Posted to users@wicket.apache.org by "mathieu.marcotte-gagnon@bell.ca" <ma...@bell.ca> on 2011/08/17 15:11:59 UTC

Wicket-auth issue

Hi wicket developers and users,

I am developing a web application that uses the wicket-auth framework 1.4.17,
more specifically the following class:

org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy

and I am experiencing an issue that I think might be a bug (but I'm not sure, it might be
that I'm doing something wrong). I am using an annotation like below:

	@AuthorizeAction(action = ..., roles = ...)

However I have found that I am always denied access to the page. I have traced the reason
of the access to the following code, in method "check" of the above class:

	if (hasAny(new Roles(authorizeActionAnnotation.deny())))
	{
		return false;
	}

The deny list returned by "authorizeActionAnnotation.deny()" is empty, therefore "hasAny"
always returns true, which means that when the deny list is empty you are always denied
access to the page!

Maybe it's a feature but it sounds counter-intuitive to me :) Using the following
annotation did fix the issue:

	@AuthorizeAction(action = ..., deny="dummyRoleToDeny", roles = ...)

Am I doing something wrong, or is it really intended that if you don't specify a deny list
then you are always denied access?

Thanks


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Wicket-auth issue

Posted by Martin Grigorov <mg...@apache.org>.
Indeed this check looks wrong.
Please file a ticket in our Jira to fix it.

On Wed, Aug 17, 2011 at 4:11 PM, mathieu.marcotte-gagnon@bell.ca
<ma...@bell.ca> wrote:
> Hi wicket developers and users,
>
> I am developing a web application that uses the wicket-auth framework 1.4.17,
> more specifically the following class:
>
> org.apache.wicket.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy
>
> and I am experiencing an issue that I think might be a bug (but I'm not sure, it might be
> that I'm doing something wrong). I am using an annotation like below:
>
>        @AuthorizeAction(action = ..., roles = ...)
>
> However I have found that I am always denied access to the page. I have traced the reason
> of the access to the following code, in method "check" of the above class:
>
>        if (hasAny(new Roles(authorizeActionAnnotation.deny())))
>        {
>                return false;
>        }
>
> The deny list returned by "authorizeActionAnnotation.deny()" is empty, therefore "hasAny"
> always returns true, which means that when the deny list is empty you are always denied
> access to the page!
>
> Maybe it's a feature but it sounds counter-intuitive to me :) Using the following
> annotation did fix the issue:
>
>        @AuthorizeAction(action = ..., deny="dummyRoleToDeny", roles = ...)
>
> Am I doing something wrong, or is it really intended that if you don't specify a deny list
> then you are always denied access?
>
> Thanks
>



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
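
The check discussed in this thread, as an added stand-alone example that is not part of either message and is not Wicket's source code. It assumes, as the report states, that `hasAny` returns true for an empty role set; the class and method names and the `ADMIN` role are constructed for illustration, and `checkCorrected` is one possible correction, not the project's fix.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Plain-Java model of the allow/deny check from the thread (hypothetical names). */
public class DenyListCheck {

    // Assumption taken from the report: an empty role set means "no restriction",
    // so hasAny() answers true for it. That reading suits an allow list only.
    static boolean hasAny(Set<String> required, Set<String> userRoles) {
        if (required.isEmpty()) {
            return true;
        }
        return !Collections.disjoint(required, userRoles);
    }

    // Check as reported: the same empty-means-true rule is applied to the deny
    // list, so an annotation without deny=... rejects every user.
    static boolean checkAsReported(Set<String> allow, Set<String> deny, Set<String> user) {
        if (hasAny(deny, user)) {
            return false;
        }
        return hasAny(allow, user);
    }

    // One possible correction: only a non-empty deny list can reject a user.
    static boolean checkCorrected(Set<String> allow, Set<String> deny, Set<String> user) {
        if (!deny.isEmpty() && hasAny(deny, user)) {
            return false;
        }
        return hasAny(allow, user);
    }

    public static void main(String[] args) {
        Set<String> admin = new HashSet<>(Arrays.asList("ADMIN"));           // constructed role
        Set<String> dummy = new HashSet<>(Arrays.asList("dummyRoleToDeny")); // workaround from the post
        Set<String> empty = Collections.emptySet();

        System.out.println("reported,  no deny list:    " + checkAsReported(admin, empty, admin));
        System.out.println("reported,  dummy deny role: " + checkAsReported(admin, dummy, admin));
        System.out.println("corrected, no deny list:    " + checkCorrected(admin, empty, admin));
        // Regression case: a user who really holds a denied role must stay denied.
        System.out.println("corrected, user is denied:  " + checkCorrected(admin, admin, admin));
    }
}
```

The last case is the one to keep in a regression test: relaxing the deny check for an empty list must not let a user through who actually holds a denied role.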
