Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
try org.wicketstuff wicket-shiro 1.4-SNAPSHOT On Tue, May 11, 2010 at 3:15 AM, PDiefent wrote: > > where can I find the wicket-shiro-example stuff? > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2173369.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Fernando Wermus. www.linkedin.com/in/fernandowermus
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Martin, how many patches have you submitted? ;) On Tue, May 11, 2010 at 3:59 AM, Martin Grigorov wrote: > On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote: >> Just a quick note to Wicket and Wicket-Stuff Shiro users: >> >> Shiro 1.0 is right around the corner. We should be code-complete for >> 1.0 in a day or two and then we being the ASF voting process to >> release the software. A concrete (non snapshot) release is coming >> very soon! >> >> Best, >> >> Les > You said the same 4 months ago ;-) >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
If it's any consolation, we only have a few remaining issues in Jira that should be finished today and tomorrow. 4 months ago, there was still over 50+ issues to resolve ;) Security frameworks are hard to get right - better to have a great 1.0 release than a crappy one :) On Tue, May 11, 2010 at 12:59 AM, Martin Grigorov wrote: > On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote: >> Just a quick note to Wicket and Wicket-Stuff Shiro users: >> >> Shiro 1.0 is right around the corner. We should be code-complete for >> 1.0 in a day or two and then we being the ASF voting process to >> release the software. A concrete (non snapshot) release is coming >> very soon! >> >> Best, >> >> Les > You said the same 4 months ago ;-) >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote: > Just a quick note to Wicket and Wicket-Stuff Shiro users: > > Shiro 1.0 is right around the corner. We should be code-complete for > 1.0 in a day or two and then we being the ASF voting process to > release the software. A concrete (non snapshot) release is coming > very soon! > > Best, > > Les You said the same 4 months ago ;-) > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Just a quick note to Wicket and Wicket-Stuff Shiro users: Shiro 1.0 is right around the corner. We should be code-complete for 1.0 in a day or two and then we being the ASF voting process to release the software. A concrete (non snapshot) release is coming very soon! Best, Les - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
where can I find the wicket-shiro-example stuff? -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2173369.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to check out trunk and build yourself) and has three different SNAPSHOT dependencies. I can't talk for wicket-shiro, but using plain Shiro from your Wicket project is quite straightforward. Use the integration from wicket-shiro as a pointer and integrate everything directly into your project. I did it this way and am very happy with it so far. Cheers, Adrian - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
you can try shiro. There is a shiro-wicket-web-app example which could help you. On Mon, May 10, 2010 at 9:54 AM, PDiefent wrote: > > Thanks for this fast respnse. I will have a deeper look at it. > Actually I hoped to find a much more simple solution, because I wanted to > avoid Spring in my application and only use it for authentication ... > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2165351.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Fernando Wermus. www.linkedin.com/in/fernandowermus
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Thanks for this fast respnse. I will have a deeper look at it. Actually I hoped to find a much more simple solution, because I wanted to avoid Spring in my application and only use it for authentication ... -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2165351.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
I recently updated the spring-security module for Brix to SS 3.0.1. There's probably some nibbles in there for some of the more advanced kinds of security situations (like component-based authorizations against SS 3). http://code.google.com/p/brix-cms-plugins/source/browse/#svn/trunk/examples/example-springsecurity is the browsable source for the example project. Check out Brix while you are there! :B On May 7, 2010, at 8:48 AM, PDiefent wrote: > > I have also problems integrating security into my Wicket project. I wanted to > use simple authentication form the application server as I used many times > before with JSF applications, but it didn't work. > > Spring security sounds very good, but since I don't use spring in my Wicket > application I didn't manage to get the examples form above to work. > > It would be nice, if anyone could post a little example application as a > kick start especially with Wicket 1.4.x > > Thanks, Peter > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2134111.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
