Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
On 5/29/07, Jan Kriesten [EMAIL PROTECTED] wrote:
> Why re-invent the wheel with Wasp/Swarm?

The same question could be asked when acegi was introduced, or any other security framework for that matter. The simple answer is because it thinks differently and hopes to solve problems not addressed by other frameworks. Without having any further knowledge of acegi, one of the differences is component oriented security as opposed to url based. wicket is after all component based so why fiddle with urls. Second, swarm was designed from the ground up to interact with wicket whereas acegi requires you to go through several hoops just to get some simple stuff done. Third, configuring a security framework is often not a simple task; I like to think swarm does a better job. Just to name a few of the selling points without going into a "my framework is better than yours" war. :)

Maurice
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
> What makes me wonder is, using Acegi as a Filter means not to use component-based authorization. But it should be possible to integrate Acegi into the application and all Filter-gotchas should be resolvable. Or am I missing something?

You're right, if you really want, you can use URL based authorization.

> Why re-invent the wheel with Wasp/Swarm?

I don't know about Wasp/Swarm particularly, but I'm guessing you wonder about why do component-level authorization rather than URL based authorization.

First, there are advantages to URL based auth:
* widely supported, including through servlet containers and libs like Acegi
* good when you mix technologies as this way you have one solution for all

But the disadvantages are pretty grave:
* severely limits your options as you'll pretty much have to get back to page-based development. URL based authorization only works for coarse grained cases, and won't work e.g. when you do component replacement[1] and Ajax.
* it leaks abstraction. With Wicket you can abstract much of your functionality to self contained components, including the relevant authorization if you like. This opens the door for really fine grained auth models, and with such components you'll never have to worry where they are used, as you'll know that the functionality can't be exposed in the wrong places. Great when you work with teams. You'll lose this when you do URL based auth, as then you'll have to be aware what's actually on your pages at any time.
* for this to work with Wicket you'll have to work with URL mounting. And re-organizing the mounts can break security.

My 2c,

Eelco

[1] http://chillenious.wordpress.com/2006/07/16/on-page-navigation/
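The mount re-organization and component replacement problems listed in the message above, as an added plain-Java model (not part of the original thread, and not Wicket, Acegi or Swarm API). All class, method and path names are hypothetical, and the URL filter is assumed to let through any path that matches no rule.

```java
import java.util.*;

// Added illustration: a plain-Java model with hypothetical names, no framework API.
public class AuthPlacementDemo {
    // A component that carries its own requirement (null role = public).
    record Panel(String name, String requiredRole) {
        boolean mayRender(Set<String> roles) {
            return requiredRole == null || roles.contains(requiredRole);
        }
    }

    // URL-based check: a matching path prefix decides.
    // Assumption: a path that matches no rule is let through.
    static boolean urlAllows(Map<String, String> rules, String path, Set<String> roles) {
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (path.startsWith(rule.getKey())) return roles.contains(rule.getValue());
        }
        return true;
    }

    // Names of the panels a user with the given roles gets to see at a path.
    static List<String> visible(String path, Map<String, List<Panel>> mounts,
            Map<String, String> urlRules, boolean componentChecks, Set<String> roles) {
        List<String> shown = new ArrayList<>();
        if (!urlAllows(urlRules, path, roles)) {
            return shown; // whole page refused by the URL filter
        }
        for (Panel p : mounts.getOrDefault(path, List.of())) {
            if (!componentChecks || p.mayRender(roles)) shown.add(p.name());
        }
        return shown;
    }

    public static void main(String[] args) {
        Panel salary = new Panel("SalaryPanel", "ADMIN");
        Panel news = new Panel("NewsPanel", null);
        Map<String, String> urlRules = Map.of("/admin", "ADMIN");
        Set<String> user = Set.of("USER"); // constructed non-admin user
        // Original layout: the sensitive panel lives only under /admin.
        Map<String, List<Panel>> before = Map.of(
            "/admin/staff", List.of(salary), "/home", List.of(news));
        // After a refactor: page remounted at /staff, panel also swapped into /home.
        Map<String, List<Panel>> after = Map.of(
            "/staff", List.of(salary), "/home", List.of(news, salary));

        System.out.println("URL rules, old mounts, /admin/staff: "
            + visible("/admin/staff", before, urlRules, false, user));
        System.out.println("URL rules, new mounts, /staff: "
            + visible("/staff", after, urlRules, false, user));
        System.out.println("URL rules, new mounts, /home: "
            + visible("/home", after, urlRules, false, user));
        System.out.println("component checks, new mounts, /staff: "
            + visible("/staff", after, urlRules, true, user));
        System.out.println("component checks, new mounts, /home: "
            + visible("/home", after, urlRules, true, user));
    }
}
```

With URL rules alone, the non-admin user is refused at /admin/staff but sees SalaryPanel at both /staff and /home once the mounts change; with the per-component check the panel stays hidden wherever it is placed.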
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
hi maurice,

i didn't want to start a framework war... ;-)

my point was just to understand why you started a new thing. i'm currently in the process of selecting an authentication/authorization framework, too. it should be highly flexible, so it can be integrated in very different environments. still, the component oriented security should be reflectable.

what i was thinking about was - instead of using acegi as a filter and use it on urls - integrate it in the wicket-app and act on top of the components. this sounds like the wasp/swarm-concepts, only that acegi is the base.

what i really dislike about acegi is the spring/xml-stuff. but that's another story... ;-)

best regards,
--- jan.
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
hi eelco,

> You're right, if you really want, you can use URL based authorization.

you got me wrong, i was thinking to integrate acegi into the app like wasp/swarm is doing and so have an acegi-interface that can be used on component-level. so, best of both worlds.

best regards,
--- jan.
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
On 5/29/07, Jan Kriesten [EMAIL PROTECTED] wrote:
> what i was thinking about was - instead of using acegi as a filter and use it on urls - integrate it in the wicket-app and act on top of the components. this sounds like the wasp/swarm-concepts, only that acegi is the base.
>
> what i really dislike about acegi is the spring/xml-stuff. but that's another story... ;-)

If you take the spring/xml and the URL based authorization out of Acegi, what is left? Not a stab at Acegi, just asking.

Martijn

--
Join the wicket community at irc.freenode.net: ##wicket
Wicket 1.2.6 contains a very important fix. Download Wicket now!
http://wicketframework.org
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
I am sorry if I made you think I was accusing you of starting a framework war, I was merely stating I didn't want to start one :). I am only just reading up on acegi, but what I learned so far is that acegi was designed for spring just like swarm is for wicket so trying to integrate either in the other framework should provide for quite a challenge.

Maurice

On 5/29/07, Jan Kriesten [EMAIL PROTECTED] wrote:
> hi maurice,
>
> i didn't want to start a framework war... ;-)
>
> my point was just to understand why you started a new thing. i'm currently in the process of selecting an authentication/authorization framework, too. it should be highly flexible, so it can be integrated in very different environments. still, the component oriented security should be reflectable.
>
> what i was thinking about was - instead of using acegi as a filter and use it on urls - integrate it in the wicket-app and act on top of the components. this sounds like the wasp/swarm-concepts, only that acegi is the base.
>
> what i really dislike about acegi is the spring/xml-stuff. but that's another story... ;-)
>
> best regards,
> --- jan.
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
> what i was thinking about was - instead of using acegi as a filter and use it on urls - integrate it in the wicket-app and act on top of the components. this sounds like the wasp/swarm-concepts, only that acegi is the base.

It's definitively possible to use Acegi ACL stuff with Wicket's auth model. You'll have to build it yourself, but once you know your way around Acegi and you know exactly what your requirements are, implementing it shouldn't be too difficult.

Eelco
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
hi martijn,

> > what i really dislike about acegi is the spring/xml-stuff. but that's another story... ;-)
>
> If you take the spring/xml and the URL based authorization out of Acegi, what is left? Not a stab at Acegi, just asking.

hehe - now i'm having to argue pro acegi where i'm not yet finished finding out if it really is what i'm looking for. *ggg*

first of all, what i dislike is the xml-/spring-injection-dependent configuration. everything else is not tied to spring, it can be used in any other environment.

everything else is: acegi supports a wide range of authentication models. from http basic authentication headers, ldap to jaas - you just have to choose. also, the authorization is as customizable as is e.g. swarm. like in swarm, you have to define your policies. it's just an implementation detail, if you use it url- or component-based.

so, when thinking about authentication/authorization, i don't think of a one-time-installation at one defined customer but how it can be integrated into a variety of heterogenous systems. having a wicket application running in a system using a service-oriented-approach, i might have to use a ticketing system (like cas) to handle authorization. acegi delivers such functionality.

best regards,
--- jan.
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
hi eelco,

> It's definitively possible to use Acegi ACL stuff with Wicket's auth model. You'll have to build it yourself, but once you know your way around Acegi and you know exactly what your requirements are, implementing it shouldn't be too difficult.

see my post to martijn - having the wicket's auth system on top of acegi would deliver an easier concept for complex systems (like soa etc).

best regards,
--- jan.
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
True, Swarm does not yet provide blackbox authentication against ldap, cas or whatever else, but it allows you to customize your own authentication allowing you to implement any of those models. And the time not spent on fixing all your urls for acegi can now be spent on implementing cas or ldap for swarm :)

Maurice

On 5/29/07, Jan Kriesten [EMAIL PROTECTED] wrote:
> hi martijn,
>
> > > what i really dislike about acegi is the spring/xml-stuff. but that's another story... ;-)
> >
> > If you take the spring/xml and the URL based authorization out of Acegi, what is left? Not a stab at Acegi, just asking.
>
> hehe - now i'm having to argue pro acegi where i'm not yet finished finding out if it really is what i'm looking for. *ggg*
>
> first of all, what i dislike is the xml-/spring-injection-dependent configuration. everything else is not tied to spring, it can be used in any other environment.
>
> everything else is: acegi supports a wide range of authentication models. from http basic authentication headers, ldap to jaas - you just have to choose. also, the authorization is as customizable as is e.g. swarm. like in swarm, you have to define your policies. it's just an implementation detail, if you use it url- or component-based.
>
> so, when thinking about authentication/authorization, i don't think of a one-time-installation at one defined customer but how it can be integrated into a variety of heterogenous systems. having a wicket application running in a system using a service-oriented-approach, i might have to use a ticketing system (like cas) to handle authorization. acegi delivers such functionality.
>
> best regards,
> --- jan.
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
On 5/29/07, Jan Kriesten [EMAIL PROTECTED] wrote:
> hi eelco,
>
> > It's definitively possible to use Acegi ACL stuff with Wicket's auth model. You'll have to build it yourself, but once you know your way around Acegi and you know exactly what your requirements are, implementing it shouldn't be too difficult.
>
> see my post to martijn - having the wicket's auth system on top of acegi would deliver an easier concept for complex systems (like soa etc).

Yeah, makes sense. Contributions are welcome of course. We don't mind having competing implementations; it'll only make them better :)

Eelco
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
> And the time not spent on fixing all your urls for acegi

Acegi is layered. It has auth models that don't depend on URLs. For instance there is a fairly sophisticated (at least at first sight) ACL mechanism last time I looked.

Eelco
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
hi eelco,

> Yeah, makes sense. Contributions are welcome of course. We don't mind having competing implementations; it'll only make them better :)

hehe, i'll keep you posted. ;-)

--- jan.
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
I don't mind the competition. But it might be a good idea if we can all agree on some common api. For that reason I made wasp. Of course nothing is written in stone so if you have some suggestions I'll be happy to listen to them. Just take a look at wasp, is all I ask.

Maurice

On 5/29/07, Jan Kriesten [EMAIL PROTECTED] wrote:
> hi eelco,
>
> > Yeah, makes sense. Contributions are welcome of course. We don't mind having competing implementations; it'll only make them better :)
>
> hehe, i'll keep you posted. ;-)
>
> --- jan.
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
> I don't mind the competition. But it might be a good idea if we can all agree on some common api. For that reason I made wasp. Of course nothing is written in stone so if you have some suggestions I'll be happy to listen to them. Just take a look at wasp, is all I ask.

Yeah, I agree that that's a good idea. Just don't fall into the design by committee trap ;)

Eelco
Re: [Wicket-user] Swarm - [was Wicket Acegi ?]
Don't worry, I like committees about as much as how far I can throw them :)

Maurice

On 5/29/07, Eelco Hillenius [EMAIL PROTECTED] wrote:
> > I don't mind the competition. But it might be a good idea if we can all agree on some common api. For that reason I made wasp. Of course nothing is written in stone so if you have some suggestions I'll be happy to listen to them. Just take a look at wasp, is all I ask.
>
> Yeah, I agree that that's a good idea. Just don't fall into the design by committee trap ;)
>
> Eelco