...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
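<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!--
    Spring Security servlet filter, disabled in this sample.
    Only needed to secure resources that Wicket does not serve itself (for example static files).
    While this filter and its filter-mapping stay commented out, no Spring Security servlet
    filter runs: the URL rules of the security:http element are not applied to any request,
    and access control rests on Wicket's own authorization checks.
    To enable it, uncomment BOTH this filter and the filter-mapping further down.
    NOTE(review): targetBeanName must name the filter chain bean of your Spring context;
    confirm that a bean called filterChainProxy exists there.

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>filterChainProxy</param-value>
    </init-param>
  </filter>
  -->

  <filter>
    <filter-name>wicket.filter</filter-name>
    <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
  </filter>

  <!--
    Mapping for the Spring Security filter, disabled together with the filter above.
    Keep it ABOVE the wicket.filter mapping: filters are applied in filter-mapping order, and
    the Wicket filter passes a request down the chain only when it cannot handle the request
    itself, so a security filter mapped after it would not see the requests Wicket handles.

  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <filter-mapping>
    <filter-name>wicket.filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
|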
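Adding the springSecurityFilterChain filter is only necessary if you also want to secure static resources. It is important to place the springSecurityFilterChain mapping above the Wicket filter mapping in web.xml, because the Wicket filter only passes a request down the filter chain if it is unable to handle the request itself. While the Spring Security filter stays commented out, the URL rules declared in the Spring Security configuration are not applied to any request.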
Spring Security version 3 and Wicket 1.4
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Sample Spring Security 3 context: web security settings, an in-memory user store
     exposed as the "authenticationManager" bean, and @Secured method security. -->
<!-- Web security settings. They take effect only for requests that pass through the
     Spring Security servlet filter, so that filter must be mapped in web.xml.
     create-session="never": Spring Security does not create an HTTP session itself.
     auto-config="true": registers the default login and logout mechanisms. -->
<security:http create-session="never" auto-config="true" >
<!-- Remember-me login with default settings. -->
<security:remember-me/>
<!-- Matches every URL but carries no access attribute, so this line names no required role.
     NOTE(review): presumably authorization is left to Wicket's role checks here; confirm
     that is intended, or add an access rule. -->
<security:intercept-url pattern="/**"/>
</security:http>
<!-- The alias is the bean name that a @SpringBean(name="authenticationManager") field looks up. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<!-- TODO replace this with a reference to the real user service.
     The accounts below are sample data only: the passwords are stored in clear text and
     equal the user names, so this block must not reach a deployed context. A real user
     store should be combined with a password encoder so that stored passwords are hashed. -->
<security:user-service>
<security:user name="admin" password="admin"
authorities="ROLE_ADMIN, ROLE_USER" />
<security:user name="user" password="user"
authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<!-- Enables the @Secured annotation on Spring beans. -->
<security:global-method-security secured-annotations="enabled" />
</beans>
|
...
Code Block | ||
---|---|---|
| ||
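/**
 * Wicket session that delegates the credential check to Spring Security's
 * {@link AuthenticationManager} and exposes the granted authorities as Wicket {@link Roles}.
 *
 * <p>NOTE(review): the authenticated principal is kept only in {@link SecurityContextHolder},
 * which by default is bound to the current thread. This class neither restores nor clears that
 * context itself; presumably it relies on the Spring Security servlet filter being mapped in
 * web.xml to do so on every request. Confirm the filter is enabled before relying on
 * {@link #getRoles()}, otherwise a later request may see no authentication, or the one left
 * behind on a reused thread.
 */
public class MyAuthenticatedWebSession extends AuthenticatedWebSession {
    private static final Logger logger = Logger.getLogger(MyAuthenticatedWebSession.class);

    /** Injected by name from the Spring context; see {@link #injectDependencies()}. */
    @SpringBean(name="authenticationManager")
    private AuthenticationManager authenticationManager;

    /**
     * Creates the session and resolves its Spring dependencies.
     *
     * @param request the request that triggers session creation
     * @throws IllegalStateException if no authentication manager could be injected
     */
    public MyAuthenticatedWebSession(Request request) {
        super(request);
        injectDependencies();
        ensureDependenciesNotNull();
    }

    /** Fails fast when injection left the authentication manager unset. */
    private void ensureDependenciesNotNull() {
        if (authenticationManager == null) {
            // The message names this class so the failure can be traced to the right session type.
            throw new IllegalStateException("MyAuthenticatedWebSession requires an authenticationManager.");
        }
    }

    /** Asks the application's injector to populate the {@code @SpringBean} fields of this session. */
    private void injectDependencies() {
        InjectorHolder.getInjector().inject(this);
    }

    /**
     * Checks the credentials against the Spring Security authentication manager.
     *
     * @param username the login name as typed by the user (untrusted)
     * @param password the password as typed by the user; never logged
     * @return {@code true} only if the manager returned an authenticated token
     */
    @Override
    public boolean authenticate(String username, String password) {
        try {
            Authentication authentication = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // Publish the token only once it is known to be authenticated, so that a rejected
            // or missing result never ends up in the security context.
            if (authentication == null || !authentication.isAuthenticated()) {
                return false;
            }
            SecurityContextHolder.getContext().setAuthentication(authentication);
            return true;
        } catch (AuthenticationException e) {
            // Both values can carry user-supplied text; strip line breaks so a crafted
            // user name cannot forge additional log entries.
            logger.warn(format("User '%s' failed to login. Reason: %s",
                    sanitizeForLog(username), sanitizeForLog(e.getMessage())));
            return false;
        }
    }

    /**
     * Returns the roles of the signed-in user.
     *
     * @return the granted authorities as Wicket roles; empty when nobody is signed in or no
     *         authentication is available in the security context
     */
    @Override
    public Roles getRoles() {
        Roles roles = new Roles();
        getRolesIfSignedIn(roles);
        return roles;
    }

    /** Adds the current authentication's authorities to {@code roles} if the session is signed in. */
    private void getRolesIfSignedIn(Roles roles) {
        if (!isSignedIn()) {
            return;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            // Signed in according to Wicket, but the security context holds nothing for this
            // thread: grant no roles instead of failing with a NullPointerException.
            return;
        }
        addRolesFromAuthentication(roles, authentication);
    }

    /** Copies every granted authority name into {@code roles}. */
    private void addRolesFromAuthentication(Roles roles, Authentication authentication) {
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            roles.add(authority.getAuthority());
        }
    }

    /** Replaces carriage returns and line feeds so a value occupies a single log line. */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "_");
    }
}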
|
...
Code Block | ||
---|---|---|
| ||
/**
 * Wicket application that wires Spring injection into components and names the home page,
 * the sign-in page and the session class used for authentication.
 */
public class MyWebApplicationSpring3 extends AuthenticatedWebApplication {
    // Set once init() has completed, so a repeated call does not register the listener twice.
    boolean isInitialized = false;

    /** Runs the one-time application setup; later calls return without doing anything. */
    @Override
    protected void init() {
        if (isInitialized) {
            return;
        }
        super.init();
        setListeners();
        isInitialized = true;
    }

    /** Registers the listener that injects Spring beans into Wicket components. */
    private void setListeners() {
        SpringComponentInjector injector = new SpringComponentInjector(this);
        addComponentInstantiationListener(injector);
    }

    /** @return the page shown as the application's home page */
    @Override
    public Class<?> getHomePage() {
        return HomePage.class;
    }

    /** @return the page class used for signing in */
    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return LoginPage.class;
    }

    /** @return the session class that performs authentication and supplies roles */
    @Override
    protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
        return MyAuthenticatedWebSession.class;
    }
}
|
...