Posted to dev@isis.apache.org by Kevin Meyer - KMZ <ke...@kmz.co.za> on 2011/07/05 20:27:48 UTC

Wicket Viewer's security: problem with custom authenticator

Hi Dan,

I recall you writing before that you've done something special with 
Wicket - which seems to be causing me some grief. As hinted at 
previously, I've written a SqlAuthenticator, which I specify via 
isis.properties, and which works with the HTML viewer.

isis.authentication=objstore.dflt.saip.authentication.SqlAuthenticationManagerInstaller

But on the Wicket viewer, I get a:

"Access Denied
You do not have access to the page you requested.
Return to home page"

after a successful login.

Any advice?

Regards,
Kevin


PS:
I also notice that the (wicket form?) parser strips leading and trailing 
spaces from the login details - so my passwords that start/end with 
spaces never match.



Re: Wicket Viewer's security: problem with custom authenticator

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Hi Dan,

On 7 Jul 2011 at 8:05, Dan Haywood wrote:

> On 06/07/2011 13:47, Kevin Meyer - KMZ wrote:
> >
> > Any tips on how to logout of Wicket?
> >
> 
> I was about to reply that it wasn't implemented, and offer some tips on 
> how to... but when I got into it there was very little to it, so I 
> implemented it (ISIS-104).
> 
> So, do an "svn up" and when you run your app you should now see a logout 
> link at the bottom.

Thanks! I see it.

I need to do a little more investigation, but I'm finding a quirk with 
logging in - I often need to login twice to actually get into the 
application (using the Wicket viewer)! The first time it just takes me 
back to the login page, with no error or explanation.

Regards,
Kevin





Re: Wicket Viewer's security: problem with custom authenticator

Posted by Dan Haywood <dk...@gmail.com>.
Hi Mark,
The vote is still going so far as I am concerned.

This particular thread related to a feature that wasn't implemented, 
rather than something broken.

On a different thread Rob does seem to have an issue with building the 
site, but I can't reproduce it, we have a workaround, and anyway the 
site is only something that committers would usually build.

Thx
Dan

~~~~~~~~~~

On 07/07/2011 08:38, Mark Struberg wrote:
> Folks, since there are so many discussions about possible errors and so, please allow me to ask if the VOTE is still going on or if it got cancelled?
>
> If it's still alive, then I'll look at it this afternoon.
>
> LieGrue,
> strub
>
> --- On Thu, 7/7/11, Dan Haywood<dk...@gmail.com>  wrote:
>
>> From: Dan Haywood<dk...@gmail.com>
>> Subject: Re: Wicket Viewer's security: problem with custom authenticator
>> To: isis-dev@incubator.apache.org
>> Date: Thursday, July 7, 2011, 7:05 AM
>>
>> On 06/07/2011 13:47, Kevin Meyer - KMZ wrote:
>>> Any tips on how to logout of Wicket?
>>>
>> I was about to reply that it wasn't implemented, and offer
>> some tips on how to... but when I got into it there was very
>> little to it, so I implemented it (ISIS-104).
>>
>> So, do an "svn up" and when you run your app you should now
>> see a logout link at the bottom.
>>
>> Cheers
>> Dan
>>
>>

Re: Wicket Viewer's security: problem with custom authenticator

Posted by Mark Struberg <st...@yahoo.de>.
Folks, since there are so many discussions about possible errors and so, please allow me to ask if the VOTE is still going on or if it got cancelled?

If it's still alive, then I'll look at it this afternoon.

LieGrue,
strub

--- On Thu, 7/7/11, Dan Haywood <dk...@gmail.com> wrote:

> From: Dan Haywood <dk...@gmail.com>
> Subject: Re: Wicket Viewer's security: problem with custom authenticator
> To: isis-dev@incubator.apache.org
> Date: Thursday, July 7, 2011, 7:05 AM
> 
> On 06/07/2011 13:47, Kevin Meyer - KMZ wrote:
> > 
> > Any tips on how to logout of Wicket?
> > 
> 
> I was about to reply that it wasn't implemented, and offer
> some tips on how to... but when I got into it there was very
> little to it, so I implemented it (ISIS-104).
> 
> So, do an "svn up" and when you run your app you should now
> see a logout link at the bottom.
> 
> Cheers
> Dan
> 
> 

Re: Wicket Viewer's security: problem with custom authenticator

Posted by Dan Haywood <dk...@gmail.com>.
On 06/07/2011 13:47, Kevin Meyer - KMZ wrote:
>
> Any tips on how to logout of Wicket?
>

I was about to reply that it wasn't implemented, and offer some tips on 
how to... but when I got into it there was very little to it, so I 
implemented it (ISIS-104).

So, do an "svn up" and when you run your app you should now see a logout 
link at the bottom.

Cheers
Dan


Re: Wicket Viewer's security: problem with custom authenticator

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
On 6 Jul 2011 at 12:12, Dan Haywood wrote:

> There were a few spots you missed, so I've committed the remaining 
> changes (rev 1143343).
> 

Yikes, thanks - I realise I didn't run a full build to catch failing tests first.

Now that we're here, though, I've just discovered that the Wicket 
viewer does not expose a "logout" action - I'm running in deployment 
mode, at the moment (I had to add a sql user profile and installer - just 
an empty shell, at the moment).

Any tips on how to logout of Wicket?

Regards,
Kevin


Re: Wicket Viewer's security: problem with custom authenticator

Posted by Dan Haywood <dk...@gmail.com>.
There were a few spots you missed, so I've committed the remaining 
changes (rev 1143343).



On 06/07/2011 11:46, Kevin Meyer - KMZ wrote:
> Hi Dan,
>
> On 6 Jul 2011 at 9:17, Dan Haywood wrote:
>> Authorization is performed by Wicket.  If you look at
>> org.apache.isis.viewer.wicket.ui.pages.entity.EntityPage you'll see it
>> protected by a role of "org.starobjects.wicket.roles.USER".
> Thanks, that did the trick. I'm just adding that role to the list of roles
> contributed by my domain rules, and now I can login - and the extra
> role doesn't affect the other viewers.
>
> I'll look into where the spaces are being stripped out, later.
>
>> NB: I'll raise a ticket to change that string literal to be
>> "org.apache.isis.viewer.wicket.roles.USER".
> Thanks - I've committed the change.
>
>
> Regards,
> Kevin
>
>
>

Re: Wicket Viewer's security: problem with custom authenticator

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Hi Dan,

On 6 Jul 2011 at 9:17, Dan Haywood wrote:
> Authorization is performed by Wicket.  If you look at 
> org.apache.isis.viewer.wicket.ui.pages.entity.EntityPage you'll see it 
> protected by a role of "org.starobjects.wicket.roles.USER".

Thanks, that did the trick. I'm just adding that role to the list of roles 
contributed by my domain rules, and now I can login - and the extra 
role doesn't affect the other viewers.

I'll look into where the spaces are being stripped out, later.

> NB: I'll raise a ticket to change that string literal to be 
> "org.apache.isis.viewer.wicket.roles.USER".

Thanks - I've committed the change.


Regards,
Kevin



Re: Wicket Viewer's security: problem with custom authenticator

Posted by Dan Haywood <dk...@gmail.com>.
Authorization is performed by Wicket.  If you look at 
org.apache.isis.viewer.wicket.ui.pages.entity.EntityPage you'll see it 
protected by a role of "org.starobjects.wicket.roles.USER".

Therefore your 
org.apache.isis.core.commons.authentication.AuthenticationSession 
returned by your authenticator must return a session with a role whose 
string is that above (via #getRoles()).

NB: I'll raise a ticket to change that string literal to be 
"org.apache.isis.viewer.wicket.roles.USER".

Dan

On 05/07/2011 19:27, Kevin Meyer - KMZ wrote:
> Hi Dan,
>
> I recall you writing before that you've done something special with
> Wicket - which seems to be causing me some grief. As hinted at
> previously, I've written a SqlAuthenticator, which I specify via
> isis.properties, and which works with the HTML viewer.
>
> isis.authentication=objstore.dflt.saip.authentication.SqlAuthenticationManagerInstaller
>
> But on the Wicket viewer, I get a:
>
> "Access Denied
> You do not have access to the page you requested.
> Return to home page"
>
> after a successful login.
>
> Any advice?
>
> Regards,
> Kevin
>
>
> PS:
> I also notice that the (wicket form?) parser strips leading and trailing
> spaces from the login details - so my passwords that start/end with
> spaces never match.
>
>
>
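
Added example, not part of the original thread and not Isis or Wicket code: a standalone model of the check Dan describes, where login succeeds but the page is refused because the session lacks the role the viewer requires. It also shows that a session carrying only the old role literal is refused again once the literal is renamed. Session, Page and missingRoles are hypothetical names, the sessions are constructed sample data, and Java 16 or later is assumed.

```java
import java.util.List;
import java.util.Set;

// Standalone model of the check described in the thread; not Isis or Wicket code.
// Session, Page and missingRoles are hypothetical names used only for illustration.
public class ViewerRoleCheck {

    // The two role literals quoted in the thread: the one guarding EntityPage,
    // and the one it was to be renamed to.
    static final String OLD_ROLE = "org.starobjects.wicket.roles.USER";
    static final String NEW_ROLE = "org.apache.isis.viewer.wicket.roles.USER";

    // What the authenticator hands back after a successful login.
    record Session(String user, Set<String> roles) {}

    // A page together with the roles the viewer requires to open it.
    record Page(String name, Set<String> requiredRoles) {}

    // Authorization is a second decision, taken per page after authentication.
    // Returns the required roles the session lacks; empty means access is granted.
    static List<String> missingRoles(Session session, Page page) {
        return page.requiredRoles().stream()
                .filter(role -> !session.roles().contains(role))
                .sorted()
                .toList();
    }

    public static void main(String[] args) {
        Page before = new Page("EntityPage (old literal)", Set.of(OLD_ROLE));
        Page after = new Page("EntityPage (renamed literal)", Set.of(NEW_ROLE));

        // Constructed sessions: domain roles only, then with the viewer role(s) added.
        Session domainOnly = new Session("kevin", Set.of("DOMAIN_USER"));
        Session withOld = new Session("kevin", Set.of("DOMAIN_USER", OLD_ROLE));
        Session withBoth = new Session("kevin", Set.of("DOMAIN_USER", OLD_ROLE, NEW_ROLE));

        for (Session s : List.of(domainOnly, withOld, withBoth)) {
            for (Page p : List.of(before, after)) {
                List<String> missing = missingRoles(s, p);
                System.out.printf("%-28s roles=%d -> %s%n", p.name(), s.roles().size(),
                        missing.isEmpty() ? "allowed" : "Access Denied, missing " + missing);
            }
        }
    }
}
```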