THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Why use Spring Security (Formerly known as Acegi)?
Acegi Spring Security is a pretty complete solution for all kinds of security needs. It is very configurable and supports many authentication sources out of the box. These include: database queries, LDAP queries and CAS. It can be a bit complex to set up, but following the how to below should get you started quickly.
The example below shows how you can use Acegi Spring Security in combination with Wicket-auth-roles. Acegi Spring Security takes care of the authentication, Wicket-auth-roles does authorization. By this I mean that Acegi Spring Security looks up the user (including roles, full name, etc.), validates the password, and keeps track of the current user in the session. Wicket-auth-roles validates whether the current user has access to a particular page, or even a particular component.
The advantage of this setup is that you get to use a lot of Acegi Spring Security functionality out of the box. There are the mentioned authentication sources, but you can also add security to services that are called by your Wicket application. You do this by adding an Acegi security Spring Security proxy to your spring beans. Acegi's security Spring Security proxies allow role based access (e.g. access granted if you have role x) but can also filter the results of a service call (e.g. remove data from a list that must not be seen by current user). See the Acegi manual for more information.
Why not use Acegi?
A new Wicket project is currently in the works. You can read more about it on http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security. Please investigate whether it will suite your needs better.
Complete example
Spring Security manual for more information.
Why not use Spring Security?
A new Wicket project is currently in the works. You can read more about it on http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security. Please investigate whether it will suit your needs better.
For those still wanting to use Spring Security, there is an howto on getting Swarm working with Spring Security http://wicketstuff.org/confluence/display/STUFFWIKI/Swarm+and+Acegi+HowTo
See the examples below for how to setup your project.
- Wicket 1.3.5, Spring 2.5.5, Spring Security 2.0.4 on JDK 5.0
- Wicket 1.2.6, Spring 2.0.5, Acegi 1.0.2 on JDK 1.4
Example Wicket 1.3.5
This example uses Maven 2 for dependency management.
Maven 2 pom.xml
| Code Block | ||||
|---|---|---|---|---|
| ||||
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.0.4</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-support</artifactId>
</exclusion>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket</artifactId>
<version>${wicket.version}</version>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-spring</artifactId>
<version>${wicket.version}</version>
<exclusions>
<exclusion>
<artifactId>spring</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-spring-annot</artifactId>
<version>${wicket.version}</version>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-extensions</artifactId>
<version>${wicket.version}</version>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-auth-roles</artifactId>
<version>${wicket.version}</version>
</dependency>
|
A nasty thing of Spring security is that is brings in its own Spring version 2.0.8. Since we want 2.5.5 we need to exclude it.
Spring Security setup
Since Spring Security has a very exhaustive documentation available I refer to the manual for in depth information about Spring Security. This example merely shows how to configure Spring Security with Wicket.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter>
<filter-name>wicket.filter</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>wicket.filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
|
It is important to add springSecurityFilterChain mapping higher in code than the Wicket filter mappin. Wicket filter is only passing filter call down by filter chain if it is unable to handle request itself.
Spring security version 3 and wicket 1.4
| Code Block | ||||
|---|---|---|---|---|
| ||||
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<display-name>example</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>wicket.example</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
<init-param>
<param-name>applicationClassName</param-name>
<param-value>org.wicket.example.WicketApplication
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>wicket.example</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
|
Spring 2 context
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
<bean id="myApplication" class="com.foo.bar.MyApplication" />
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter
</value>
</property>
</bean>
<bean id="httpSessionContextIntegrationFilter"
class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
<property name="allowSessionCreation" value="false"/>
</bean>
<security:authentication-provider alias="authenticationManager">
<security:user-service>
<security:user password="admin" name="admin" authorities="ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</beans>
|
Spring 3 context
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:http create-session="never" auto-config="true" >
<security:remember-me/>
<security:intercept-url pattern="/**"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<!-- TODO change this to reference our real user service -->
<security:user-service>
<security:user name="admin" password="admin"
authorities="ROLE_ADMIN, ROLE_USER" />
<security:user name="user" password="user"
authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<security:global-method-security secured-annotations="enabled" />
</beans>
|
The only filter we need defined from Acegi is the HttpSessionContextIntegrationFilter. This filter will ensure that the SecurityContext is transported to and from the HttpSession onto the Thread context. All authorization is delegated to the wicket-auth-roles module which uses Annotations (@AuthorizeInstantiation).
