Posted to users@wicket.apache.org by Tom Norton <to...@gmail.com> on 2014/03/28 20:37:30 UTC

Does wicket have parameter-based security?

Let's say I have a page called: /order-details/${orderId}.

Let's also say I want to ensure that some customer named Bob can only see
the order-details pages for the orders he placed, but not any of the
order-details pages for orders that John placed.

I already know wicket has role-based security.  Does wicket also have some
form of parameter-based security?  Am I barking up the wrong tree?  Should
this security check be inside a hibernate on-load event listener instead?

Thanks,
Tom

Re: Does wicket have parameter-based security?

Posted by armandoxxx <ar...@dropchop.com>.
hey 

we use Apache SHIRO project for all security on wicket applications ... 
apache shiro has targets (part of permission) to resolve this kind of
issues. 

you can also write custom shiro filter to let wicket know if problems with
authorization occurred .. or let shiro handle it in his own way ;)

Regards

Armando



--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Does-wicket-have-parameter-based-security-tp4665174p4665208.html
Sent from the Users forum mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Does wicket have parameter-based security?

Posted by Stefan Renz <s....@efonds.com>.
Hi,

Tom Norton wrote:
> Let's say I have a page called: /order-details/${orderId}.
> 
> Let's also say I want to ensure that some customer named Bob can only see
> the order-details pages for the orders he placed, but not any of the
> order-details pages for orders that John placed.
> 
> I already know wicket has role-based security.  Does wicket also have some
> form of parameter-based security?  Am I barking up the wrong tree?  Should
> this security check be inside a hibernate on-load event listener instead?

I'm not aware of a built-in mechanism. After all, wicket couldn't know
about the meaning of a parameter...

We check access in the page constructor, either explicitly there (call a
DAO, or call a Service), or by using a behavior that does the check if
the check needs to be elsewhere. If violated, we throw an
AuthorizationException.

But I'd be interested in how you would pass the query parameter value to
a Hibernate event listener. Aren't they registered rather statically
with the SessionFactory?

> 
> Thanks,
> Tom
> 

Hope this helps, bye
    Stefan
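
An added example (not code from any poster in this thread) of the constructor-time ownership check described in the reply above, for a page mounted as /order-details/${orderId}. It assumes Wicket 6 or later; Order, OrderService, CurrentUser and ShopServices are hypothetical application types, and UnauthorizedInstantiationException is used as a concrete subclass of Wicket's AuthorizationException.

```java
import org.apache.wicket.authorization.UnauthorizedInstantiationException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.request.mapper.parameter.PageParameters;

public class OrderDetailsPage extends WebPage {

    // Hypothetical application types (assumptions, not part of Wicket).
    public interface Order { long getId(); String getCustomerId(); }
    public interface OrderService { Order findById(long orderId); }   // null if absent
    public interface CurrentUser { String getCustomerId(); }          // null if anonymous
    // Assumed to be implemented by the application's WebApplication subclass.
    public interface ShopServices {
        OrderService getOrderService();
        CurrentUser getCurrentUser();
    }

    public OrderDetailsPage(PageParameters parameters) {
        super(parameters);
        ShopServices services = (ShopServices) getApplication();

        // The id comes from the URL, so treat it as untrusted input.
        // toLong(default) yields the default for a missing or non-numeric value.
        long orderId = parameters.get("orderId").toLong(-1L);
        Order order = orderId > 0 ? services.getOrderService().findById(orderId) : null;

        // The caller's identity comes from the server-side session,
        // never from a request parameter.
        String caller = services.getCurrentUser().getCustomerId();

        // Deny by default. A missing order and another customer's order get the
        // same outcome, so the response does not reveal which order ids exist.
        if (order == null || caller == null || !caller.equals(order.getCustomerId())) {
            throw new UnauthorizedInstantiationException(OrderDetailsPage.class);
        }

        // Only reached for the owner; the page markup needs wicket:id="orderId".
        add(new Label("orderId", String.valueOf(order.getId())));
    }
}
```

The same check has to run again in any form or link handler on the page that takes an order id from the request, since the constructor only guards the initial render.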





Re: Does wicket have parameter-based security?

Posted by Ernesto Reinaldo Barreiro <re...@gmail.com>.
Hi Tom,

I do not see any reason preventing you from delivering a custom
IAuthorizationStrategy that does what you want.


On Fri, Mar 28, 2014 at 8:37 PM, Tom Norton <
tomwnorton.mailing.lists@gmail.com> wrote:

> Let's say I have a page called: /order-details/${orderId}.
>
> Let's also say I want to ensure that some customer named Bob can only see
> the order-details pages for the orders he placed, but not any of the
> order-details pages for orders that John placed.
>
> I already know wicket has role-based security.  Does wicket also have some
> form of parameter-based security?  Am I barking up the wrong tree?  Should
> this security check be inside a hibernate on-load event listener instead?
>
> Thanks,
> Tom
>



-- 
Regards - Ernesto Reinaldo Barreiro