I have also problems integrating security into my Wicket project. I wanted to use simple authentication form the application server as I used many times before with JSF applications, but it didn't work. Spring security sounds very good, but since I don't use spring in my Wicket application I didn't manage to get the examples form above to work. It would be nice, if anyone could post a little example application as a kick start especially with Wicket 1.4.x Thanks, Peter -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2134111.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Martijn wrote: > > Confluence and JIRA for Wicket Stuff have been down since the JIRA > attacks. I've enabled service to Confluence as I didn't see any files > that were tampered with, nor was there any indication that it had been > compromised in other installations. > > Confluence hasn't been updated with the release status because of this. I had no idea there was a JIRA attack. That explains a lot. > That said, we (the current Wicket Security maintainers) are 90% sure > that we'll move Wicket Security over to github, and host the > documentation there. ok, sounds like a good move. Thanks for a great project, by the way. I'm starting to like it more and more now. :) /Jimi -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2075000.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Confluence and JIRA for Wicket Stuff have been down since the JIRA attacks. I've enabled service to Confluence as I didn't see any files that were tampered with, nor was there any indication that it had been compromised in other installations. Confluence hasn't been updated with the release status because of this. That said, we (the current Wicket Security maintainers) are 90% sure that we'll move Wicket Security over to github, and host the documentation there. Martijn On Wed, Apr 28, 2010 at 3:11 PM, Jimi wrote: > > Reinout wrote: >> Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi: >> >> > 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >> > discussion labeled "is wicket-auth-roles discontinued?". And the >> comments on >> > the "Getting started with Swarm" wiki page is from 2007 and 2008, plus >> that >> > they talk about Acegi (the old name for Spring Security) and the project >> has >> > dependencies to Wicket 1.3 and Spring 2.0. >> >> This lives on as a wicket-stuff subproject. >> Just yesterday a new version, 1.4rc1 was announced on this list: >> >> http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350 > > Interesting... I looked for postings about wicket security in this mailing > list before that posting, during Monday, and when I wrote my posting > yesterday I didn't think to look again to see if any more security related > postings had come in. But apparently it had... =) > > Now I also found this posting about Wicket Security: > > http://apache-wicket.1842946.n4.nabble.com/Future-of-Wicket-Security-WASP-SWARM-tt1908153.html#a1908153 > > And I tend to agree with the last post, by Antoine. Wicketstuff feels a bit > like a playground, with production ready projects mixed with crude > copy-paste-example projects. > > By the way, isn't > http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security the > "official" web site for it? Because it doesn't mention 1.4rc1 > > Regards > /Jimi > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2069145.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Become a Wicket expert, learn from the best: http://wicketinaction.com Apache Wicket 1.4 increases type safety for web applications Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.7 - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Reinout wrote: > Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi: > > > 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old > > discussion labeled "is wicket-auth-roles discontinued?". And the > comments on > > the "Getting started with Swarm" wiki page is from 2007 and 2008, plus > that > > they talk about Acegi (the old name for Spring Security) and the project > has > > dependencies to Wicket 1.3 and Spring 2.0. > > This lives on as a wicket-stuff subproject. > Just yesterday a new version, 1.4rc1 was announced on this list: > > http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350 Interesting... I looked for postings about wicket security in this mailing list before that posting, during Monday, and when I wrote my posting yesterday I didn't think to look again to see if any more security related postings had come in. But apparently it had... =) Now I also found this posting about Wicket Security: http://apache-wicket.1842946.n4.nabble.com/Future-of-Wicket-Security-WASP-SWARM-tt1908153.html#a1908153 And I tend to agree with the last post, by Antoine. Wicketstuff feels a bit like a playground, with production ready projects mixed with crude copy-paste-example projects. By the way, isn't http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security the "official" web site for it? Because it doesn't mention 1.4rc1 Regards /Jimi -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2069145.