Using the authentication-provider XML element we register an AuthenticationManager in the Spring context. In this case we use a simple in-memory user service using the user-service element.
Wicket setup
WebSession
| Code Block | ||
|---|---|---|
| ||
public class MyAuthenticatedWebSession extends AuthenticatedWebSession {
private static final Logger logger = Logger.getLogger(MyAuthenticatedWebSession.class);
@SpringBean(name="authenticationManager")
private AuthenticationManager authenticationManager;
public MyAuthenticatedWebSession(Request request) {
super(request);
injectDependencies();
ensureDependenciesNotNull();
}
private void ensureDependenciesNotNull() {
if (authenticationManager == null) {
throw new IllegalStateException("AdminSession requires an authenticationManager.");
}
}
private void injectDependencies() {
InjectorHolder.getInjector().inject(this);
}
@Override
public boolean authenticate(String username, String password) {
boolean authenticated = false;
try {
Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
SecurityContextHolder.getContext().setAuthentication(authentication);
authenticated = authentication.isAuthenticated();
} catch (AuthenticationException e) {
logger.warn(format("User '%s' failed to login. Reason: %s", username, e.getMessage()));
authenticated = false;
}
return authenticated;
}
@Override
public Roles getRoles() {
Roles roles = new Roles();
getRolesIfSignedIn(roles);
return roles;
}
private void getRolesIfSignedIn(Roles roles) {
if (isSignedIn()) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
addRolesFromAuthentication(roles, authentication);
}
}
private void addRolesFromAuthentication(Roles roles, Authentication authentication) {
for (GrantedAuthority authority : authentication.getAuthorities()) {
roles.add(authority.getAuthority());
}
}
}
|
Spring 2 Application
| Code Block | ||
|---|---|---|
| ||
public class MyWebApplication extends AuthenticatedWebApplication implements ApplicationContextAware {
private ApplicationContext context;
boolean isInitialized = false;
@Override
protected void init() {
if (!isInitialized) {
super.init();
setListeners();
isInitialized = true;
}
}
private void setListeners() {
addComponentInstantiationListener(new SpringComponentInjector(this, context));
}
@Override
public Class<?> getHomePage() {
return HomePage.class;
}
public void setApplicationContext(ApplicationContext context) throws BeansException {
this.context = context;
}
@Override
protected Class<? extends WebPage> getSignInPageClass() {
return LoginPage.class;
}
@Override
protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
return MyAuthenticatedWebSession.class;
}
}
|
Spring 3 Application
| Code Block | ||
|---|---|---|
| ||
public class MyWebApplicationSpring3 extends AuthenticatedWebApplication {
boolean isInitialized = false;
@Override
protected void init() {
if (!isInitialized) {
super.init();
setListeners();
isInitialized = true;
}
}
private void setListeners() {
addComponentInstantiationListener(new SpringComponentInjector(this));
}
@Override
public Class<?> getHomePage() {
return HomePage.class;
}
@Override
protected Class<? extends WebPage> getSignInPageClass() {
return LoginPage.class;
}
@Override
protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
return MyAuthenticatedWebSession.class;
}
}
|
| Code Block | ||
|---|---|---|
| ||
class LoginForm extends Form {
private String username;
private String password;
public LoginForm(String id) {
super(id);
setModel(new CompoundPropertyModel(this));
add(new RequiredTextField("username"));
add(new PasswordTextField("password"));
}
@Override
protected void onSubmit() {
AuthenticatedWebSession session = AuthenticatedWebSession.get();
if(session.signIn(username, password)) {
setDefaultResponsePageIfNecessary();
} else {
error(getString("login.failed"));
}
}
private void setDefaultResponsePageIfNecessary() {
if(!continueToOriginalDestination()) {
setResponsePage(getApplication().getHomePage());
}
}
}
|
| Code Block | ||
|---|---|---|
| ||
@AuthorizeInstantiation("ROLE_ADMIN")
public class SecuredPage extends WebPage {
//omitted, since not relevant
}
|
As stated before the above code examples show the very minimal and a basic setup of how to configure Spring Security with Wicket. For more advanced configuration regarding authentication-provider mechanisms I refer to Spring Security manual.
