Posted to users@wicket.apache.org by Matthias Keller <ma...@ergon.ch> on 2009/05/26 13:56:11 UTC
Problems using wicket with web.xml security
Hi

We have a wicket application which should be completely secured by FORM
authentication by the webserver.
For that, we have the following in web.xml:

<security-constraint>
    <display-name>Secured pages</display-name>
    <web-resource-collection>
        <web-resource-name>All Pages</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>someRole</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Secure Everything</realm-name>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/login/login-error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description>User security role</description>
    <role-name>someRole</role-name>
</security-role>
<security-role>
    <description>User security role</description>
    <role-name>someOtherRole</role-name>
</security-role>

Unfortunately, it seems that every user having ANY role gets access to
the wicket pages.
For example a user with role someOtherRole will get access to the main
page, as its url is for example:
http://localhost:7001/app/?wicket:interface=:2::::
When he tries to access a mounted page though, he gets the Error
403--Forbidden as expected.
But he should also get this error when trying to access the home page of
the wicket app.
I suspect it has something to do with the /* url-pattern not catching
the /?wicket:interface=:2:::: ???

Thanks for your help!!

Matt
--
matthias.keller@ergon.ch +41 44 268 83 98
Ergon Informatik AG, Kleinstrasse 15, CH-8008 Zürich
http://www.ergon.ch
______________________________________________________________
e r g o n smart people - smart software
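
Added example, not part of the original thread and not code from Wicket or any servlet container: a small Python model of how the Servlet specification matches a <security-constraint> against a request, applied to the descriptor and URL from the post above. Matching uses the context-relative path with the query string excluded. Assumptions: the /app context path is read off the URL in the post, and the evaluator is simplified (it unions the roles of all matching constraints and does not model best-match selection or constraints that have no <auth-constraint>).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the security-constraint from the post inside a bare root
# element (no XML namespace, which a real web.xml normally declares).
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>someRole</role-name></auth-constraint>
</security-constraint></web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern forms: /*, path prefix /x/*, extension *.x, exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

def load_constraints(xml_text):
    """Return one dict per <security-constraint> with patterns, methods, roles."""
    texts = lambda node, tag: [e.text.strip() for e in node.iter(tag)]
    return [{"patterns": texts(sc, "url-pattern"),
             "methods": set(texts(sc, "http-method")),
             "roles": set(texts(sc, "role-name"))}
            for sc in ET.fromstring(xml_text).iter("security-constraint")]

def decide(constraints, method, url, user_roles, context="/app"):
    """'permit', 'deny', or 'unconstrained' when no constraint covers the request."""
    path = urlsplit(url).path            # the query string plays no part in matching
    path = path[len(context):] or "/"    # patterns apply to the context-relative path
    hits = [c for c in constraints
            if any(pattern_matches(p, path) for p in c["patterns"])
            # an empty <http-method> list means the constraint covers every method
            and (not c["methods"] or method in c["methods"])]
    if not hits:
        return "unconstrained"
    allowed = set().union(*(c["roles"] for c in hits))
    return "permit" if allowed & set(user_roles) else "deny"

if __name__ == "__main__":
    cs = load_constraints(WEB_XML)
    home = "http://localhost:7001/app/?wicket:interface=:2::::"
    for role in ("someRole", "someOtherRole"):
        print(role, decide(cs, "GET", home, {role}))
```

Because the descriptor lists <http-method> elements, the constraint applies only to GET and POST; the model reports any other method as unconstrained.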
Re: Problems using wicket with web.xml security
Posted by Igor Vaynberg <ig...@gmail.com>.
try in a different servlet container
-igor
On Tue, May 26, 2009 at 4:56 AM, Matthias Keller
<ma...@ergon.ch> wrote:
> Hi
>
> We have a wicket application which should be completely secured by FORM
> authentication by the webserver.
> For that, we have the following in web.xml:
>
> <security-constraint>
> <display-name>Secured pages</display-name>
> <web-resource-collection>
> <web-resource-name>All Pages</web-resource-name>
> <url-pattern>/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>someRole</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>Secure Everything</realm-name>
> <form-login-config>
> <form-login-page>/login</form-login-page>
> <form-error-page>/login/login-error.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> <security-role>
> <description>User security role</description>
> <role-name>someRole</role-name>
> </security-role>
> <security-role>
> <description>User security role</description>
> <role-name>someOtherRole</role-name>
> </security-role>
>
> Unfortunately, it seems that every user having ANY role gets access to the
> wicket pages.
> For example a user with role someOtherRole will get access to the main
> page, as its url is for example:
> http://localhost:7001/app/?wicket:interface=:2::::
> When he tries to access a mounted page though, he gets the Error
> 403--Forbidden as expected.
> But he should also get this error when trying to access the home page of the
> wicket app.
> I suspect it has something to do with the /* url-pattern not catching the
> /?wicket:interface=:2:::: ???
>
> Thanks for your help!!
>
> Matt
>
> --
> matthias.keller@ergon.ch +41 44 268 83 98
> Ergon Informatik AG, Kleinstrasse 15, CH-8008 Zürich
> http://www.ergon.ch
> ______________________________________________________________
> e r g o n smart people - smart software
>
>
>