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Those two classes are here: http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/security/ They're part of my "advanced wicket" demo code. The project already h On Wed, Apr 28, 2010 at 6:18 AM, Giovanni wrote: > James, can you share your SpringSecurityWebApplication and > SpringSecurityWebSession > classes? > > If you also write a small tutorial on how to use them, it will be great. > > Best regards, > giovanni > > > > > > > From: James Carman > To: users@wicket.apache.org > Sent: Wed, April 28, 2010 1:51:57 AM > Subject: Re: Wicket + security, what are the best options? Spring Security > reached almost all the way... > > I have a SpringSecurityWebApplication and SpringSecurityWebSession > class you can use if you want. > > On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford wrote: >> You can use Spring security with wicket auth-roles, I works out pretty nice >> compared to the alternatives. iirc You need do your normal Spring >> setup, extend AuthenticatedWicketApplication, and AuthenticatedSession >> which has an authenticate method you'll call your UserDetails bean from. >> >> Outdated Link >> https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 >> >> >> On Tue, Apr 27, 2010 at 7:20 PM, Jimi wrote: >> >>> >>> Hi, >>> >>> I'm curious to know what security frameworks you guys are using. >>> >>> The reason I'm asking is because I recently tried out Spring Security >>> together with a simple wicket web application, and was amazed on how easy >>> it >>> was. I applied the steps mentioned in their Pet Clinic tutorial >>> ( >>> http://static.springsource.org/spring-security/site/petclinic-tutorial.html >>> ) >>> more or less exactly as they are, and I didn't have to write a single line >>> of code. All was done using configuration. And even when I replaced the >>> hard >>> coded list of users (with their passwords and groups) with my custom >>> authentication provider (or actually custom UserDetailsService) I only had >>> two write two simple classes that implemented two very simple and logical >>> interfaces respectively, that used my pre existing hibernate configuration >>> and POJOs. >>> >>> BUT... when I wanted to replace the auto generated login screen (which >>> worked great, but just didn't look very appealing) with a custom login page >>> I quickly ran into trouble. If the login was successful then all was fine. >>> But for the cases when the login failed for some reason (like incorrect >>> username/password or database being down) I was having problems accessing >>> the error cause. Because as far as I could tell this message (actually an >>> Exception subclass) was only available as a http session attribute. And it >>> seems that Wicket does everything to hide those from the user, discourages >>> the use of the getHttpServletRequest() and the session attributes of the >>> wicket session object only seems to include attributes with a specific >>> wicket-prefix (like "wicket:wicket.myProject:") which of course caused my >>> precious Spring Security session attributes to be unavailable. >>> >>> It was then I started thinking that Spring Security maybe isn't the best >>> security framework together with Wicket. So I started looking around for >>> other alternatives. Wicket-security/WASP/SWARM (still not sure what is >>> what) >>> and "wicket auth roles" where the first two, and some time later I also >>> heard about wicket-shiro. >>> >>> But all these three seemed to have one or more of the following down sides >>> that irritated me when I evaluated them: >>> >>> 1. Missing official site. [wicket auth roles] At least I can't find it. >>> >>> 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >>> discussion labeled "is wicket-auth-roles discontinued?". And the comments >>> on >>> the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that >>> they talk about Acegi (the old name for Spring Security) and the project >>> has >>> dependencies to Wicket 1.3 and Spring 2.0. >>> >>> 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to >>> check
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Those two classes are here: http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/security/ They're part of my "advanced wicket" demo code. The project already has them set up and working, so you can look there for a tutorial. On Wed, Apr 28, 2010 at 6:18 AM, Giovanni wrote: > James, can you share your SpringSecurityWebApplication and > SpringSecurityWebSession > classes? > > If you also write a small tutorial on how to use them, it will be great. > > Best regards, > giovanni > > > > > > > From: James Carman > To: users@wicket.apache.org > Sent: Wed, April 28, 2010 1:51:57 AM > Subject: Re: Wicket + security, what are the best options? Spring Security > reached almost all the way... > > I have a SpringSecurityWebApplication and SpringSecurityWebSession > class you can use if you want. > > On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford wrote: >> You can use Spring security with wicket auth-roles, I works out pretty nice >> compared to the alternatives. iirc You need do your normal Spring >> setup, extend AuthenticatedWicketApplication, and AuthenticatedSession >> which has an authenticate method you'll call your UserDetails bean from. >> >> Outdated Link >> https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 >> >> >> On Tue, Apr 27, 2010 at 7:20 PM, Jimi wrote: >> >>> >>> Hi, >>> >>> I'm curious to know what security frameworks you guys are using. >>> >>> The reason I'm asking is because I recently tried out Spring Security >>> together with a simple wicket web application, and was amazed on how easy >>> it >>> was. I applied the steps mentioned in their Pet Clinic tutorial >>> ( >>> http://static.springsource.org/spring-security/site/petclinic-tutorial.html >>> ) >>> more or less exactly as they are, and I didn't have to write a single line >>> of code. All was done using configuration. And even when I replaced the >>> hard >>> coded list of users (with their passwords and groups) with my custom >>> authentication provider (or actually custom UserDetailsService) I only had >>> two write two simple classes that implemented two very simple and