Example Wicket 1.2.6
This example is extracted from a production system running on Wicket 1.2.6, Spring 2.0.5 and Acegi 1.0.2 on a 1.4 JVM. Wicket-auth-roles requires Java 5, but is quite simple to port it to Java 1.4 by removing everything related to annotations. If you do not want to port Wicket-auth-roles, this example requires that you use Java 5.
Classpath
The code in this HOWTO works with the following jars. Newer and older versions probably work, but you'll have to try to find out.
...
In addition, you'll need to inject some Spring beans into your wicket classes. This example assumes (but does not show) you are injecting these into the application. You'll need more jars for this. See here for more information on integrating Wicket with Spring.
Acegi basic setup
First of all you need to set up Acegi. Somewhere in your Spring configs add:
| No Format |
|---|
<!-- Proxy to a set of filters that enforce authentication and authorization. -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter
</value>
</property>
</bean>
<!-- Maintains security context between requests (using the session). -->
<bean id="httpSessionContextIntegrationFilter"
class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
<property name="forceEagerSessionCreation" value="true"/>
</bean>
<!-- Users cache for Acegi (Ehcache). -->
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
<property name="cache">
<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager" ref="cacheManager"/>
<property name="cacheName" value="your.application.name.USER_CACHE"/>
</bean>
</property>
</bean>
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
|
...
Add the following to your web.xml:
| No Format |
|---|
<filter>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
|
...
| No Format |
|---|
public class YourAppUserDetailsLdapImpl implements YourAppUserDetails, org.acegisecurity.userdetails.ldap.LdapUserDetails {
private static final String LDAP_ATTRIBUTENAME_MAIL = "mail";
private static final String LDAP_ATTRIBUTENAME_DISPLAYNAME = "displayname";
/** The wrapped <code>LdapUserDetails</code> instance. */
private final LdapUserDetails ldapUserDetails;
private String email;
private String displayname;
/**
* Wrap the given Acegi <code>LdapUserDetails</code> instance. This class adds the additional properties
* <code>email</code> and <code>displayname</code> that are fetched from the <code>LdapUserDetails</code>
* {@link org.acegisecurity.userdetails.ldap.LdapUserDetails#getAttributes() attributes}.
*
* Note: an e-mail address is mandatory, full name is not.
*
* @param ldapUserDetails the wrapped user details instance
*/
public YourAppUserDetailsLdapImpl(final LdapUserDetails ldapUserDetails) {
this.ldapUserDetails = ldapUserDetails;
Attributes attributes = this.ldapUserDetails.getAttributes();
// Fetch e-mail address from attributes (required, exception is thrown if not available).
