Using forms defined in panels
Hi all,

I have a newbie question ... In the free online guide for Wicket - best practices section, 2 listings are provided as examples of how to encapsulate components in panels (http://wicket.apache.org/guide/guide/bestpractices.html#bestpractices_1):

Listing 3:

    // Good component
    public class RegistrationInputPanel extends Panel {
        public RegistrationInputPanel(String id, IModel<Registration> regModel) {
            super(id, regModel);
            IModel<Registration> compound = new CompoundPropertyModel<Registration>(regModel);
            Form<Registration> form = new Form<Registration>("form", compound);
            // Correct: Add components to Form over the instance variable
            form.add(new TextField("username"));
            form.add(new TextField("firstname"));
            form.add(new TextField("lastname"));
            add(form);
        }
    }

Listing 4:

    public class RegistrationPage extends Page {
        public RegistrationPage(IModel<Registration> regModel) {
            Form<?> form = new Form("form");
            form.add(new RegistrationInputPanel("registration", regModel));
            form.add(new SubmitButton("register") {
                public void onSubmit() {
                    // do something
                }
            });
            add(form);
        }
    }

I infer from this example that it is possible in Wicket to decouple the physical definition of a form (listing 3) from the code which is executed when a form is submitted (listing 4). I suppose the point is that different pages can reuse the same physical form and implement their own form submission logic.

Is it possible for the // do something in listing 4 to access the values of username, firstname & lastname submitted through the form defined in listing 3?

If the answer is yes, then could anyone provide a snippet of code demonstrating how to do this? I've had a search and have not found an obvious way!

Thanks, Andrew.
Re: Browser Page Refresh Not Really Refreshing
----- Reply message -----
From: dhongyt davidhtr...@gmail.com
To: users@wicket.apache.org
Subject: Browser Page Refresh Not Really Refreshing
Date: Tue, Oct 15, 2013 8:55 AM

> I have a wicket page that contains a dataview of subscriptions. Any user that subscribes will show up on this page. If I am already on the page and someone else creates a subscription and I do a browser refresh, like CTRL+R or F5, the user subscription does not show up. I would have to click on the actual page link again for the new data to show up.
>
> Is this because I need to set my headers to not cache?
RE: Oracle Wicket Starter Application Project
Hi,

if anyone is interested, I've ported my Oracle/Wicket starter application to Postgresql. There is a similar philosophy - the 'one big application user' architecture is rejected - application users are database users, so that security can be enforced on every tier.

It is at: https://github.com/andrewah/Wicket---Postgresql-Template

Cheers, Andrew.

From: andre...@hotmail.com
To: users@wicket.apache.org
Subject: Oracle Wicket Starter Application Project
Date: Tue, 21 Dec 2010 22:14:07 +

> Hi,
>
> I've put together a project based on Wicket & Oracle which I'd hope could serve as a good starting point for applications based on these 2 technologies.
>
> My background is in writing large applications based upon Oracle & I wrote this to learn about Wicket & Java and also to prove to myself that best practices from the database world - which sadly I've rarely seen implemented in modern web applications! - such as:
>
> - using individual database users to represent real users - giving end-to-end authentication allowing the use of features such as SQL Trace & fine grained auditing
> - using database roles to restrict access to data, and not relying wholly on application enforced security
>
> are compatible with modern web application frameworks. Wicket definitely didn't give me too many headaches!
>
> It's on github at: https://github.com/andrewah/Wicket---Oracle-Template
>
> It'd be fair to say that some of my Java may not be of the highest standard, so if anyone has the inclination to look at this, any constructive feedback would be appreciated.
>
> Cheers, Andrew.
RE: Oracle Wicket Starter Application Project
Hi,

> Does that mean that the number of open connections always equals the number of signed in users?

Not necessarily - it depends on the way that you build it - using oracle proxy users (http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/authentication.htm#sthref402) means that user A could use the connection of user B i.e. - you can still have the benefits of connection pooling and the database will be aware of who is logged in.

But actually I've used a feature called connection labelling (http://download.oracle.com/docs/cd/E11882_01/java.112/e12265/label.htm#BABGJEEA) which means that yes, the number of opened connections will equal the number of signed in users.

At runtime, you could issue the following query to see who is connected at any given time:

    select * from v$session

> So if you want to determine whether user X can see button Y, you have to query the database for particular role membership?

I've designed my app such that the session object extends org.apache.wicket.authentication.AuthenticatedWebSession. A successful login causes a list of roles to be stored in the session, Wicket can then enforce security at the application level as normal, using the @AuthorizeInstantiation annotations. I don't have anything against application enforced security - in fact I think that it is absolutely necessary.

In Oracle, you can see what roles have been granted to a given user with:

    select grantee your_user, granted_role from dba_role_privs where grantee = 'EELCO';

There is a report section in my template app, and a report called User Privileges which lists the roles granted (object privileges are conferred by those roles) to a given user.

...

One of the motivations behind this was to find out what was involved in creating an application broadly consistent with the recommendations of the Oracle Security Guide (see http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/app_devs.htm#DBSEG133) - mainly because I've been hamstrung many times by applications not following this sort of advice, and because colleagues have told me that it was too much trouble.

Thanks, Andrew.

From: eelco.hillen...@gmail.com
Date: Tue, 21 Dec 2010 16:12:55 -0800
Subject: Re: Oracle Wicket Starter Application Project
To: users@wicket.apache.org

> > - using individual database users to represent real users - giving end-to-end authentication allowing the use of features such as SQL Trace & fine grained auditing
>
> Does that mean that the number of open connections always equals the number of signed in users?
>
> > - using database roles to restrict access to data, and not relying wholly on application enforced security
>
> So if you want to determine whether user X can see button Y, you have to query the database for particular role membership?
>
> Cheers, Eelco
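The proxy-user arrangement mentioned in the reply above, sketched as Oracle SQL. This is an added example, not code from the thread or from the template project; the accounts APP_POOL and EELCO, the role SALES_READER, the table APP.ORDERS and the passwords are hypothetical placeholders.

```sql
-- Added example. APP_POOL, SALES_READER and APP.ORDERS are assumed names;
-- the passwords are placeholders to be replaced at provisioning time.

-- Pool account: may log in, owns nothing, holds no data privileges itself.
CREATE USER app_pool IDENTIFIED BY "placeholder_password_1";
GRANT CREATE SESSION TO app_pool;

-- One database account per real user.
CREATE USER eelco IDENTIFIED BY "placeholder_password_2";
GRANT CREATE SESSION TO eelco;

-- Data access is granted to a role, and the role to the real user,
-- never to the pool account.
CREATE ROLE sales_reader;
GRANT SELECT ON app.orders TO sales_reader;
GRANT sales_reader TO eelco;

-- Let the pool account open sessions on behalf of EELCO, restricted to
-- the single role the web application needs.
ALTER USER eelco GRANT CONNECT THROUGH app_pool WITH ROLE sales_reader;

-- Inside a proxied session the database knows both identities, so
-- auditing and tracing attribute work to the real user.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS real_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS pool_user
FROM   dual;

-- Review which accounts can be proxied, and by which pool account.
SELECT proxy, client
FROM   proxy_users;
```

Because APP_POOL has no object privileges of its own, a connection that is not proxied to a real user can read nothing in APP.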
RE: Oracle Wicket Starter Application Project
Funnily I did recently get certified as an Oracle DBA (for what that's worth!) but actually I'm a developer who has got more involved in the dba stuff over time, mainly because of the performance problems suffered by various employers.

I'm a fan of Tom Kyte's writings (eg http://asktom.oracle.com/pls/apex/f?p=100:11:0P11_QUESTION_ID:25405782527721) - although I'm sure they aren't to everyone's taste - but have never actually seen all of his recommendations implemented. However, I've experienced the repercussions of trying to work with systems in which (for example) the database doesn't know who is logged in. It can really make tracing, tuning & auditing much more difficult than it needs to be!

I guess that initially I was interested in seeing what was involved in implementing a system which followed the Oracle recommendations.

Date: Tue, 21 Dec 2010 19:31:26 -0500
Subject: Re: Oracle Wicket Starter Application Project
From: ja...@carmanconsulting.com
To: users@wicket.apache.org

> Let me guess, you're a dba?
>
> On Dec 21, 2010 5:14 PM, Andrew Hall andre...@hotmail.com wrote:
>
> > Hi,
> >
> > I've put together a project based on Wicket & Oracle which I'd hope could serve as a good starting point for applications based on these 2 technologies.
> >
> > My background is in writing large applications based upon Oracle & I wrote this to learn about Wicket & Java and also to prove to myself that best practices from the database world - which sadly I've rarely seen implemented in modern web applications! - such as:
> >
> > - using individual database users to represent real users - giving end-to-end authentication allowing the use of features such as SQL Trace & fine grained auditing
> > - using database roles to restrict access to data, and not relying wholly on application enforced security
> >
> > are compatible with modern web application frameworks. Wicket definitely didn't give me too many headaches!
> >
> > It's on github at: https://github.com/andrewah/Wicket---Oracle-Template
> >
> > It'd be fair to say that some of my Java may not be of the highest standard, so if anyone has the inclination to look at this, any constructive feedback would be appreciated.
> >
> > Cheers, Andrew.
RE: Oracle Wicket Starter Application Project
Hi Martijn,

as a disclaimer, I do make my living based on my Oracle knowledge, but don't think that I am blindly devoted. They have failed the market in many ways. I'm very fond of postgresql and the approach I take to development with that DB is very similar to the one I take with Oracle.

I disagree that DBAs get extra work when applications use database roles. They should be used to either allow/disallow access to a given piece of functionality. This is a part of application design, and developers are responsible for that. If we decide to use fine grained auditing, virtual private databases, then yes, I can imagine DBAs getting involved, but not roles.

We have a responsibility to our employers to secure data to the best of our abilities, and if that means using proprietary features then so be it. The points made in the Oracle security guide address potential vulnerabilities that cannot be addressed by the application's code alone - but require applications to be designed in a certain way in order to mitigate them completely - which is why at the very least, they are worthy of consideration.

I think that the advice given by Oracle in the security guide is sound, and somewhat independent of any given database product. Do Oracle benefit from the advice they give? - of course that they do, but we shouldn't dismiss advice simply because a vendor gives it. For example, it surely can't be considered a good thing to have a hard coded username & password in plain text in our code, as we probably have to in the 'one big application user' approach!

Where I currently work, we are looking to move away from php / Oracle forms / Oracle reports & I'm pushing heavily for Wicket as I very much enjoy the approach that you guys have taken.

Cheers, Andrew.

From: martijn.dasho...@gmail.com
Date: Wed, 22 Dec 2010 11:08:06 +0100
Subject: Re: Oracle Wicket Starter Application Project
To: users@wicket.apache.org

> On Wed, Dec 22, 2010 at 10:55 AM, Andrew Hall andre...@hotmail.com wrote:
>
> > One of the motivations behind this was to find out what was involved in creating an application broadly consistent with the recommendations of the Oracle Security Guide (see http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/app_devs.htm#DBSEG133) - mainly because I've been hamstrung many times by applications not following this sort of advice, and because colleagues have told me that it was too much trouble.
>
> Well, of course Oracle is going to tell you to use database security. Oracle would also suggest to use an Oracle database to store your information, because otherwise you won't be able to use the Oracle features ;-)
>
> DBA's also like to follow this advice because it provides them with $work.
>
> That said, it is refreshing to see a different perspective and to learn the possibilities that are available to us. Good to know that for companies that want to secure data access at the database layer, this is still possible using their long time hero Oracle and the new kid on the block Wicket
>
> Martijn
RE: Oracle Wicket Starter Application Project
Application security is crucial, but in my opinion it's no less important to have security around the data itself as well. These guys could have saved themselves from trouble by putting some security in the db ...

http://www.computerweekly.com/blogs/public-sector/2007/09/npfit-security-warning-after-n.html#comments

From: jer...@wickettraining.com
Date: Tue, 21 Dec 2010 23:22:23 -0600
Subject: Re: Oracle Wicket Starter Application Project
To: users@wicket.apache.org

> On Tue, Dec 21, 2010 at 6:12 PM, Eelco Hillenius eelco.hillen...@gmail.com wrote:
>
> > > - using database roles to restrict access to data, and not relying wholly on application enforced security
> >
> > So if you want to determine whether user X can see button Y, you have to query the database for particular role membership?
>
> Since he says wholly, I'm assuming he means that the DB stands as the last resort security. Ideally your application rules will apply the security constraints correctly. But, if someone finds a way to punch a hole in that security (i.e. change a primary key in the URL, which shouldn't be there anyway without security around it, but sometimes people do this, which leaves an app-level security vulnerability), the DB rules should kick in and disallow what you were trying (hacking) to do.
>
> --
> Jeremy Thomerson
> http://wickettraining.com
> *Need a CMS for Wicket? Use Brix! http://brixcms.org*
RE: Oracle Wicket Starter Application Project
Hi Brian,

you're absolutely correct - I should have had the foresight to see that despite being fond of it, Gradle is still a niche product & that Maven is a popular, well supported build tool.

I actually swapped to Gradle from Maven not long back, so I have now included my pom.xml for Maven. You can grab it from github. You'll still need to download & manually install the oracle jdbc & ucp jars into your maven repository - they aren't available in the public repositories.

Cheers, Andrew.

Subject: Re: Oracle Wicket Starter Application Project
From: topp...@codehaus.org
Date: Tue, 21 Dec 2010 19:54:30 -0500
To: users@wicket.apache.org

> On Dec 21, 2010, at 5:14 PM, Andrew Hall wrote:
>
> > It'd be fair to say that some of my Java may not be of the highest standard, so if anyone has the inclination to look at this, any constructive feedback would be appreciated.
>
> I've thought about how to use the database this way as well. Eelco has a great question about database connection pooling, and I thought I would browse the source to see what was going on in there. DBA or not, if the application could be made scalable this way, I'd be down (at least on PostgreSQL).
>
> Unfortunately, the project is using Gradle, which does not import into my IDE (IntelliJ IDEA). It probably doesn't make sense to start that particular religious war in this thread, but practically, if I can't pull in the project and all its dependencies very easily, I'm going to be less inclined to put any effort into it Right Now. If some percentage of users think like me, then that is a percentage of users that will come very late to your ideas.
>
> $0.02...
RE: Oracle Wicket Starter Application Project
Use of all of the fancy database features, such as:

- fine grained auditing
- sqltrace
- virtual private database / fine grained access control

all hinge on the database's ability to know who's logged in at any given time ... which isn't possible with the 'one big application user' architecture.

Date: Wed, 22 Dec 2010 00:32:50 -0800
Subject: Re: Oracle Wicket Starter Application Project
From: scott.sw...@gmail.com
To: users@wicket.apache.org

> Not only that, but fine-grained data access allows a user to simply select * from some_table and get the data to which they are allowed access. E.g. each sales person can see the data for their region while an administrator or manager can see all of the regions. You can also build 6 apps that work with the same data and they will all have the same permissions when you log in as jthomerson.
>
> Scott
>
> On Tue, Dec 21, 2010 at 9:22 PM, Jeremy Thomerson jer...@wickettraining.com wrote:
>
> > On Tue, Dec 21, 2010 at 6:12 PM, Eelco Hillenius eelco.hillen...@gmail.com wrote:
> >
> > > > - using database roles to restrict access to data, and not relying wholly on application enforced security
> > >
> > > So if you want to determine whether user X can see button Y, you have to query the database for particular role membership?
> >
> > Since he says wholly, I'm assuming he means that the DB stands as the last resort security. Ideally your application rules will apply the security constraints correctly. But, if someone finds a way to punch a hole in that security (i.e. change a primary key in the URL, which shouldn't be there anyway without security around it, but sometimes people do this, which leaves an app-level security vulnerability), the DB rules should kick in and disallow what you were trying (hacking) to do.
> >
> > --
> > Jeremy Thomerson
> > http://wickettraining.com
> > *Need a CMS for Wicket? Use Brix! http://brixcms.org*
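The per-region visibility described in the message above, written as an Oracle Virtual Private Database policy that depends on the database knowing the real session user. This is an added example, not code from the thread or the template project; the APP schema, the ORDERS table with a REGION column, and the REP_REGIONS mapping table are assumed names.

```sql
-- Added example. APP.ORDERS (with a REGION column) and APP.REP_REGIONS
-- are assumed objects; adjust names to the real schema.

-- Which region each database user may see; ALL_REGIONS = 'Y' for managers.
CREATE TABLE app.rep_regions (
  username    VARCHAR2(128) PRIMARY KEY,
  region      VARCHAR2(30),
  all_regions CHAR(1) DEFAULT 'N' NOT NULL
              CHECK (all_regions IN ('Y', 'N'))
);

-- Policy function: returns the WHERE predicate Oracle appends to every
-- statement against the protected table.
CREATE OR REPLACE FUNCTION app.orders_region_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
  v_region app.rep_regions.region%TYPE;
  v_all    app.rep_regions.all_regions%TYPE;
BEGIN
  SELECT region, all_regions
  INTO   v_region, v_all
  FROM   app.rep_regions
  WHERE  username = SYS_CONTEXT('USERENV', 'SESSION_USER');

  IF v_all = 'Y' THEN
    RETURN NULL;            -- no predicate: every region is visible
  END IF;
  -- Quote the stored value so it cannot alter the predicate.
  RETURN 'region = ' || DBMS_ASSERT.ENQUOTE_LITERAL(v_region);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN '1 = 0';         -- unmapped account: fail closed, no rows
END;
/

-- Attach the policy; UPDATE_CHECK also rejects writes that would move a
-- row outside the caller's own region.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_REGION',
    function_schema => 'APP',
    policy_function => 'ORDERS_REGION_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/
```

With a single shared application login, SESSION_USER is the same for every request and the policy cannot tell one sales person from another.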
Oracle Wicket Starter Application Project
Hi,

I've put together a project based on Wicket & Oracle which I'd hope could serve as a good starting point for applications based on these 2 technologies.

My background is in writing large applications based upon Oracle & I wrote this to learn about Wicket & Java and also to prove to myself that best practices from the database world - which sadly I've rarely seen implemented in modern web applications! - such as:

- using individual database users to represent real users - giving end-to-end authentication allowing the use of features such as SQL Trace & fine grained auditing
- using database roles to restrict access to data, and not relying wholly on application enforced security

are compatible with modern web application frameworks. Wicket definitely didn't give me too many headaches!

It's on github at: https://github.com/andrewah/Wicket---Oracle-Template

It'd be fair to say that some of my Java may not be of the highest standard, so if anyone has the inclination to look at this, any constructive feedback would be appreciated.

Cheers, Andrew.