logical >>> interfaces respectively, that used my pre existing hibernate configuration >>> and POJOs. >>> >>> BUT... when I wanted to replace the auto generated login screen (which >>> worked great, but just didn't look very appealing) with a custom login page >>> I quickly ran into trouble. If the login was successful then all was fine. >>> But for the cases when the login failed for some reason (like incorrect >>> username/password or database being down) I was having problems accessing >>> the error cause. Because as far as I could tell this message (actually an >>> Exception subclass) was only available as a http session attribute. And it >>> seems that Wicket does everything to hide those from the user, discourages >>> the use of the getHttpServletRequest() and the session attributes of the >>> wicket session object only seems to include attributes with a specific >>> wicket-prefix (like "wicket:wicket.myProject:") which of course caused my >>> precious Spring Security session attributes to be unavailable. >>> >>> It was then I started thinking that Spring Security maybe isn't the best >>> security framework together with Wicket. So I started looking around for >>> other alternatives. Wicket-security/WASP/SWARM (still not sure what is >>> what) >>> and "wicket auth roles" where the first two, and some time later I also >>> heard about wicket-shiro. >>> >>> But all these three seemed to have one or more of the following down sides >>> that irritated me when I evaluated them: >>> >>> 1. Missing official site. [wicket auth roles] At least I can't find it. >>> >>> 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >>> discussion labeled "is wicket-auth-roles discontinued?". And the comments >>> on >>> the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that >>> they talk about Acegi (the old name for Spring Security) and the project >>> has >>> dependencies to Wicket 1.3 and Spring 2.0. >>> >>> 3. Doesn't seem stable. [wicket-
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi: > 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old > discussion labeled "is wicket-auth-roles discontinued?". And the comments on > the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that > they talk about Acegi (the old name for Spring Security) and the project has > dependencies to Wicket 1.3 and Spring 2.0. This lives on as a wicket-stuff subproject. Just yesterday a new version, 1.4rc1 was announced on this list: http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350 regards, -- Reinout van Schouwen - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Thanks for that kind suggestion, but I already have working SecurityWebApplication and SecurityWebSession implementations. And my problem was never a lack of code examples, but instead my problem was the need for so much boilerplate code in the first place. I get the feeling most of this code can be exactly the same for a lot of projects, and then it would be logical to have a shared base for all these projects, maybe as a part of SWARM/WASP, or wicket auth roles or wicket-shiro. Regards /Jimi > I have a SpringSecurityWebApplication and SpringSecurityWebSession > class you can use if you want. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068916.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
James, can you share your SpringSecurityWebApplication and SpringSecurityWebSession classes? If you also write a small tutorial on how to use them, it will be great. Best regards, giovanni From: James Carman To: users@wicket.apache.org Sent: Wed, April 28, 2010 1:51:57 AM Subject: Re: Wicket + security, what are the best options? Spring Security reached almost all the way... I have a SpringSecurityWebApplication and SpringSecurityWebSession class you can use if you want. On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford wrote: > You can use Spring security with wicket auth-roles, I works out pretty nice > compared to the alternatives. iirc You need do your normal Spring > setup, extend AuthenticatedWicketApplication, and AuthenticatedSession > which has an authenticate method you'll call your UserDetails bean from. > > Outdated Link > https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 > > > On Tue, Apr 27, 2010 at 7:20 PM, Jimi wrote: > >> >> Hi, >> >> I'm curious to know what security frameworks you guys are using. >> >> The reason I'm asking is because I recently tried out Spring Security >> together with a simple wicket web application, and was amazed on how easy >> it >> was. I applied the steps mentioned in their Pet Clinic tutorial >> ( >> http://static.springsource.org/spring-security/site/petclinic-tutorial.html >> ) >> more or less exactly as they are, and I didn't have to write a single line >> of code. All was done using configuration. And even when I replaced the >> hard >> coded list of users (with their passwords and groups) with my custom >> authentication provider (or actually custom UserDetailsService) I only had >> two write two simple classes that implemented two very simple and logical >> interfaces respectively, that used my pre existing hibernate configuration >> and POJOs. >> >> BUT... when I wanted to replace the auto generated login screen (which >> worked great, but just didn't look very appealing) with a custom login page >> I quickly ran into trouble. If the login was successful then all was fine. >> But for the cases when the login failed for some reason (like incorrect >> username/password or database being down) I was having problems accessing >> the error cause. Because as far as I could tell this message (actually an >> Exception subclass) was only available as a http session attribute. And it >> seems that Wicket does everything to hide those from the user, discourages >> the use of the getHttpServletRequest() and the session attributes of the >> wicket session object only seems to include attributes with a specific >> wicket-prefix (like "wicket:wicket.myProject:") which of course caused my >> precious Spring Security session attributes to be unavailable. >> >> It was then I started thinking that Spring Security maybe isn't the best >> security framework together with Wicket. So I started looking around for >> other alternatives. Wicket-security/WASP/SWARM (still not sure what is >> what) >> and "wicket auth roles" where the first two, and some time later I also >> heard about wicket-shiro. >> >> But all these three seemed to have one or more of the following down sides >> that irritated me when I evaluated them: >> >> 1. Missing official site. [wicket auth roles] At least I can't find it. >> >> 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >> discussion labeled "is wicket-auth-roles discontinued?". And the comments >> on >> the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that >> they talk about Acegi (the old name for Spring Security) and the project >> has >> dependencies to Wicket 1.3 and Spring 2.0. >> >> 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to >> check out trunk and build yourself) and has three different SNAPSHOT >> dependencies. >> >> 4. Seems to require a lot of different project specific java classes. [all >> three]. >> >> >> The last point, number 4, is a really big down side if you ask me. Keep in >> mind that I was able to integrate Spring Security almost completely in my >> wicket web application with very little new java code needed. And that is a >> good thing, because project specific code is of course much less tested and >> tried compared to official stable code of reputable frameworks. Plus that I >> don't have to reinvent the wheel
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Thanks for the link. I've already looked at that page and besides the fact that alot of the xml/code is missing in the beginning (like web.xml) I was shocked by the amount of boilerplate code needed to get the wicket side working. That tells me that either 1) people actually copy-paste all this boilerplate code and maybe do minor modifications for their project 2) people use this code as a guide, and write a lot of the implementation them selfs 3) there is some easier (but undocumented) way to use wicket auth-roles (or WASP/SWARM or wicket-shiro), with way less boilerplate code needed. Maybe . 4) people use some other framework 1 and 2 seems just plain wrong, the way I see it. If 3 or 4 is the case I would love to hear about it from someone. /Jimi > You can use Spring security with wicket auth-roles, I works out pretty > nice > compared to the alternatives. iirc You need do your normal Spring > setup, extend AuthenticatedWicketApplication, and AuthenticatedSession > which has an authenticate method you'll call your UserDetails bean from. > > Outdated Link > https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068908.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
html >> , >> but after creating class after class after class of in-my-eyes boilerplate >> code I got the overwhelming feeling that I was making my project more and >> more dirty. And, more importantly, I got the feeling that this shouldn't be >> so complicated. Other people surely have done this before, and maybe there >> is a good, stable and official framework/plugin/whatever that makes Spring >> Security and Wicket integration into a breeze. Which it really was when I >> followed the Pet Clinic tutorial (see URL above), since that used the auto >> generated login form. >> >> So, any input from you guys? What do you use to secure your wicket web >> sites? Or maybe someone can explain how to best solve my Wicket+Spring >> Security problem with the "hidden" http session attributes? >> >> Also, I hope I didn't step on anybody's toes with my list of down sides. >> Maybe I just haven't found the right web pages that document these >> frameworks(?) and how easy it can be to use them. Tips more then welcome! >> >> Regards >> /Jimi Hullegård >> -- >> View this message in context: >> http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068415.html >> Sent from the Wicket - User mailing list archive at Nabble.com. >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
I > followed the Pet Clinic tutorial (see URL above), since that used the auto > generated login form. > > So, any input from you guys? What do you use to secure your wicket web > sites? Or maybe someone can explain how to best solve my Wicket+Spring > Security problem with the "hidden" http session attributes? > > Also, I hope I didn't step on anybody's toes with my list of down sides. > Maybe I just haven't found the right web pages that document these > frameworks(?) and how easy it can be to use them. Tips more then welcome! > > Regards > /Jimi Hullegård > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068415.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > >
Wicket + security, what are the best options? Spring Security reached almost all the way...