try {
Attribute mailAttribute = attributes.get(LDAP_ATTRIBUTENAME_MAIL);
email = (String) (mailAttribute == null ? null : mailAttribute.get());
if (email == null) {
String errorMessage = "No attribute named '" + LDAP_ATTRIBUTENAME_MAIL
+ "' found for user '" + ldapUserDetails.getUsername() + "'.";
throw new RuntimeException(errorMessage);
}
} catch (NamingException e) {
String errorMessage = "NamingException while attempting to retrieve value for attribute '"
+ LDAP_ATTRIBUTENAME_MAIL + "' for user '" + ldapUserDetails.getUsername() + "'.";
throw new RuntimeException(errorMessage, e);
}
// Get Display name
try {
Attribute displaynameAttribute = attributes.get(LDAP_ATTRIBUTENAME_DISPLAYNAME);
displayname = (String) (displaynameAttribute == null ? null : displaynameAttribute.get());
} catch (NamingException e) {
LOG.warn("NamingException while attempting to retrieve value for attribute '"
+ LDAP_ATTRIBUTENAME_DISPLAYNAME
+ "' for user '" + ldapUserDetails.getUsername() + "'. Setting displayname to null.");
}
}
/** {@inheritDoc} */
public String getEmail() {
return email;
}
/** {@inheritDoc} */
public String getDisplayname() {
return displayname;
}
/**
* @return this user's authorities (i.e. roles)
*/
public GrantedAuthority[] getAuthorities() {
return ldapUserDetails.getAuthorities();
}
/**
* @return this user's password
*/
public String getPassword() {
return ldapUserDetails.getPassword();
}
/**
* @return this user's user name
*/
public String getUsername() {
return ldapUserDetails.getUsername();
}
/** {@inheritDoc} */
public boolean isAccountNonExpired() {
return ldapUserDetails.isAccountNonExpired();
}
/** {@inheritDoc} */
public boolean isAccountNonLocked() {
return ldapUserDetails.isAccountNonLocked();
}
/** {@inheritDoc} */
public boolean isCredentialsNonExpired() {
return ldapUserDetails.isCredentialsNonExpired();
}
/** {@inheritDoc} */
public boolean isEnabled() {
return ldapUserDetails.isEnabled();
}
/**
* @return this user's LDAP attributes
*/
public Attributes getAttributes() {
return ldapUserDetails.getAttributes();
}
/**
* Returns any LDAP response controls that were part of the user authentication process. See
* <a href="ftp://ftp.isi.edu/in-notes/rfc2251.txt" >RFC 2251</a> for a description of controls.
* @return LDAP response controls
*/
public Control[] getControls() {
return ldapUserDetails.getControls();
}
/**
* @return this user's distinguished name
*/
public String getDn() {
return ldapUserDetails.getDn();
}
}
|
...
Finally the configuration of the LDAP authenticatoin provider. Again this is done in a Spring config file:
| No Format |
|---|
<!-- Authentication manager, configured with one provider that retrieves authentication information
from an LDAP instance. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref local="ldapAuthenticationProvider"/>
</list>
</property>
</bean>
<!-- Example query against Active Directory, uses sAMAccountName as username -->
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="ou=users,${__ldap.basedn}" />
<constructor-arg index="1" value="(&(objectclass=person)(sAMAccountName={0}))" />
<constructor-arg index="2" ref="initialDirContextFactory" />
<property name="searchSubtree" value="false" />
</bean>
<!-- Authentication provider for authentication via LDAP. -->
<bean id="ldapAuthenticationProvider" class="com.example.app.security.YourAppLdapAuthenticationProvider">
<constructor-arg>
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="initialDirContextFactory"/>
<property name="userSearch" ref="userSearch" />
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="initialDirContextFactory"/>
<constructor-arg>
<value>ou=groups,${__ldap.basedn}</value>
</constructor-arg>
<property name="groupSearchFilter" value="member={0}"/>
</bean>
</constructor-arg>
</bean>
<!-- Initial context factory for JNDI queries to LDAP server. -->
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
<constructor-arg value="ldap://${__ldap.host}:${__ldap.port}/"/>
<property name="managerDn" value="${__ldap.manager.cn}"/>
<property name="managerPassword" value="${__ldap.manager.pass}"/>
</bean>
<!-- Read LDAP properties from a file. -->
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="placeholderPrefix" value="${__"/>
<property name="location" value="classpath:ldap.properties"/>
</bean>
|
...
| Note |
|---|
TODO: describe how roles are structured in LDAP tree. |
Wicket setup
Your application's session should extend wicket.authentication.AuthenticatedWebSession from Wicket-auth-roles instead of Wicket's WebSession.
