100644
--- a/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/action/ActionAuthorizationStrategy.java
+++ b/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/action/ActionAuthorizationStrategy.java
@@ -22,7 +22,6 @@ import java.util.Map;
import org.apache.wicket.Component;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
-import org.apache.wicket.request.component.IRequestableComponent;
/**
@@ -32,10 +31,10 @@ import org.apache.wicket.request.component.IRequestableComponent;
* @author Jonathan Locke
* @since Wicket 1.2
*/
-public class ActionAuthorizationStrategy implements IAuthorizationStrategy
+public class ActionAuthorizationStrategy extends IAuthorizationStrategy.AllowAllAuthorizationStrategy
{
/** Map from Action keys to IActionAuthorizer implementations. */
- private final Map<Action, IActionAuthorizer> actionAuthorizerForAction = new HashMap<Action, IActionAuthorizer>();
+ private final Map<Action, IActionAuthorizer> actionAuthorizerForAction = new HashMap<>();
/**
* Adds an action authorizer.
@@ -49,16 +48,6 @@ public class ActionAuthorizationStrategy implements IAuthorizationStrategy
}
/**
- * @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
- */
- @Override
- public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
- Class<T> componentClass)
- {
- return true;
- }
-
- /**
* @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
* org.apache.wicket.authorization.Action)
*/
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/AbstractPageAuthorizationStrategy.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/AbstractPageAuthorizationStrategy.java b/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/AbstractPageAuthorizationStrategy.java
index 736ae60..fb49856 100644
--- a/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/AbstractPageAuthorizationStrategy.java
+++ b/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/AbstractPageAuthorizationStrategy.java
@@ -16,9 +16,7 @@
*/
package org.apache.wicket.authorization.strategies.page;
-import org.apache.wicket.Component;
import org.apache.wicket.Page;
-import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.request.component.IRequestableComponent;
@@ -30,19 +28,9 @@ import org.apache.wicket.request.component.IRequestableComponent;
* @author Jonathan Locke
* @author Eelco Hillenius
*/
-public abstract class AbstractPageAuthorizationStrategy implements IAuthorizationStrategy
+public abstract class AbstractPageAuthorizationStrategy extends IAuthorizationStrategy.AllowAllAuthorizationStrategy
{
/**
- * @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
- * org.apache.wicket.authorization.Action)
- */
- @Override
- public boolean isActionAuthorized(final Component component, final Action action)
- {
- return true;
- }
-
- /**
* @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
*/
@Override
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/SimplePageAuthorizationStrategy.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/SimplePageAuthorizationStrategy.java b/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/SimplePageAuthorizationStrategy.java
index 1bbfcb7..1eb5754 100644
--- a/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/SimplePageAuthorizationStrategy.java
+++ b/wicket-core/src/main/java/org/apache/wicket/authorization/strategies/page/SimplePageAuthorizationStrategy.java
@@ -55,7 +55,7 @@ import org.apache.wicket.authorization.UnauthorizedInstantiationException;
public abstract class SimplePageAuthorizationStrategy extends AbstractPageAuthorizationStrategy
{
/**
- * The supertype (class or interface) of Pages that require authorization to be instantiated.
+ * The super type (class or interface) of Pages that require authorization to be instantiated.
*/
private final WeakReference<Class<?>> securePageSuperTypeRef;
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/request/handler/resource/ResourceRequestHandler.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/request/handler/resource/ResourceRequestHandler.java b/wicket-core/src/main/java/org/apache/wicket/request/handler/resource/ResourceRequestHandler.java
index 09537e2..8a1466e 100644
--- a/wicket-core/src/main/java/org/apache/wicket/request/handler/resource/ResourceRequestHandler.java
+++ b/wicket-core/src/main/java/org/apache/wicket/request/handler/resource/ResourceRequestHandler.java
@@ -16,10 +16,14 @@
*/
package org.apache.wicket.request.handler.resource;
+import org.apache.wicket.Application;
+import org.apache.wicket.Session;
+import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.request.IRequestCycle;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.request.resource.IResource;
+import org.apache.wicket.settings.def.DefaultUnauthorizedResourceRequestListener;
import org.apache.wicket.util.lang.Args;
/**
@@ -30,30 +34,56 @@ import org.apache.wicket.util.lang.Args;
public class ResourceRequestHandler implements IRequestHandler
{
private final IResource resource;
- private final PageParameters pageParameters;
+ private final PageParameters parameters;
/**
* Construct.
*
* @param resource
- * @param pageParameters
+ * @param parameters
*/
- public ResourceRequestHandler(IResource resource, PageParameters pageParameters)
+ public ResourceRequestHandler(IResource resource, PageParameters parameters)
{
Args.notNull(resource, "resource");
this.resource = resource;
- this.pageParameters = pageParameters != null ? pageParameters : new PageParameters();
+ this.parameters = parameters != null ? parameters : new PageParameters();
+
+ authorize();
}
+ private void authorize()
+ {
+ IAuthorizationStrategy authorizationStrategy = null;
+ if (Session.exists())
+ {
+ authorizationStrategy = Session.get().getAuthorizationStrategy();
+ }
+ else if (Application.exists())
+ {
+ authorizationStrategy = Application.get().getSecuritySettings().getAuthorizationStrategy();
+ }
+
+ if (authorizationStrategy != null && authorizationStrategy.isResourceAuthorized(resource, parameters) == false)
+ {
+ if (Application.exists())
+ {
+ Application.get().getSecuritySettings().getUnauthorizedResourceRequestListener().onUnauthorizedRequest(resource, parameters);
+ }
+ else
+ {
+ new DefaultUnauthorizedResourceRequestListener().onUnauthorizedRequest(resource, parameters);
+ }
+ }
+ }
/**
* @return page parameters
*/
public PageParameters getPageParameters()
{
- return pageParameters;
+ return parameters;
}
/**
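Review bot: `authorize()` fails open: when `isResourceAuthorized` returns false it only notifies the listener and then returns, so the constructor completes and `respond()` still calls `resource.respond(a)` unless the listener itself aborts the request. The default listener added in this commit does nothing when `RequestCycle.get()` is null, and a custom listener may simply log. Consider ending the denied branch with `throw new UnauthorizedResourceRequestException(resource, parameters);` (the class is added in this commit but not used in the visible hunks), or storing the decision in a field that `respond()` checks before serving. The branch where neither a Session nor an Application exists also leaves the strategy null and permits the request, which deserves at least a comment. None of the test changes visible in this commit exercises a denied resource request.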
@@ -71,7 +101,7 @@ public class ResourceRequestHandler implements IRequestHandler
public void respond(final IRequestCycle requestCycle)
{
IResource.Attributes a = new IResource.Attributes(requestCycle.getRequest(),
- requestCycle.getResponse(), pageParameters);
+ requestCycle.getResponse(), parameters);
resource.respond(a);
}
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/settings/ISecuritySettings.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/settings/ISecuritySettings.java b/wicket-core/src/main/java/org/apache/wicket/settings/ISecuritySettings.java
index f244bff..cf6806a 100644
--- a/wicket-core/src/main/java/org/apache/wicket/settings/ISecuritySettings.java
+++ b/wicket-core/src/main/java/org/apache/wicket/settings/ISecuritySettings.java
@@ -19,6 +19,7 @@ package org.apache.wicket.settings;
import org.apache.wicket.authentication.IAuthenticationStrategy;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
+import org.apache.wicket.authorization.IUnauthorizedResourceRequestListener;
import org.apache.wicket.util.crypt.ICryptFactory;
/**
@@ -108,4 +109,17 @@ public interface ISecuritySettings
*/
void setUnauthorizedComponentInstantiationListener(
IUnauthorizedComponentInstantiationListener unauthorizedComponentInstantiationListener);
+
+ /**
+ * @return The listener that will be used when a request to an IResource is not allowed for some reason
+ */
+ IUnauthorizedResourceRequestListener getUnauthorizedResourceRequestListener();
+
+ /**
+ * Sets a listener that will be used when a request to an IResource is not allowed for some reason
+ *
+ * @param listener
+ * The listener
+ */
+ void setUnauthorizedResourceRequestListener(IUnauthorizedResourceRequestListener listener);
}
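Review bot: The setter's Javadoc does not say what passing `null` does. `SecuritySettings` in this commit falls back to the default listener for `null`, and it now does the same in `setUnauthorizedComponentInstantiationListener`, which previously stored the argument as given. Document it on the interface, e.g. `@param listener The listener; {@code null} restores the default listener`.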
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/settings/def/DefaultUnauthorizedResourceRequestListener.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/settings/def/DefaultUnauthorizedResourceRequestListener.java b/wicket-core/src/main/java/org/apache/wicket/settings/def/DefaultUnauthorizedResourceRequestListener.java
new file mode 100644
index 0000000..d13a994
--- /dev/null
+++ b/wicket-core/src/main/java/org/apache/wicket/settings/def/DefaultUnauthorizedResourceRequestListener.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.settings.def;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.wicket.authorization.IUnauthorizedResourceRequestListener;
+import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.cycle.RequestCycle;
+import org.apache.wicket.request.http.handler.ErrorCodeRequestHandler;
+import org.apache.wicket.request.mapper.parameter.PageParameters;
+import org.apache.wicket.request.resource.IResource;
+
+/**
+ * An IUnauthorizedResourceRequestListener that schedules a response with status code 403 (Forbidden)
+ */
+public class DefaultUnauthorizedResourceRequestListener implements IUnauthorizedResourceRequestListener
+{
+ @Override
+ public void onUnauthorizedRequest(IResource resource, PageParameters parameters)
+ {
+ RequestCycle cycle = RequestCycle.get();
+ if (cycle != null)
+ {
+ IRequestHandler handler = new ErrorCodeRequestHandler(HttpServletResponse.SC_FORBIDDEN, createErrorMessage(resource, parameters));
+ cycle.replaceAllRequestHandlers(handler);
+ }
+ }
+
+ protected String createErrorMessage(IResource resource, PageParameters parameters)
+ {
+ return new StringBuilder()
+ .append("The request to resource '")
+ .append(resource)
+ .append("' with parameters '")
+ .append(parameters)
+ .append("' cannot be authorized.")
+ .toString();
+ }
+
+}
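Review bot: `createErrorMessage` puts whatever `resource.toString()` yields, plus the raw request parameters, into the text passed to `ErrorCodeRequestHandler`. Caller-supplied values and internal details therefore end up in the 403 response, and how they are rendered depends on the container's error page. I would send a fixed message (or none: `new ErrorCodeRequestHandler(HttpServletResponse.SC_FORBIDDEN)`) and write the detailed text to the server log instead. When `RequestCycle.get()` returns null, `onUnauthorizedRequest` returns without doing anything, which deserves a comment or a log statement. `createErrorMessage` is a protected extension point and has no Javadoc.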
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java b/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java
index 3b7f8ad..0eec303 100644
--- a/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java
+++ b/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java
@@ -21,6 +21,7 @@ import org.apache.wicket.authentication.IAuthenticationStrategy;
import org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
+import org.apache.wicket.authorization.IUnauthorizedResourceRequestListener;
import org.apache.wicket.authorization.UnauthorizedInstantiationException;
import org.apache.wicket.settings.ISecuritySettings;
import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
@@ -55,7 +56,7 @@ public class SecuritySettings implements ISecuritySettings
private boolean enforceMounts = false;
/** Authorizer for component instantiations */
- private IUnauthorizedComponentInstantiationListener unauthorizedComponentInstantiationListener = new IUnauthorizedComponentInstantiationListener()
+ private static final IUnauthorizedComponentInstantiationListener DEFAULT_UNAUTHORIZED_COMPONENT_INSTANTIATION_LISTENER = new IUnauthorizedComponentInstantiationListener()
{
/**
* Called when an unauthorized component instantiation is about to take place (but before it
@@ -71,6 +72,14 @@ public class SecuritySettings implements ISecuritySettings
}
};
+ private IUnauthorizedComponentInstantiationListener unauthorizedComponentInstantiationListener =
+ DEFAULT_UNAUTHORIZED_COMPONENT_INSTANTIATION_LISTENER;
+
+ private static final IUnauthorizedResourceRequestListener DEFAULT_UNAUTHORIZED_RESOURCE_REQUEST_LISTENER =
+ new DefaultUnauthorizedResourceRequestListener();
+
+ private IUnauthorizedResourceRequestListener unauthorizedResourceRequestListener = DEFAULT_UNAUTHORIZED_RESOURCE_REQUEST_LISTENER;
+
/**
* @see org.apache.wicket.settings.ISecuritySettings#getAuthorizationStrategy()
*/
@@ -151,9 +160,21 @@ public class SecuritySettings implements ISecuritySettings
*/
@Override
public void setUnauthorizedComponentInstantiationListener(
- IUnauthorizedComponentInstantiationListener unauthorizedComponentInstantiationListener)
+ IUnauthorizedComponentInstantiationListener listener)
+ {
+ this.unauthorizedComponentInstantiationListener = listener == null ? DEFAULT_UNAUTHORIZED_COMPONENT_INSTANTIATION_LISTENER : listener;
+ }
+
+ @Override
+ public IUnauthorizedResourceRequestListener getUnauthorizedResourceRequestListener()
+ {
+ return unauthorizedResourceRequestListener;
+ }
+
+ @Override
+ public void setUnauthorizedResourceRequestListener(IUnauthorizedResourceRequestListener listener)
{
- this.unauthorizedComponentInstantiationListener = unauthorizedComponentInstantiationListener;
+ this.unauthorizedResourceRequestListener = listener == null ? DEFAULT_UNAUTHORIZED_RESOURCE_REQUEST_LISTENER : listener;
}
/**
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/test/java/org/apache/wicket/AuthorizationTest.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/test/java/org/apache/wicket/AuthorizationTest.java b/wicket-core/src/test/java/org/apache/wicket/AuthorizationTest.java
index 53dd707..742bcf0 100644
--- a/wicket-core/src/test/java/org/apache/wicket/AuthorizationTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/AuthorizationTest.java
@@ -58,7 +58,7 @@ public class AuthorizationTest extends WicketTestCase
{
tester.getApplication()
.getSecuritySettings()
- .setAuthorizationStrategy(new DummyAuthorizationStrategy()
+ .setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy()
{
@Override
public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
@@ -88,7 +88,7 @@ public class AuthorizationTest extends WicketTestCase
{
tester.getApplication()
.getSecuritySettings()
- .setAuthorizationStrategy(new DummyAuthorizationStrategy());
+ .setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy());
tester.startPage(AuthTestPage1.class);
tester.assertRenderedPage(AuthTestPage1.class);
@@ -104,7 +104,7 @@ public class AuthorizationTest extends WicketTestCase
{
tester.getApplication()
.getSecuritySettings()
- .setAuthorizationStrategy(new DummyAuthorizationStrategy()
+ .setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy()
{
/**
* @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
@@ -134,7 +134,7 @@ public class AuthorizationTest extends WicketTestCase
{
tester.getApplication()
.getSecuritySettings()
- .setAuthorizationStrategy(new DummyAuthorizationStrategy());
+ .setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy());
tester.startPage(AuthTestPage1.class);
tester.assertRenderedPage(AuthTestPage1.class);
@@ -157,7 +157,7 @@ public class AuthorizationTest extends WicketTestCase
{
tester.getApplication()
.getSecuritySettings()
- .setAuthorizationStrategy(new DummyAuthorizationStrategy()
+ .setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy()
{
/**
* @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
@@ -190,32 +190,6 @@ public class AuthorizationTest extends WicketTestCase
}
/**
- * noop strategy so we don't have to implement the whole interface every time.
- */
- private static class DummyAuthorizationStrategy implements IAuthorizationStrategy
- {
- /**
- * @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
- */
- @Override
- public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
- Class<T> componentClass)
- {
- return true;
- }
-
- /**
- * @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
- * org.apache.wicket.authorization.Action)
- */
- @Override
- public boolean isActionAuthorized(Component c, Action action)
- {
- return true;
- }
- }
-
- /**
* Test page for authentication tests.
*/
public static class AuthTestPage1 extends WebPage
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/test/java/org/apache/wicket/ajax/AjaxBehaviorEnabledTest.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/test/java/org/apache/wicket/ajax/AjaxBehaviorEnabledTest.java b/wicket-core/src/test/java/org/apache/wicket/ajax/AjaxBehaviorEnabledTest.java
index 9359163..c8af758 100644
--- a/wicket-core/src/test/java/org/apache/wicket/ajax/AjaxBehaviorEnabledTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/ajax/AjaxBehaviorEnabledTest.java
@@ -25,7 +25,6 @@ import org.apache.wicket.mock.MockApplication;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Response;
-import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.util.tester.WicketTester;
import org.junit.Before;
import org.junit.Test;
@@ -40,7 +39,7 @@ public class AjaxBehaviorEnabledTest extends WicketTestCase
*
* @author marrink
*/
- private static final class CustomStrategy implements IAuthorizationStrategy
+ private static final class CustomStrategy extends IAuthorizationStrategy.AllowAllAuthorizationStrategy
{
/**
*
@@ -56,18 +55,6 @@ public class AjaxBehaviorEnabledTest extends WicketTestCase
}
return true;
}
-
- /**
- *
- * @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
- */
- @Override
- public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
- Class<T> componentClass)
- {
- return true;
- }
-
}
/**
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java b/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java
index fe676e7..d18a069 100644
--- a/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java
@@ -24,7 +24,6 @@ import org.apache.wicket.markup.html.WebMarkupContainer;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.mock.MockApplication;
import org.apache.wicket.protocol.http.WebApplication;
-import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.util.resource.IResourceStream;
import org.apache.wicket.util.resource.StringResourceStream;
import org.junit.Test;
@@ -134,16 +133,8 @@ public class ComponentIsRenderedAllowedTest extends WicketTestCase
}
- private static class Authorizer implements IAuthorizationStrategy
+ private static class Authorizer extends IAuthorizationStrategy.AllowAllAuthorizationStrategy
{
-
- @Override
- public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
- Class<T> componentClass)
- {
- return true;
- }
-
@Override
public boolean isActionAuthorized(Component component, Action action)
{
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/test/java/org/apache/wicket/markup/html/form/login/InterceptTest.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/test/java/org/apache/wicket/markup/html/form/login/InterceptTest.java b/wicket-core/src/test/java/org/apache/wicket/markup/html/form/login/InterceptTest.java
index 47eadfe..ca7a930 100644
--- a/wicket-core/src/test/java/org/apache/wicket/markup/html/form/login/InterceptTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/markup/html/form/login/InterceptTest.java
@@ -29,6 +29,8 @@ import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Response;
import org.apache.wicket.request.component.IRequestableComponent;
+import org.apache.wicket.request.mapper.parameter.PageParameters;
+import org.apache.wicket.request.resource.IResource;
import org.apache.wicket.util.string.Strings;
import org.apache.wicket.util.tester.FormTester;
import org.junit.Test;
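Review bot: The two imports added here, `org.apache.wicket.request.mapper.parameter.PageParameters` and `org.apache.wicket.request.resource.IResource`, do not appear to be used by anything this commit changes in the file. The later hunks make `MyAuthorizationStrategy` extend `IAuthorizationStrategy.AllowAllAuthorizationStrategy` and delete its `isActionAuthorized` override, and no resource-level override is added. If the rest of the file, which is outside these hunks, does not reference them either, drop both lines so the test does not hint at a resource check it never exercises.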
@@ -187,7 +189,7 @@ public class InterceptTest extends WicketTestCase
/**
*
*/
- private static class MyAuthorizationStrategy implements IAuthorizationStrategy
+ private static class MyAuthorizationStrategy extends IAuthorizationStrategy.AllowAllAuthorizationStrategy
{
/**
* @see org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
@@ -203,15 +205,5 @@ public class InterceptTest extends WicketTestCase
}
return true;
}
-
- /**
- * @see org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
- * org.apache.wicket.authorization.Action)
- */
- @Override
- public boolean isActionAuthorized(Component component, Action action)
- {
- return true;
- }
}
}
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/test/java/org/apache/wicket/markup/html/internal/EnclosureTest.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/test/java/org/apache/wicket/markup/html/internal/EnclosureTest.java b/wicket-core/src/test/java/org/apache/wicket/markup/html/internal/EnclosureTest.java
index edd6261..3c1ae8b 100644
--- a/wicket-core/src/test/java/org/apache/wicket/markup/html/internal/EnclosureTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/markup/html/internal/EnclosureTest.java
@@ -30,7 +30,6 @@ import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.CheckBox;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.mock.MockApplication;
-import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.util.resource.IResourceStream;
import org.apache.wicket.util.resource.StringResourceStream;
@@ -337,20 +336,13 @@ public class EnclosureTest extends WicketTestCase
super.init();
// This should cause all SecuredContainer components to be hidden
- getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy()
+ getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy()
{
@Override
public boolean isActionAuthorized(Component component, Action action)
{
return !(component instanceof SecuredContainer_13);
}
-
- @Override
- public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
- Class<T> componentClass)
- {
- return true;
- }
});
}
});
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/test/java/org/apache/wicket/redirect/intercept/InterceptTest.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/test/java/org/apache/wicket/redirect/intercept/InterceptTest.java b/wicket-core/src/test/java/org/apache/wicket/redirect/intercept/InterceptTest.java
index 04ddf93..9f9a34d 100644
--- a/wicket-core/src/test/java/org/apache/wicket/redirect/intercept/InterceptTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/redirect/intercept/InterceptTest.java
@@ -16,11 +16,9 @@
*/
package org.apache.wicket.redirect.intercept;
-import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.WicketTestCase;
-import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.mock.MockApplication;
import org.apache.wicket.protocol.http.WebApplication;
@@ -43,18 +41,12 @@ public class InterceptTest extends WicketTestCase
@Override
protected void init()
{
- getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy()
+ getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy()
{
private boolean block = true;
@Override
- public boolean isActionAuthorized(Component component, Action action)
- {
- return true;
- }
-
- @Override
public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
Class<T> componentClass)
{
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-core/src/test/java/org/apache/wicket/util/tester/WicketTesterTest.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/test/java/org/apache/wicket/util/tester/WicketTesterTest.java b/wicket-core/src/test/java/org/apache/wicket/util/tester/WicketTesterTest.java
index df21f3d..3a10018 100644
--- a/wicket-core/src/test/java/org/apache/wicket/util/tester/WicketTesterTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/util/tester/WicketTesterTest.java
@@ -1007,7 +1007,7 @@ public class WicketTesterTest extends WicketTestCase
public void rerenderNotAllowed()
{
tester.setExposeExceptions(false);
- class YesNoPageAuthorizationStrategy implements IAuthorizationStrategy
+ class YesNoPageAuthorizationStrategy extends IAuthorizationStrategy.AllowAllAuthorizationStrategy
{
private boolean allowed = true;
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-examples/src/main/java/org/apache/wicket/examples/authentication1/SignInApplication.java
----------------------------------------------------------------------
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/authentication1/SignInApplication.java b/wicket-examples/src/main/java/org/apache/wicket/examples/authentication1/SignInApplication.java
index fdd8177..db4a6b0 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/authentication1/SignInApplication.java
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/authentication1/SignInApplication.java
@@ -16,11 +16,9 @@
*/
package org.apache.wicket.examples.authentication1;
-import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.Session;
-import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.examples.WicketExampleApplication;
import org.apache.wicket.request.Request;
@@ -68,16 +66,9 @@ public final class SignInApplication extends WicketExampleApplication
super.init();
// Register the authorization strategy
- getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy()
+ getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy()
{
@Override
- public boolean isActionAuthorized(Component component, Action action)
- {
- // authorize everything
- return true;
- }
-
- @Override
public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
Class<T> componentClass)
{
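Review bot: Making this example's strategy an anonymous subclass of `IAuthorizationStrategy.AllowAllAuthorizationStrategy` means every check other than `isInstantiationAuthorized` now fails open, and the removed `// authorize everything` comment was the only place that said so. Because this is sample code that readers copy into real applications, I would keep that statement above the anonymous class, e.g. `// AllowAllAuthorizationStrategy permits every check not overridden here; only page instantiation is restricted`. Presumably the resource check this commit introduces is among the inherited defaults (the base class is declared outside this view), so an application copying the example would serve all resources without authorization unless it overrides that check too. The same applies to the SignIn2Application hunk; the method body continues outside this hunk.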
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-examples/src/main/java/org/apache/wicket/examples/authentication2/SignIn2Application.java
----------------------------------------------------------------------
diff --git a/wicket-examples/src/main/java/org/apache/wicket/examples/authentication2/SignIn2Application.java b/wicket-examples/src/main/java/org/apache/wicket/examples/authentication2/SignIn2Application.java
index 70fb695..f4c0628 100644
--- a/wicket-examples/src/main/java/org/apache/wicket/examples/authentication2/SignIn2Application.java
+++ b/wicket-examples/src/main/java/org/apache/wicket/examples/authentication2/SignIn2Application.java
@@ -16,11 +16,9 @@
*/
package org.apache.wicket.examples.authentication2;
-import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.Session;
-import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.examples.WicketExampleApplication;
import org.apache.wicket.request.Request;
@@ -70,14 +68,8 @@ public final class SignIn2Application extends WicketExampleApplication
super.init();
// Register the authorization strategy
- getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy()
+ getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy.AllowAllAuthorizationStrategy()
{
- public boolean isActionAuthorized(Component component, Action action)
- {
- // authorize everything
- return true;
- }
-
public <T extends IRequestableComponent> boolean isInstantiationAuthorized(
Class<T> componentClass)
{
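Review bot: The remaining `isInstantiationAuthorized` method has no `@Override`, which matters more now that the anonymous class extends `IAuthorizationStrategy.AllowAllAuthorizationStrategy` instead of implementing the interface directly. With the interface, the compiler rejected a missing or mistyped method; with a permissive base class, a signature that drifts silently stops overriding and the inherited allow-everything default takes over. Add `@Override` on the line before `public <T extends IRequestableComponent> boolean isInstantiationAuthorized(`, as the SignInApplication hunk already has. The method body continues outside the hunk.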
http://git-wip-us.apache.org/repos/asf/wicket/blob/88b5d5cb/wicket-request/src/main/java/org/apache/wicket/request/http/handler/ErrorCodeRequestHandler.java
----------------------------------------------------------------------
diff --git a/wicket-request/src/main/java/org/apache/wicket/request/http/handler/ErrorCodeRequestHandler.java b/wicket-request/src/main/java/org/apache/wicket/request/http/handler/ErrorCodeRequestHandler.java
index f8e4044..7f7d291 100644
--- a/wicket-request/src/main/java/org/apache/wicket/request/http/handler/ErrorCodeRequestHandler.java
+++ b/wicket-request/src/main/java/org/apache/wicket/request/http/handler/ErrorCodeRequestHandler.java
@@ -24,7 +24,7 @@ import org.apache.wicket.request.http.WebResponse;
/**
* Response target that is to be used in a servlet environment to send an error code and optionally
* a message. NOTE: this target can only be used in a servlet environment with
- * {@link org.apache.wicket.protocol.http.WebRequestCycle}s.
+ * {@link IRequestCycle}s.
*
* @author Eelco Hillenius
*/