Hi, I'm curious to know what security frameworks you guys are using. The reason I'm asking is because I recently tried out Spring Security together with a simple wicket web application, and was amazed on how easy it was. I applied the steps mentioned in their Pet Clinic tutorial (http://static.springsource.org/spring-security/site/petclinic-tutorial.html) more or less exactly as they are, and I didn't have to write a single line of code. All was done using configuration. And even when I replaced the hard coded list of users (with their passwords and groups) with my custom authentication provider (or actually custom UserDetailsService) I only had two write two simple classes that implemented two very simple and logical interfaces respectively, that used my pre existing hibernate configuration and POJOs. BUT... when I wanted to replace the auto generated login screen (which worked great, but just didn't look very appealing) with a custom login page I quickly ran into trouble. If the login was successful then all was fine. But for the cases when the login failed for some reason (like incorrect username/password or database being down) I was having problems accessing the error cause. Because as far as I could tell this message (actually an Exception subclass) was only available as a http session attribute. And it seems that Wicket does everything to hide those from the user, discourages the use of the getHttpServletRequest() and the session attributes of the wicket session object only seems to include attributes with a specific wicket-prefix (like "wicket:wicket.myProject:") which of course caused my precious Spring Security session attributes to be unavailable. It was then I started thinking that Spring Security maybe isn't the best security framework together with Wicket. So I started looking around for other alternatives. Wicket-security/WASP/SWARM (still not sure what is what) and "wicket auth roles" where the first two, and some time later I also heard about wicket-shiro. But all these three seemed to have one or more of the following down sides that irritated me when I evaluated them: 1. Missing official site. [wicket auth roles] At least I can't find it. 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old discussion labeled "is wicket-auth-roles discontinued?". And the comments on the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that they talk about Acegi (the old name for Spring Security) and the project has dependencies to Wicket 1.3 and Spring 2.0. 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to check out trunk and build yourself) and has three different SNAPSHOT dependencies. 4. Seems to require a lot of different project specific java classes. [all three]. The last point, number 4, is a really big down side if you ask me. Keep in mind that I was able to integrate Spring Security almost completely in my wicket web application with very little new java code needed. And that is a good thing, because project specific code is of course much less tested and tried compared to official stable code of reputable frameworks. Plus that I don't have to reinvent the wheel, considering the simple authentication and authorization demands of my project. The only thing stopping me was this stupid error message in the "unavailable" http session attribute. I actually started converting my project into a WASP/SWARM project, using the example project from http://out-println.blogspot.com/2009/02/wicket-swarm-spring-security-how-to.html, but after creating class after class after class of in-my-eyes boilerplate code I got the overwhelming feeling that I was making my project more and more dirty. And, more importantly, I got the feeling that this shouldn't be so complicated. Other people surely have done this before, and maybe there is a good, stable and official framework/plugin/whatever that makes Spring Security and Wicket integration into a breeze. Which it really was when I followed the Pet Clinic tutorial (see URL above), since that used the auto generated login form. So, any input from you guys? What do you use to secure your wicket web sites? Or maybe someone can explain how to best solve my Wicket+Spring Security problem with the "hidden" http session attributes? Also, I hope I didn't step on anybody's toes with my list of down sides. Maybe I just haven't found the right web pages that document these frameworks(?) and how easy it can be to use them. Tips more then welcome! Regards /Jimi Hullegård -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068415.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