...
| No Format |
|---|
import org.acegisecurity.*;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
public class YourAppSession extends AuthenticatedWebSession {
public YourAppSession(final AuthenticatedWebApplication application) {
super(application);
}
/**
* Attempts to authenticate a user that has provided the given username and password.
* @param username current username
* @param password current password
* @return <code>true</code> if authentication succeeds, <code>false</code> otherwise
*/
public boolean authenticate(String username, String password) {
String u = username == null ? "" : username;
String p = password == null ? "" : password;
// Create an Acegi authentication request.
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(u, p);
// Attempt authentication.
try {
AuthenticationManager authenticationManager =
((YourAppApplication) getApplication()).getAuthenticationManager();
Authentication authResult = authenticationManager.authenticate(authRequest);
setAuthentication(authResult);
LOG.info("Login by user '" + username + "'.");
return true;
} catch (BadCredentialsException e) {
LOG.info("Failed login by user '" + username + "'.");
setAuthentication(null);
return false;
} catch (AuthenticationException e) {
LOG.error("Could not authenticate a user", e);
setAuthentication(null);
throw e;
} catch (RuntimeException e) {
LOG.error("Unexpected exception while authenticating a user", e);
setAuthentication(null);
throw e;
}
}
/**
* @return the currently logged in user, or null when no user is logged in
*/
public YourAppUserDetails getUser() {
YourAppUserDetails user = null;
if (isSignedIn()) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
user = (YourAppUserDetails) authentication.getPrincipal();
}
return user;
}
/**
* Returns the current user roles.
* @return current user roles
*/
public Roles getRoles() {
if (isSignedIn()) {
Roles roles = new Roles();
// Retrieve the granted authorities from the current authentication. These correspond one on
// one with user roles.
GrantedAuthority[] authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
for (int i = 0; i < authorities.length; i++) {
GrantedAuthority authority = authorities[i];
roles.add(authority.getAuthority());
}
return roles;
}
return null;
}
/**
* Signout, invalidates the session. After a signout, you should redirect the browser to the home page.
*/
public void signout() {
YourAppUserDetails user = getUser();
if (user != null) {
LOG.info("Logout by user '" + user.getUsername() + "'.");
}
setAuthentication(null);
invalidate();
}
/**
* Sets the acegi authentication.
* @param authentication the authentication or null to clear
*/
private void setAuthentication(Authentication authentication) {
SecurityContextHolder.getContext().setAuthentication(authentication);
}
/**
* @return the current YourApp session
*/
public static YourAppSession getYourAppSession() {
return (YourAppSession) Session.get();
}
}
|
In order to weave the extended session into you your Wicket application, your application should extend Wicket-auth-roles's Authenticated AuthenticatedWebApplication. (See method getWebSessionClass below.) The other function of the appliction instance is to configure which components need authentication. There are 2 ways to do so. This example runs on Java 1.4 and therefore you can only use the {MetaDataRoleAuthorizationStrategy}}. If you are running on Java 5 or higher, you can also use the annotations based approach. Look at the source code in Wicket-auth-roles-example for inspiration.
...
| No Format |
|---|
login.errors.alreadysignedin=You are already singed in, please singout if you which to sign as another user. login.errors.invalidCredentials=Invalid user name and/or password. |
Hiding components
We have now seen how to completely disallow access to a page (or any component) and redirect to the signin page as soon as it is accessed. I will now show how to hide components on a page depending on the roles of the user.
| Note |
|---|
TODO: finish this section with a menu as example |
Questions?
Please send questions to the wicket user mailing list.