Re: Wicket security and JavaMelody
I ended having to write a custom JDBC Realm since i have used a salt for
users passwords.
import org.apache.catalina.realm.JDBCRealm;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import
org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import java.security.Principal;
/**
* @author
*/
public class EazyregnskabRealm extends JDBCRealm {
private static final Log log =
LogFactory.getLog(EazyregnskabRealm.class);
ShaPasswordEncoder encoder = new ShaPasswordEncoder(256);
@Override
protected String getName() {
return this.getClass().getSimpleName();
}
@Override
public synchronized Principal authenticate(String username, String
credentials) {
String unDigestedPassword = credentials;
String digestedPassword =
encoder.encodePassword(unDigestedPassword, username);
return super.authenticate(username, digestedPassword);
}
}
web.xml
BASIC
Monitoring
USER
MONITOR
Monitoring
/monitoring
MONITOR
server.xml
The EazyregnskabRealm.class must be made into a jar, this and all other
dependencies should be put in the tomcat lib folder. Hope someone else can
use this.
Med venlig hilsen / Best regards
Tommy Sadiq Hinrichsen
Selvstændig IT-udvikler
HD-ØP
Humlebækgade 16, 1.tv.
2200 København N
Tlf: 26 24 14 36
Mangler du en billig anlægsgartner, så prøv http://www.sl-haveanlaeg.dk
2013/8/19 Tommy Sadiq Hinrichsen
> I use for authorizing wicket pages, but javaMelody's monitoring page is
> not a wicket page.
>
>
> Med venlig hilsen / Best regards
>
> Tommy Sadiq Hinrichsen
> Selvstændig IT-udvikler
> HD-ØP
>
> Humlebækgade 16, 1.tv.
> 2200 København N
> Tlf: 26 24 14 36
>
> Mangler du en billig anlægsgartner, så prøv http://www.sl-haveanlaeg.dk
>
>
> 2013/8/19 Martin Grigorov
>
>> Hi,
>>
>>
>> On Mon, Aug 19, 2013 at 1:09 PM, Tommy Sadiq Hinrichsen <
>> tommy.ly...@gmail.com> wrote:
>>
>> > Hi
>> >
>> > I'm using Wicket security for authorization and authentication.
>> >
>>
>> Do you already use it for authorizing other pages ?
>>
>>
>> >
>> > I have included java melody to monitor the tomcat server where the web
>> app
>> > is running and i would like to limit access to the monitoring page. Is
>> > there some way to do that with wicket security?
>> >
>>
>> Just like for authorizing any other page.
>>
>>
>> Check http://wicketguide.comsysto.com/guide/chapter19.html for intro to
>> security in Wicket.
>>
>>
>> >
>> > Med venlig hilsen / Best regards
>> >
>> > Tommy Sadiq Hinrichsen
>> > Selvstændig IT-udvikler
>> > HD-ØP
>> >
>> > Humlebækgade 16, 1.tv.
