Versions Compared

Old Version 13

changes.mady.by.user Unknown User (lvonk)

Saved on

compared with

New Version 14

changes.mady.by.user Unknown User (jvanerp)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Changed the Spring configuration as the one Lars provided leaked the SecurityContext on the thread in the container.

...

Code Block
xml
xml
titleweb.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
	version="2.4">


	<filter>
		<filter-name>spring.securityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
		<init-param>
			<param-name>targetBeanName</param-name>
			<param-value>springSecurityFilterChain</param-value>
		</init-param>
	</filter>

	<filter>
		<filter-name>wicket.filter</filter-name>
		<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>spring.securityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<filter-mapping>
		<filter-name>wicket.filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
</web-app>

...

Code Block
xml
xml
titlespring-context.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

	<bean id="myApplication" class="com.foo.bar.MyApplication" />

	<security:http auto-config="false">
		<security:intercept-url pattern="/login*" filters="none" />
		<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
		<security:form-login login-page="/login" />
	</security:http>        <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=httpSessionContextIntegrationFilter
                </value>
            </property>
        </bean>

        <bean id="httpSessionContextIntegrationFilter"
              class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
            <property name="allowSessionCreation" value="false"/>
        </bean>

	<security:authentication-provider>
		<security:user-service>
			<security:user password="admin" name="admin" authorities="ROLE_ADMIN" />
		</security:user-service>
	</security:authentication-provider>

</beans>

The above example uses the spring security namespace. For those who were familiar with the Acegi way one might notice the huge improvement of XML setup. The above example states that all URLs, except the /login* are only accessible for users with the role ROLE_ADMINonly filter we need defined from Acegi is the HttpSessionContextIntegrationFilter. This filter will ensure that the SecurityContext is transported to and from the HttpSession onto the Thread context. All authorization is delegated to the wicket-auth-roles module which uses Annotations (@AuthorizeInstantiation).
Using the authentication-provider XML element we register an AuthenticationManager in the Spring context. In this case we use a simple in-memory user service using the user-service element.

...