
...

Code Block
xml
xml
titleweb.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
	version="2.4">

        <!-- Only needed to secure resources...
	<filter>
		<filter-name>spring.securityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
		<init-param>
			<param-name>targetBeanName</param-name>
			<param-value>filterChainProxy</param-value>
		</init-param>
	</filter>
        -->

	<filter>
		<filter-name>wicket.filter</filter-name>
		<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
	</filter>
        
        <!--
	<filter-mapping>
		<filter-name>spring.securityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
        -->

	<filter-mapping>
		<filter-name>wicket.filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
</web-app>
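Review bot: With `spring.securityFilterChain` and its `/*` mapping commented out (L19–L28, L35–L40), only `wicket.filter` runs, so the `filterChainProxy` bean that spring-context.xml declares for that filter name and the `HttpSessionContextIntegrationFilter` it lists are never in the request path; as far as this page shows, the `SecurityContext` that `MyAuthenticatedWebSession.authenticate` stores in `SecurityContextHolder` is then neither saved to the `HttpSession` nor cleared when the request ends. The explanatory comment at L19 is also cut off at `Only needed to secure resources...`, which leaves it unclear whether running without the chain is intended. I would complete it, e.g. `<!-- spring.securityFilterChain is disabled on purpose: authorization is done by wicket-auth-roles annotations; enable this filter and its mapping below if Spring Security must also protect static resources or persist the SecurityContext across requests -->`, or remove the unused `filterChainProxy` bean so the two files agree.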

Adding the spring.securityFilterChain is only necessary if you also want to secure static resources.Spring security version 3 and wicket 1.4

Code Block
title
xml
xmlspring-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans
<web-app xmlns="http://wwwjava.springframeworksun.orgcom/xml/schemans/beansj2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://wwwjava.springframeworksun.orgcom/xml/schemans/beansj2ee http://wwwjava.springframeworksun.orgcom/xml/schemans/beansj2ee/springweb-beans-app_2_4.xsd"
	version="2.4">

	<display-name>example</display-name>


	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>/WEB-INF/applicationContext-security.xml</param-value>
	</context-param>

	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<filter>
		<filter-name>wicket.example</filter-name>
		<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
		<init-param>
			<param-name>applicationClassName</param-name>
			<param-value>org.wicket.example.WicketApplication
			</param-value>
		</init-param>
	</filter>


	<filter-mapping>
		<filter-name>wicket.example</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

</web-app>
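Review bot: The `wicket.example` filter uses `applicationClassName` (L77–L78), which as far as I know makes `WicketFilter` instantiate `org.wicket.example.WicketApplication` reflectively, while the application classes later on this page (`MyWebApplication` at L273, `MyWebApplicationSpring3` at L319) implement `ApplicationContextAware` and hand the injected `context` to `SpringComponentInjector`; unless Spring creates the application, `setApplicationContext` never runs and that `context` is null when `init()` uses it. If the application is meant to be the `myApplication` bean declared in spring-context.xml (L103), the init-param would be `<param-name>applicationFactoryClassName</param-name>` with `<param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>`, and the `contextConfigLocation` at L66 should then name the file that actually holds the bean (the block title says spring-context.xml, the value says applicationContext-security.xml). I cannot tell from this comparison which version of web.xml is current, and L56–L59 show an old `<web-app>` start tag merged with a `<beans>` one, so the header of this section cannot be reconstructed from the page.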

Adding the spring.securityFilterChain is only necessary if you also want to secure static resources.

Code Block
xml
xml
titlespring-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd.5.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

	<bean id="myApplication" class="com.foo.bar.MyApplication" />

        <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

	<bean id="myApplication" class="com.foo.bar.MyApplication" />

        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
  <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
                  PATTERN_TYPE_APACHE_ANT<property name="filterInvocationDefinitionSource">
                <value>
    /**=httpSessionContextIntegrationFilter
                <CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=httpSessionContextIntegrationFilter
                </value>
            </property>
        </bean>

        <bean id="httpSessionContextIntegrationFilter"
              class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
            <property name="allowSessionCreation" value="false"/>
        </bean>

	<security:authentication-provider>
		<security:user-service>
			<security:user password="admin" name="admin" authorities="ROLE_ADMIN" />
		</security:user-service>
	</security:authentication-provider>

</beans>
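Review bot: `<security:user password="admin" name="admin" authorities="ROLE_ADMIN" />` at L131 ships a guessable administrator credential in plaintext inside a file that will be copied into real deployments, and nothing in this block marks it as a sample. I would add `<!-- sample credentials only: replace the in-memory user-service with a real UserDetailsService and store hashed passwords before deployment -->` above `<security:user-service>`; the `admin`/`admin` and `user`/`user` entries at L168–L171 of applicationContext-security.xml have the same issue, which its `TODO` at L166 only partly acknowledges, and a `<security:password-encoder>` under that provider would at least keep clear text out of the file. L108–L119 repeat the `filterChainProxy` bean with two versions of its `<value>` text interleaved and L100 reads `spring-beans-2.5.xsd.5.xsd`, so that part of the section cannot be reconstructed from this page.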

The only filter we need defined from Acegi is the HttpSessionContextIntegrationFilter. This filter will ensure that the SecurityContext is transported to and from the HttpSession onto the Thread context. All authorization is delegated to the wicket-auth-roles module which uses Annotations (@AuthorizeInstantiation).
Using the authentication-provider XML element we register an AuthenticationManager in the Spring context. In this case we use a simple in-memory user service using the user-service element.

Wicket setup

WebSession

Spring 3 context

Code Block
xml
xml
1applicationContext-security.xml

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
	http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

	
	<security:http create-session="never" auto-config="true" >
		<security:remember-me/>
		<security:intercept-url pattern="/**"/>
	</security:http>


	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider>

			<!--  TODO change this to reference our real user service -->
			<security:user-service>
				<security:user name="admin" password="admin"
					authorities="ROLE_ADMIN, ROLE_USER" />
				<security:user name="user" password="user"
					authorities="ROLE_USER" />

			</security:user-service>
		</security:authentication-provider>

	</security:authentication-manager>

	<security:global-method-security secured-annotations="enabled" />
</beans>
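Review bot: `<security:intercept-url pattern="/**"/>` at L159 has no `access` attribute, so as written it does not appear to impose any constraint on the URL space; if URL-level access is deliberately left open because authorization happens only through wicket-auth-roles annotations and `global-method-security` (L178), say so next to it, e.g. `<!-- no access constraint on purpose: authorization is enforced by @AuthorizeInstantiation and @Secured, not by URL -->`, otherwise a reader will assume the whole site is protected by this line. `<security:remember-me/>` at L158 sets no `key`, so the remember-me cookie is signed with whatever default the namespace parser supplies rather than a per-deployment secret; `<security:remember-me key="[deployment-specific secret]"/>` makes that explicit and different per installation.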

The only filter we need defined from Acegi is the HttpSessionContextIntegrationFilter. This filter will ensure that the SecurityContext is transported to and from the HttpSession onto the Thread context. All authorization is delegated to the wicket-auth-roles module which uses Annotations (@AuthorizeInstantiation).
Using the authentication-provider XML element we register an AuthenticationManager in the Spring context. In this case we use a simple in-memory user service using the user-service element.

Wicket setup

WebSession

Code Block
tileMyAuthenticatedWebSession

public class MyAuthenticatedWebSession extends AuthenticatedWebSession {
    
    private static final Logger logger = Logger.getLogger(MyAuthenticatedWebSession.class);

    @SpringBean
    private AuthenticationManager authenticationManager;

    public MyAuthenticatedWebSession(Request request) {
        super(request);
        injectDependencies();
        ensureDependenciesNotNull();
    }

    private void ensureDependenciesNotNull() {
        if (authenticationManager == null) {
            throw new IllegalStateException("AdminSession requires an authenticationManager.");
        }
    }

    private void injectDependencies() {
        InjectorHolder.getInjector().inject(this);
    }

    @Override
    public boolean authenticate(String username, String password) {
        boolean authenticated = false;
        try {
            Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            SecurityContextHolder.getContext().setAuthentication(authentication);
            authenticated = authentication.isAuthenticated();
        } catch (AuthenticationException e) {
            logger.warn(format("User '%s' failed to login. Reason: %s", username, e.getMessage()));
            authenticated = false
Code Block
tileMyAuthenticatedWebSession

public class MyAuthenticatedWebSession extends AuthenticatedWebSession {
    
    private static final Logger logger = Logger.getLogger(MyAuthenticatedWebSession.class);

    @SpringBean
    private AuthenticationManager authenticationManager;

    public MyAuthenticatedWebSession(Request request) {
        super(request);
        injectDependencies();}
        ensureDependenciesNotNull()return authenticated;
    }

    private void ensureDependenciesNotNull() {@Override
    public Roles   if (authenticationManager == nullgetRoles() {
        Roles roles   throw= new IllegalStateException("AdminSession requires an authenticationManager."Roles();
        }
    }

    private void injectDependencies() {
getRolesIfSignedIn(roles);
         InjectorHolder.getInjector().inject(this)return roles;
    }

    @Override
    publicprivate booleanvoid authenticategetRolesIfSignedIn(String username, String passwordRoles roles) {
        if boolean authenticated = false;
(isSignedIn()) {
          try {
 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationTokenaddRolesFromAuthentication(usernameroles, password)authentication);
        }
    }

    private void SecurityContextHolder.getContext().setAuthentication(authentication);addRolesFromAuthentication(Roles roles, Authentication authentication) {
        for (GrantedAuthority authority  authenticated: = authentication.isAuthenticatedgetAuthorities();
) {
            } catch (AuthenticationException e) {roles.add(authority.getAuthority());
        }
    logger.warn(format("User '%s' failed to login. Reason: %s", username, e.getMessage()));}

}
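Review bot: In `authenticate` (L215–L223) the failure path sets `authenticated = false` but leaves `SecurityContextHolder` untouched, so any `Authentication` already bound to the thread — possibly from an earlier request served on the same pooled thread, since the web.xml on this page has the Spring Security filter chain commented out and nothing shown clears the holder — survives the failed login, and `getRoles()` (L256) reads exactly that holder. On success the thread-local set at L219 is likewise the only copy shown, so role checks on later requests depend on something persisting it to the session and clearing it afterwards. I would add `SecurityContextHolder.clearContext();` beside `authenticated = false` in the catch block, and the page should say which filter is expected to bind the context to the session. The first copy of `authenticate` is cut at L223 and the remainder of this section (L224–L268) shows two versions of the class interleaved line by line, so the `getRoles`/`addRolesFromAuthentication` side cannot be reconstructed from the page and I reviewed only the readable first copy.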

Code Block
titleMyWebApplication.java

public class MyWebApplication extends AuthenticatedWebApplication implements ApplicationContextAware {
    private ApplicationContext context;

    boolean  authenticatedisInitialized = false;

    @Override
    }
protected void init() {
     return authenticated;
  if (!isInitialized) }{

      @Override
    public Roles getRolessuper.init() {;
        Roles roles = new RolessetListeners();
             getRolesIfSignedIn(roles)isInitialized = true;
        return roles;}
    }

    private void getRolesIfSignedInsetListeners(Roles roles) {
        ifaddComponentInstantiationListener(new (isSignedIn(SpringComponentInjector(this, context)) {;
    }

    @Override
    public Class<?> getHomePage() {
      Authentication authentication =return SecurityContextHolder.getContext().getAuthentication()HomePage.class;
    }

    public void setApplicationContext(ApplicationContext  addRolesFromAuthentication(roles, authentication);context) throws BeansException {
        }this.context = context;
    }

    private void addRolesFromAuthentication(Roles roles, Authentication authentication@Override
    protected Class<? extends WebPage> getSignInPageClass() {
        for (GrantedAuthority authority : authentication.getAuthorities()) {return LoginPage.class;
    }

    @Override
    protected Class<? extends AuthenticatedWebSession> roles.add(authority.getAuthority());
getWebSessionClass() {
        return }MyAuthenticatedWebSession.class;
    }

}

Code Block
titleMyWebApplicationMyWebApplicationSpring3.java
public class MyWebApplicationMyWebApplicationSpring3 extends AuthenticatedWebApplication implements ApplicationContextAware {
    private ApplicationContext context;

    boolean isInitialized = false;

    @Override
    protected void init() {
        if (!isInitialized) {
            super.init();
            setListeners();
            isInitialized = true;
        }
    }

    private void setListeners() {
        addComponentInstantiationListener(new SpringComponentInjector(this, context));
    }

    @Override
    public Class<?> getHomePage() {
        return HomePage.class;
    }

    public void setApplicationContext(ApplicationContext context) throws BeansException {
        this.context = context;
    }

    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return LoginPage.class;
    }

    @Override
    protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
        return MyAuthenticatedWebSession.class;
    }
}
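Review bot: `boolean isInitialized = false;` at L322 is a package-private mutable field that only `init()` (L325–L331) touches; `private boolean isInitialized;` keeps it out of the package API, and the garbled `MyWebApplication` copy at L276 has the same field. If the framework calls `init()` once per application instance, as I would expect, the guard is redundant and the field could go entirely, but that is not visible from this page. The class also has no comment saying that it relies on Spring calling `setApplicationContext` (L342) before `init()` passes `context` to `SpringComponentInjector` (L334); a one-line class comment such as `// must be created by Spring (ApplicationContextAware): init() requires context` would save the next reader from wiring it as a plain class. The class name on L319 and the title on L318 look like the old and new names fused by the comparison view, so the real name is uncertain.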

...