Posted to users@wicket.apache.org by hrbaer <he...@gmail.com> on 2011/03/29 18:37:10 UTC

flexible authentication

Hi all,

my web application is using the wicket authentication approach
(AuthenticatedWebSession) and all my "secure" java files are marked with
"@AuthorizeInstantiation("ADMIN")"
So once I added this annotation there is no chance to bypass the
authentication.

But what if there is the need to be flexible? What if for some users the
page A should be secure and for others not?

Let's assume there is a page with e.g. contact information and a user can
decide for himself if the page should be accessible with or without
authentication. How can I achieve that without using the wicket approach? At
the moment I don't think that the wicket approach is the right one?!

Thanks in advance.

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/flexible-authentication-tp3415413p3415413.html
Sent from the Users forum mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: flexible authentication

Posted by Daniel Neugebauer <ma...@energiequant.de>.
Hi!

We have the same situation in one of our web applications (profile pages 
may be hidden for everyone except the profile owner). Since I wasn't 
able to find a clean way to check such conditions from our page 
authorization strategy, I added that to the checks I already had in the 
page constructor method (other checks are to catch invalid indices 
etc.). If the validation fails I redirect the user to a friendly-written 
error page and call return to stop the method afterwards.

Maybe it's possible to get the page parameters by accessing the request 
cycle directly from an authorization strategy?

However, if there are more situations like that I would expect the 
authorization strategy to become big and cluttered very fast, so I don't 
think such checks should go there but instead be performed by the page 
class they are meant for. If the same checks are performed in different 
classes, they could go into a (static) method, maybe in a super class.

If there's (yet) another good place to put such checks in, I would be 
interested in it as well. :)

Bye,
Daniel

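Daniel's approach (doing the check in the page constructor, with the shared rule in a static method) looks like this as an added example; it is not code from the thread or from Wicket. It assumes the Wicket 1.4 API plus hypothetical application classes: MySession (an AuthenticatedWebSession subclass with getUserName()), MyApplication.get().profiles() (a lookup backed by the database), SignInPage and AccessDeniedPage. It throws Wicket's RestartResponseException instead of setting a response page and returning, so the constructor stops before any component that holds the private data is created.

```java
import org.apache.wicket.PageParameters;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;

/**
 * Added example, not code from the thread. Assumes the Wicket 1.4 API plus
 * these hypothetical application classes: MySession (an AuthenticatedWebSession
 * subclass exposing getUserName()), MyApplication.get().profiles() (a lookup
 * backed by the database), SignInPage and AccessDeniedPage.
 */
public class ProfilePage extends WebPage {

    /** What the profile owner chose; stored with the profile in the database. */
    public enum Visibility { PUBLIC, SIGNED_IN_ONLY, OWNER_ONLY }

    /** Hypothetical profile record. */
    public interface Profile {
        String getOwner();
        Visibility getVisibility();
        String getContactInfo();
    }

    /** Hypothetical repository; findByOwner() returns null for unknown names. */
    public interface ProfileRepository {
        Profile findByOwner(String owner);
    }

    /** Bookmarkable constructor, e.g. /profile?user=alice */
    public ProfilePage(PageParameters params) {
        String owner = params.getString("user");
        Profile profile = owner == null ? null
                : MyApplication.get().profiles().findByOwner(owner);
        if (profile == null) {
            // Unknown user: same response as "not allowed", so probing URLs
            // does not reveal which account names exist.
            throw new RestartResponseException(AccessDeniedPage.class);
        }
        checkVisible(profile);   // throws unless the caller may see this profile
        add(new Label("contact", profile.getContactInfo()));
    }

    /**
     * Enforces the owner's setting. Throwing (instead of setResponsePage()
     * followed by return) aborts the constructor, so no component holding the
     * private data is built for this request. Static so other pages that show
     * parts of a profile can reuse exactly the same rule.
     */
    static void checkVisible(Profile profile) {
        AuthenticatedWebSession session = AuthenticatedWebSession.get();
        boolean signedIn = session.isSignedIn();
        String viewer = signedIn ? ((MySession) session).getUserName() : null;

        switch (profile.getVisibility()) {
            case PUBLIC:
                return;
            case SIGNED_IN_ONLY:
                if (signedIn) {
                    return;
                }
                break;
            case OWNER_ONLY:
                if (signedIn && profile.getOwner().equals(viewer)) {
                    return;
                }
                break;
        }
        if (!signedIn) {
            // Anonymous caller: go to the sign-in page, then come back here.
            throw new RestartResponseAtInterceptPageException(SignInPage.class);
        }
        // Signed in, but not the owner.
        throw new RestartResponseException(AccessDeniedPage.class);
    }
}
```

The lookup and the visibility check run before add() is called for anything, and an unknown user gets the same page as a forbidden one; both details matter more for a privacy feature than for the "invalid index" checks Daniel mentions, because the URL itself is an enumeration oracle otherwise.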


Re: flexible authentication

Posted by Bertrand Guay-Paquet <be...@step.polymtl.ca>.
If I understand correctly, Marc wants to build a contact details page 
which can either be public (unprotected), private or semi-private (think 
Facebook privacy settings) based on a user preference, most likely 
stored in a database.

I am also trying to implement a similar mechanism and I am having 
trouble finding how to achieve this with the IAuthorizationStrategy. A 
pre-condition to achieving such an authorization check is to have access 
to the Page constructor parameters (PageParameters or otherwise). 
Without them, I can't see how it is possible to retrieve the privacy 
settings of a user's detail page.

IAuthorizationStrategy#isInstantiationAuthorized(Class<T> 
componentClass) is called in the constructor of Component. At that time, 
Page#getPageParameters() cannot be used because its constructor has not 
been executed. Is there another way to access the PageParameters for the 
current Page instantiation? What about if the page is created with 
another constructor which receives model objects?

Marc, if you find an appropriate way to deal with this, could you please 
provide some hints? Also, please correct me if I misunderstood your purpose.

Regards,
Bertrand

On 29/03/2011 5:27 PM, MZemeck@osc.state.ny.us wrote:
> I think you could do it by using a "base role" that all users receive,
> then add additional roles to tighten it down.  You would then need to fake
> authentication of the "base" users by calling session.authenticate("user",
> "pass") and assigning the "BASE" role, even though the user won't
> explicitly log in.  Users who do log in will receive the correct role such
> as "ADMIN".
>
> Some users secure (ADMIN), some users wide-open (BASE)
> @AuthorizeInstantiation({"ADMIN", "BASE"})
>
> All users secure
> @AuthorizeInstantiation("ADMIN")
>
> You might also consider subclassing the page and marking that with the
> annotation, then handle the response to the secured or unsecured version
> by checking if the user is signed in.  I'm not sure where you are going
> with this because I'm not sure why you have the requirement of being
> secure for some users but not secure for others.
>
>
>
>
> From:   hrbaer<he...@gmail.com>
> To:     users@wicket.apache.org
> Date:   03/29/2011 12:37 PM
> Subject:        flexible authentication
>
>
>
> Hi all,
>
> my web application is using the wicket authentication approach
> (AuthenticatedWebSession) and all my "secure" java files are marked with
> "@AuthorizeInstantiation("ADMIN")"
> So once I added this annotation there is no chance to bypass the
> authentication.
>
> But what if there is the need to be flexible? What if for some users the
> page A should be secure and for others not?
>
> Let's assume there is a page with e.g. contact information and a user can
> decide for himself if the page should be accessible with or without
> authentication. How can I achieve that without using the wicket approach? At
> the moment I don't think that the wicket approach is the right one?!
>
> Thanks in advance.
>
> Notice: This communication, including any attachments, is intended solely
> for the use of the individual or entity to which it is addressed. This
> communication may contain information that is protected from disclosure
> under State and/or Federal law. Please notify the sender immediately if
> you have received this communication in error and delete this email from
> your system. If you are not the intended recipient, you are requested not
> to disclose, copy, distribute or take any action in reliance on the
> contents of this information.



Re: flexible authentication

Posted by hrbaer <he...@gmail.com>.
Thanks for all the good hints ... let me check the links/advices.
Hopefully there is no need to ask any further questions :)

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/flexible-authentication-tp3415413p3416489.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: flexible authentication

Posted by MZ...@osc.state.ny.us.
I think you could do it by using a "base role" that all users receive, 
then add additional roles to tighten it down.  You would then need to fake 
authentication of the "base" users by calling session.authenticate("user", 
"pass") and assigning the "BASE" role, even though the user won't 
explicitly log in.  Users who do log in will receive the correct role such 
as "ADMIN".

Some users secure (ADMIN), some users wide-open (BASE)
@AuthorizeInstantiation({"ADMIN", "BASE"})

All users secure
@AuthorizeInstantiation("ADMIN")

You might also consider subclassing the page and marking that with the 
annotation, then handle the response to the secured or unsecured version 
by checking if the user is signed in.  I'm not sure where you are going 
with this because I'm not sure why you have the requirement of being 
secure for some users but not secure for others.




From:   hrbaer <he...@gmail.com>
To:     users@wicket.apache.org
Date:   03/29/2011 12:37 PM
Subject:        flexible authentication



Hi all,

my web application is using the wicket authentication approach
(AuthenticatedWebSession) and all my "secure" java files are marked with
"@AuthorizeInstantiation("ADMIN")"
So once I added this annotation there is no chance to bypass the
authentication.

But what if there is the need to be flexible? What if for some users the
page A should be secure and for others not?

Let's assume there is a page with e.g. contact information and a user can
decide for himself if the page should be accessible with or without
authentication. How can I achieve that without using the wicket approach? At
the moment I don't think that the wicket approach is the right one?!

Thanks in advance.


Re: flexible authentication

Posted by Hans Lesmeister <ha...@lessy-software.de>.
Take a look at IAuthorizationStrategy and its implementations. It is
extremely easy to create your own implementation and make it more dynamic.
The existing implementations can be used as starting point.

Cheers
Hans



Am 29.03.11 17:51 schrieb "hrbaer" unter <he...@gmail.com>:

> It's not about bashing the framework.
> 
> Because I'm still a beginner I just want to make sure that this approach is
> not working for me. It seems like the "demo" implementation just allows two
> options:
> - need authentication
> - don't need authentication
> but there is no option to make it more flexible.
> 
> What I'm interested in is if there is any chance to use "out of the box"
> functionality of wicket to solve this issue.
> 
> Thanks in advance.
> 



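Bertrand's question above (how a strategy that only receives the page class can know whose profile is being opened) and Hans's suggestion to write your own IAuthorizationStrategy fit together in the following added example. It is not code from the thread or from Wicket itself; it assumes the Wicket 1.4 API, a hypothetical PrivacyService that answers whether a viewer may see an owner's profile, a hypothetical MySession subclass of AuthenticatedWebSession with getUserName(), and page classes carrying the OwnerPrivacy marker annotation defined here. The strategy reads the owner from the current request's URL parameter through RequestCycle, which covers bookmarkable URLs but, as Bertrand points out, not pages constructed internally from a model object; those still need the check in their constructor.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.authorization.strategies.CompoundAuthorizationStrategy;
import org.apache.wicket.protocol.http.WebApplication;

/**
 * Added example, not code from the thread. Assumes the Wicket 1.4 API, a
 * hypothetical PrivacyService and a hypothetical MySession (an
 * AuthenticatedWebSession subclass exposing getUserName()).
 */
public final class OwnerPrivacyStrategy implements IAuthorizationStrategy {

    /** Marks pages whose access depends on a per-user privacy setting. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface OwnerPrivacy {
        /** Name of the URL parameter that carries the profile owner. */
        String ownerParameter() default "user";
    }

    /** Hypothetical lookup of what the owner chose to expose. */
    public interface PrivacyService {
        /** true if viewer (null when anonymous) may see owner's page. */
        boolean mayView(String owner, String viewer);
    }

    private final PrivacyService privacy;

    public OwnerPrivacyStrategy(PrivacyService privacy) {
        this.privacy = privacy;
    }

    public <T extends Component> boolean isInstantiationAuthorized(Class<T> componentClass) {
        OwnerPrivacy rule = componentClass.getAnnotation(OwnerPrivacy.class);
        if (rule == null || !Page.class.isAssignableFrom(componentClass)) {
            return true;   // not our concern; other strategies in the chain decide
        }
        // Only the class is passed in, so the owner has to come from the request.
        // This works for bookmarkable URLs (?user=alice). A page created in Java
        // code from a model object never carries that parameter and therefore
        // has to protect itself in its constructor.
        String owner = RequestCycle.get().getRequest().getParameter(rule.ownerParameter());
        if (owner == null) {
            return false;  // fail closed: no owner in the URL, no page
        }
        AuthenticatedWebSession session = AuthenticatedWebSession.get();
        String viewer = session.isSignedIn() ? ((MySession) session).getUserName() : null;
        return privacy.mayView(owner, viewer);
    }

    public boolean isActionAuthorized(Component component, Action action) {
        return true;       // render/enable decisions are left to other strategies
    }

    /** Call from WebApplication#init() after the role strategy is in place. */
    public static void install(WebApplication app, PrivacyService privacy) {
        CompoundAuthorizationStrategy compound = new CompoundAuthorizationStrategy();
        // Keep whatever is already installed (e.g. the role strategy behind
        // @AuthorizeInstantiation); every strategy in the chain must say yes.
        compound.add(app.getSecuritySettings().getAuthorizationStrategy());
        compound.add(new OwnerPrivacyStrategy(privacy));
        app.getSecuritySettings().setAuthorizationStrategy(compound);
    }
}
```

A false return ends up in the application's IUnauthorizedComponentInstantiationListener; with AuthenticatedWebApplication the default listener sends anonymous users to the sign-in page and raises UnauthorizedInstantiationException for everyone else, so the "who is asking" half of the decision is already handled there and the strategy only has to answer the "whose page" half.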


Re: flexible authentication

Posted by hrbaer <he...@gmail.com>.
It's not about bashing the framework.

Because I'm still a beginner I just want to make sure that this approach is
not working for me. It seems like the "demo" implementation just allows two
options:
- need authentication
- don't need authentication
but there is no option to make it more flexible.

What I'm interested in is if there is any chance to use "out of the box"
functionality of wicket to solve this issue.

Thanks in advance.

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/flexible-authentication-tp3415413p3415452.html
Sent from the Users forum mailing list archive at Nabble.com.



Re: flexible authentication

Posted by Igor Vaynberg <ig...@gmail.com>.
the "wicket approach" is 2 or 3 classes that implement the
infrastructure. They use well-defined public interfaces to implement
it. If it doesn't work for you, then simply roll your own
implementation.

-igor


On Tue, Mar 29, 2011 at 9:37 AM, hrbaer <he...@gmail.com> wrote:
> Hi all,
>
> my web application is using the wicket authentication approach
> (AuthenticatedWebSession) and all my "secure" java files are marked with
> "@AuthorizeInstantiation("ADMIN")"
> So once I added this annotation there is no chance to bypass the
> authentication.
>
> But what if there is the need to be flexible? What if for some users the
> page A should be secure and for others not?
>
> Let's assume there is a page with e.g. contact information and a user can
> decide for himself if the page should be accessible with or without
> authentication. How can I achieve that without using the wicket approach? At
> the moment I don't think that the wicket approach is the right one?!
>
> Thanks in advance.
>
