Posted to users@wicket.apache.org by Igor Vaynberg <ig...@gmail.com> on 2009/05/27 04:00:45 UTC

Re: What's the simplest way to do Context-sensitive Authorization in Wicket?

class EditListingLink extends Link<Listing> {
  @Override
  public boolean isEnabled() {
    Listing listing = getModelObject();
    // only the listing's author gets a working edit link
    return MySession.get().getUser().equals(listing.getAuthor());
  }
}

-igor


On Tue, May 26, 2009 at 6:12 PM, Ben Hutchison <be...@ibsglobalweb.com> wrote:
> Marco Santos wrote:
>>
>> In the book "Wicket in Action" there is a chapter (12) that covers
>> Authentication and Authorization. It will be very useful to you, and
>> is
>> very easy to understand and implement.
>>
>
> Well no.. actually.
>
> As I made clear in my question,  I need to do _context-sensitive_
> authorization.
>
> The example (chapter 11, by the way), is a classic non-contextual
> authorization example - there are User and Admin roles that are unaffected
> by context.
>
> -Ben
>
> --
>
>
>
> *Ben Hutchison
> Senior Developer
> * Level 2 476 St Kilda Road Melbourne VIC 3004
> T 613 8807 5252 | F 613 8807 5203 | M 0423 879 534 | www.ibsglobalweb.com
> <http://www.ibsglobalweb.com/>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org
>
>



Re: What's the simplest way to do Context-sensitive Authorization in Wicket?

Posted by Sam Stainsby <sa...@sustainablesoftware.com.au>.
My code was bigger but I didn't want to brag :-)

On Tue, 26 May 2009 23:11:06 -0700, Igor Vaynberg wrote:

> i was being facetious :)
> 
> -igor
> 
> On Tue, May 26, 2009 at 10:39 PM, Jeremy Thomerson
> <je...@wickettraining.com> wrote:
>> I didn't mean more than yours - Igor - I meant more than the original
>> request.  He simply requested basically exactly what you gave him.  In
>> mine, each permission can be granted dynamically in the DB.  You can be
>> given edit, delete, view, or add permissions each by section of the
>> site / category of the content within that section, etc.  It's much
>> more extensible, at the cost of being much more complicated.
>>
>> So, I was just adding to it - not putting yours down - since yours is
>> exactly what he requested.
>>
>> --
>> Jeremy Thomerson
>> http://www.wickettraining.com
>>
>>
>>
>>
>> On Wed, May 27, 2009 at 12:26 AM, Igor Vaynberg
>> <ig...@gmail.com> wrote:
>>> On Tue, May 26, 2009 at 9:57 PM, Jeremy Thomerson
>>> <je...@wickettraining.com> wrote:
>>>
>>>> (mine is actually much more complex
>>>> and dynamic than yours, but this is the basic idea that you could
>>>> apply to yours and build with your domain)
>>>
>>> i hope so - seeing how mine was written in about ten seconds :)
>>>
>>> -igor
>>>
>>>
>>>
>>>
>>
>>
>>





Re: What's the simplest way to do Context-sensitive Authorization in Wicket?

Posted by Igor Vaynberg <ig...@gmail.com>.
i was being facetious :)

-igor

On Tue, May 26, 2009 at 10:39 PM, Jeremy Thomerson
<je...@wickettraining.com> wrote:
> I didn't mean more than yours - Igor - I meant more than the original
> request.  He simply requested basically exactly what you gave him.  In
> mine, each permission can be granted dynamically in the DB.  You can
> be given edit, delete, view, or add permissions each by section of the
> site / category of the content within that section, etc.  It's much
> more extensible, at the cost of being much more complicated.
>
> So, I was just adding to it - not putting yours down - since yours is
> exactly what he requested.
>
> --
> Jeremy Thomerson
> http://www.wickettraining.com
>
>
>
>
> On Wed, May 27, 2009 at 12:26 AM, Igor Vaynberg <ig...@gmail.com> wrote:
>> On Tue, May 26, 2009 at 9:57 PM, Jeremy Thomerson
>> <je...@wickettraining.com> wrote:
>>
>>> (mine is actually much more complex
>>> and dynamic than yours, but this is the basic idea that you could
>>> apply to yours and build with your domain)
>>
>> i hope so - seeing how mine was written in about ten seconds :)
>>
>> -igor
>>
>>
>>
>
>
>



Re: What's the simplest way to do Context-sensitive Authorization in Wicket?

Posted by Jeremy Thomerson <je...@wickettraining.com>.
I didn't mean more than yours - Igor - I meant more than the original
request.  He simply requested basically exactly what you gave him.  In
mine, each permission can be granted dynamically in the DB.  You can
be given edit, delete, view, or add permissions each by section of the
site / category of the content within that section, etc.  It's much
more extensible, at the cost of being much more complicated.

So, I was just adding to it - not putting yours down - since yours is
exactly what he requested.

--
Jeremy Thomerson
http://www.wickettraining.com




On Wed, May 27, 2009 at 12:26 AM, Igor Vaynberg <ig...@gmail.com> wrote:
> On Tue, May 26, 2009 at 9:57 PM, Jeremy Thomerson
> <je...@wickettraining.com> wrote:
>
>> (mine is actually much more complex
>> and dynamic than yours, but this is the basic idea that you could
>> apply to yours and build with your domain)
>
> i hope so - seeing how mine was written in about ten seconds :)
>
> -igor
>
>
>



Re: What's the simplest way to do Context-sensitive Authorization in Wicket?

Posted by Igor Vaynberg <ig...@gmail.com>.
On Tue, May 26, 2009 at 9:57 PM, Jeremy Thomerson
<je...@wickettraining.com> wrote:

> (mine is actually much more complex
> and dynamic than yours, but this is the basic idea that you could
> apply to yours and build with your domain)

i hope so - seeing how mine was written in about ten seconds :)

-igor



Re: What's the simplest way to do Context-sensitive Authorization in Wicket?

Posted by Jeremy Thomerson <je...@wickettraining.com>.
I have built an auth strategy similar to the one below, but more
generic that could be applied through my whole application.  i.e.:

I have an interface IUserOwnedEntity
I have an interface IEntity

Then, it is basically as follows (mine is actually much more complex
and dynamic than yours, but this is the basic idea that you could
apply to yours and build with your domain):

 class MyStrategy implements IAuthorizationStrategy {
  public <T extends Component> boolean isInstantiationAuthorized(Class<T> componentClass) {
   return true; // ownership is only known once the component has a model
  }
  public boolean isActionAuthorized(Component c, Action action) {
   if (action == Component.RENDER) {
     IModel<?> mod = c.getDefaultModel();
     if (mod != null && mod.getObject() instanceof IUserOwnedEntity) {
       User user = MySession.get().getUser(); // or similar - not exactly right
       return user.owns((IUserOwnedEntity) mod.getObject()) || user.isAdmin();
     }
   }
   return true;
  }
 }

--
Jeremy Thomerson
http://www.wickettraining.com




On Tue, May 26, 2009 at 10:55 PM, Igor Vaynberg <ig...@gmail.com> wrote:
> if the edit page is not bookmarkable - and edit pages are not unless
> you make them so for whatever reason - then there is no way for the
> user to build the url unless wicket builds it. so this is hardly
> security by obscurity.
>
> securing pages is trivial
>
> class MyStrategy implements IAuthorizationStrategy {
>  public <T extends Component> boolean isInstantiationAuthorized(Class<T> componentClass) {
>    return true;
>  }
>  public boolean isActionAuthorized(Component c, Action action) {
>    if (action == Component.RENDER) {
>      if (c instanceof EditPage) {
>        // the edit page renders only for the listing's author
>        return ((EditPage) c).getListing().getAuthor().equals(MySession.get().getUser());
>      }
>    }
>    return true;
>  }
> }
>
> you can see how it would be easy to extend this to a generic
> IListingPage { Listing getListing(); }
>
> -igor
>
> On Tue, May 26, 2009 at 8:43 PM, Ben Hutchison <be...@ibsglobalweb.com> wrote:
>> Igor,
>>
>> Your suggestion seems to be based on "security through obscurity", ie hiding
>> the Edit link rather than securing the Edit page? Thus, if an unauthorized
>> user knows or discovers the URL of the edit page (eg from browser history),
>> what stops them from editing another user's listing?
>>
>> -Ben
>>
>> Igor Vaynberg wrote:
>>>
>>> class EditListingLink extends Link<Listing> {
>>>  @Override
>>>  public boolean isEnabled() {
>>>    Listing listing = getModelObject();
>>>    // only the listing's author gets a working edit link
>>>    return MySession.get().getUser().equals(listing.getAuthor());
>>>  }
>>> }
>>>
>>> -igor
>>>
>>>
>>> On Tue, May 26, 2009 at 6:12 PM, Ben Hutchison <be...@ibsglobalweb.com>
>>> wrote:
>>>
>>>>
>>>> Marco Santos wrote:
>>>>
>>>>>
>>>>> In the book "Wicket in Action" there is a chapter (12) that covers
>>>>> Authentication and Authorization. It will be very useful to you, and
>>>>> is
>>>>> very easy to understand and implement.
>>>>>
>>>>>
>>>>
>>>> Well no.. actually.
>>>>
>>>> As I made clear in my question,  I need to do _context-sensitive_
>>>> authorization.
>>>>
>>>> The example (chapter 11, by the way), is a classic non-contextual
>>>> authorization example - there are User and Admin roles that are
>>>> unaffected
>>>> by context.
>>>>
>>>> -Ben
>>>>
>>>> --
>>>>
>>>>
>>>>
>>>> *Ben Hutchison
>>>> Senior Developer
>>>> * Level 2 476 St Kilda Road Melbourne VIC 3004
>>>> T 613 8807 5252 | F 613 8807 5203 | M 0423 879 534 | www.ibsglobalweb.com
>>>> <http://www.ibsglobalweb.com/>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>>
>>
>>
>> *Ben Hutchison
>> Senior Developer
>> * Level 2 476 St Kilda Road Melbourne VIC 3004
>> T 613 8807 5252 | F 613 8807 5203 | M 0423 879 534 | www.ibsglobalweb.com
>> <http://www.ibsglobalweb.com/>
>>
>>
>>
>>
>>
>
>
>



Re: What's the simplest way to do Context-sensitive Authorization in Wicket?

Posted by Igor Vaynberg <ig...@gmail.com>.
if the edit page is not bookmarkable - and edit pages are not unless
you make them so for whatever reason - then there is no way for the
user to build the url unless wicket builds it. so this is hardly
security by obscurity.

securing pages is trivial

class MyStrategy implements IAuthorizationStrategy {
 public <T extends Component> boolean isInstantiationAuthorized(Class<T> componentClass) {
   return true;
 }
 public boolean isActionAuthorized(Component c, Action action) {
   if (action == Component.RENDER) {
     if (c instanceof EditPage) {
       // the edit page renders only for the listing's author
       return ((EditPage) c).getListing().getAuthor().equals(MySession.get().getUser());
     }
   }
   return true;
 }
}

you can see how it would be easy to extend this to a generic
IListingPage { Listing getListing(); }

-igor

On Tue, May 26, 2009 at 8:43 PM, Ben Hutchison <be...@ibsglobalweb.com> wrote:
> Igor,
>
> Your suggestion seems to be based on "security through obscurity", ie hiding
> the Edit link rather than securing the Edit page? Thus, if an unauthorized
> user knows or discovers the URL of the edit page (eg from browser history),
> what stops them from editing another user's listing?
>
> -Ben
>
> Igor Vaynberg wrote:
>>
>> class EditListingLink extends Link<Listing> {
>>  @Override
>>  public boolean isEnabled() {
>>    Listing listing = getModelObject();
>>    // only the listing's author gets a working edit link
>>    return MySession.get().getUser().equals(listing.getAuthor());
>>  }
>> }
>>
>> -igor
>>
>>
>> On Tue, May 26, 2009 at 6:12 PM, Ben Hutchison <be...@ibsglobalweb.com>
>> wrote:
>>
>>>
>>> Marco Santos wrote:
>>>
>>>>
>>>> In the book "Wicket in Action" there is a chapter (12) that covers
>>>> Authentication and Authorization. It will be very useful to you, and
>>>> is
>>>> very easy to understand and implement.
>>>>
>>>>
>>>
>>> Well no.. actually.
>>>
>>> As I made clear in my question,  I need to do _context-sensitive_
>>> authorization.
>>>
>>> The example (chapter 11, by the way), is a classic non-contextual
>>> authorization example - there are User and Admin roles that are
>>> unaffected
>>> by context.
>>>
>>> -Ben
>>>
>>> --
>>>
>>>
>>>
>>> *Ben Hutchison
>>> Senior Developer
>>> * Level 2 476 St Kilda Road Melbourne VIC 3004
>>> T 613 8807 5252 | F 613 8807 5203 | M 0423 879 534 | www.ibsglobalweb.com
>>> <http://www.ibsglobalweb.com/>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
>
>
>
> *Ben Hutchison
> Senior Developer
> * Level 2 476 St Kilda Road Melbourne VIC 3004
> T 613 8807 5252 | F 613 8807 5203 | M 0423 879 534 | www.ibsglobalweb.com
> <http://www.ibsglobalweb.com/>
>
>
>
>
>

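
Both strategies proposed in this thread (Igor's page-level `IListingPage` check and Jeremy's model-level `IUserOwnedEntity` check) fit in one `IAuthorizationStrategy`, and the ownership test can be shared with the link so that the UI and the enforcement never disagree. The following is an added example written for this thread; it is not code from any of the posters or from Wicket itself. It is written against the Wicket 1.4 API the posts use (`IAuthorizationStrategy`, `Component.RENDER`, `getSecuritySettings().setAuthorizationStrategy`), and the `User`, `Listing`, `MySession`, `IListingPage`, `IUserOwnedEntity`, `Ownership`, `EditPage`, `HomePage` and `MyApplication` types are assumptions of the example. Ben's objection is answered structurally: the page's own RENDER authorization is what refuses a non-owner, whatever route the URL took, and an anonymous session is denied rather than dereferenced.

```java
import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.Response;
import org.apache.wicket.Session;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.model.IModel;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebSession;

// Assumed domain contract (Jeremy's IUserOwnedEntity idea): anything with an owning user.
interface IUserOwnedEntity {
    User getOwner();
}

// Assumed domain type; equality by id, so a detached copy still matches the session user.
class User {
    private final long id;
    private final boolean admin;
    User(long id, boolean admin) { this.id = id; this.admin = admin; }
    boolean isAdmin() { return admin; }
    @Override public boolean equals(Object o) { return o instanceof User && ((User) o).id == id; }
    @Override public int hashCode() { return Long.valueOf(id).hashCode(); }
}

// Assumed domain type.
class Listing implements IUserOwnedEntity {
    private final User author;
    Listing(User author) { this.author = author; }
    User getAuthor() { return author; }
    public User getOwner() { return author; }
}

// Igor's generic page contract: a page that is "about" exactly one listing.
interface IListingPage {
    Listing getListing();
}

// Assumed session type; getUser() is null for anonymous visitors.
class MySession extends WebSession {
    private User user;
    MySession(Request request) { super(request); }
    static MySession get() { return (MySession) Session.get(); }
    User getUser() { return user; }
    void setUser(User user) { this.user = user; }
}

// The single ownership predicate used by the link (convenience) and the strategy (enforcement).
final class Ownership {
    private Ownership() {}
    static boolean canEdit(IUserOwnedEntity entity) {
        User user = MySession.get().getUser();
        if (user == null || entity == null) return false; // anonymous, or nothing to own: deny
        return user.isAdmin() || user.equals(entity.getOwner());
    }
}

// Server-side enforcement; Wicket consults it before rendering any component, pages included.
class OwnershipAuthorizationStrategy implements IAuthorizationStrategy {
    public <T extends Component> boolean isInstantiationAuthorized(Class<T> componentClass) {
        return true; // the owner is unknown until the page has its model, so decide at RENDER
    }
    public boolean isActionAuthorized(Component c, Action action) {
        if (action != Component.RENDER || !(c instanceof Page)) {
            return true; // only whole pages are gated; rows of an overview page stay visible
        }
        if (c instanceof IListingPage) {                      // page-level variant (Igor)
            return Ownership.canEdit(((IListingPage) c).getListing());
        }
        Object model = c.getDefaultModelObject();             // model-level variant (Jeremy)
        return !(model instanceof IUserOwnedEntity) || Ownership.canEdit((IUserOwnedEntity) model);
    }
}

// Edit page: whether its URL came from the link or from browser history, RENDER is still checked.
class EditPage extends WebPage implements IListingPage {
    EditPage(IModel<Listing> model) { super(model); }
    public Listing getListing() { return (Listing) getDefaultModelObject(); }
}

// The link hides itself for non-owners; that is a courtesy to the user, not the security boundary.
class EditListingLink extends Link<Listing> {
    EditListingLink(String id, IModel<Listing> model) { super(id, model); }
    @Override public boolean isVisible() { return Ownership.canEdit(getModelObject()); }
    @Override public void onClick() { setResponsePage(new EditPage(getModel())); }
}

class HomePage extends WebPage {} // placeholder home page, assumed

// Wiring: without setAuthorizationStrategy the strategy is never consulted.
class MyApplication extends WebApplication {
    @Override protected void init() {
        super.init();
        getSecuritySettings().setAuthorizationStrategy(new OwnershipAuthorizationStrategy());
    }
    @Override public Session newSession(Request request, Response response) { return new MySession(request); }
    @Override public Class<? extends Page> getHomePage() { return HomePage.class; }
}
```

Gating only `Page` instances is deliberate: a bare model-level check on every component would also hide each row of a page that lists many users' listings, because each row's model is an owned entity. Restricting the check to pages keeps those overviews intact while still refusing the edit page itself to anyone but its author or an admin.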


Re: What's the simplest way to do Context-sensitive Authorization in Wicket?

Posted by Ben Hutchison <be...@ibsglobalweb.com>.
Igor,

Your suggestion seems to be based on "security through obscurity", ie 
hiding the Edit link rather than securing the Edit page? Thus, if an 
unauthorized user knows or discovers the URL of the edit page (eg from 
browser history), what stops them from editing another user's listing?

-Ben

Igor Vaynberg wrote:
> class EditListingLink extends Link<Listing> {
>   @Override
>   public boolean isEnabled() {
>     Listing listing = getModelObject();
>     // only the listing's author gets a working edit link
>     return MySession.get().getUser().equals(listing.getAuthor());
>   }
> }
>
> -igor
>
>
> On Tue, May 26, 2009 at 6:12 PM, Ben Hutchison <be...@ibsglobalweb.com> wrote:
>   
>> Marco Santos wrote:
>>     
>>> In the book "Wicket in Action" there is a chapter (12) that covers
>>> Authentication and Authorization. It will be very useful to you, and
>>> is
>>> very easy to understand and implement.
>>>
>>>       
>> Well no.. actually.
>>
>> As I made clear in my question,  I need to do _context-sensitive_
>> authorization.
>>
>> The example (chapter 11, by the way), is a classic non-contextual
>> authorization example - there are User and Admin roles that are unaffected
>> by context.
>>
>> -Ben
>>
>> --
>>
>>
>>
>> *Ben Hutchison
>> Senior Developer
>> * Level 2 476 St Kilda Road Melbourne VIC 3004
>> T 613 8807 5252 | F 613 8807 5203 | M 0423 879 534 | www.ibsglobalweb.com
>> <http://www.ibsglobalweb.com/>
>>
>>
>>
>>
>>
>>     
>
>
>   


-- 

	

*Ben Hutchison
Senior Developer
* Level 2 476 St Kilda Road Melbourne VIC 3004
T 613 8807 5252 | F 613 8807 5203 | M 0423 879 534 | 
www.ibsglobalweb.com <http://www.ibsglobalweb.com/>