>> > 2200 København N
>> > Tlf: 26 24 14 36
>> >
>> > Mangler du en billig anlægsgartner, så prøv http://www.sl-haveanlaeg.dk
>> >
>>
>
>
Re: Wicket security and JavaMelody
I use for authorizing wicket pages, but javaMelody's monitoring page is not a wicket page. Med venlig hilsen / Best regards Tommy Sadiq Hinrichsen Selvstændig IT-udvikler HD-ØP Humlebækgade 16, 1.tv. 2200 København N Tlf: 26 24 14 36 Mangler du en billig anlægsgartner, så prøv http://www.sl-haveanlaeg.dk 2013/8/19 Martin Grigorov > Hi, > > > On Mon, Aug 19, 2013 at 1:09 PM, Tommy Sadiq Hinrichsen < > tommy.ly...@gmail.com> wrote: > > > Hi > > > > I'm using Wicket security for authorization and authentication. > > > > Do you already use it for authorizing other pages ? > > > > > > I have included java melody to monitor the tomcat server where the web > app > > is running and i would like to limit access to the monitoring page. Is > > there some way to do that with wicket security? > > > > Just like for authorizing any other page. > > > Check http://wicketguide.comsysto.com/guide/chapter19.html for intro to > security in Wicket. > > > > > > Med venlig hilsen / Best regards > > > > Tommy Sadiq Hinrichsen > > Selvstændig IT-udvikler > > HD-ØP > > > > Humlebækgade 16, 1.tv. > > 2200 København N > > Tlf: 26 24 14 36 > > > > Mangler du en billig anlægsgartner, så prøv http://www.sl-haveanlaeg.dk > > >
Re: Wicket security and JavaMelody
Hi, On Mon, Aug 19, 2013 at 1:09 PM, Tommy Sadiq Hinrichsen < tommy.ly...@gmail.com> wrote: > Hi > > I'm using Wicket security for authorization and authentication. > Do you already use it for authorizing other pages ? > > I have included java melody to monitor the tomcat server where the web app > is running and i would like to limit access to the monitoring page. Is > there some way to do that with wicket security? > Just like for authorizing any other page. Check http://wicketguide.comsysto.com/guide/chapter19.html for intro to security in Wicket. > > Med venlig hilsen / Best regards > > Tommy Sadiq Hinrichsen > Selvstændig IT-udvikler > HD-ØP > > Humlebækgade 16, 1.tv. > 2200 København N > Tlf: 26 24 14 36 > > Mangler du en billig anlægsgartner, så prøv http://www.sl-haveanlaeg.dk >
Wicket security and JavaMelody
Hi I'm using Wicket security for authorization and authentication. I have included java melody to monitor the tomcat server where the web app is running and i would like to limit access to the monitoring page. Is there some way to do that with wicket security? Med venlig hilsen / Best regards Tommy Sadiq Hinrichsen Selvstændig IT-udvikler HD-ØP Humlebækgade 16, 1.tv. 2200 København N Tlf: 26 24 14 36 Mangler du en billig anlægsgartner, så prøv http://www.sl-haveanlaeg.dk
Re: Wicket Security examples
We have Wicket running with Shiro since version 1.4, and it's still doing fine under 6.7. Due to time restrictions I haven't looked into wicket-shiro for a long time, but no problems have surfaced. Natalie -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-Security-examples-tp4659398p4659474.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket Security examples
> Also, I'm interested in hearing anyone's insight into using Apache Shiro with Wicket. Our senior management is pretty keen on seeing us implement a security framework that has a more powerful set of features. I've found Shiro to be "mostly" easy to implement, with the exception of managing multiple authentication realms. I was also curious to know, considering the age of Wicket Shiro, whether or not that plug-in will work with Wicket 6.8 or if it's restricted to 1.5 or earlier. Are there any problems with Wicket Auth/Roles that might be better handled with a security framework like Apache Shiro? You might want to have a look at Spring Security, when you are comparing different Security Frameworks. For most use cases, Wicket Auth/Roles will probably suffice, though. If you want to have look, I made a little example project integrating Spring Security and Wicket at https://github.com/thombergs/wicket-spring-security-example. Regards, Tom -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-Security-examples-tp4659398p4659470.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
RE: Wicket Security examples
Not sure how I missed that, thanks Martijn. -Original Message- From: Martijn Dashorst [mailto:martijn.dasho...@gmail.com] Sent: Tuesday, June 11, 2013 12:52 PM To: users@wicket.apache.org Subject: Re: Wicket Security examples http://www.wicket-library.com/wicket-examples/index.html See the authentication-1 through authentication-3 examples. Martijn On Tue, Jun 11, 2013 at 7:18 PM, Michael Chandler wrote: > Good morning, > > I'm having a hard time finding some solid example implementations of Wicket > Auth/Roles, specifically regarding authentication. I think the documentation > on the link below is well spelled out, but it would be nice to see an example > of Authentication. > > http://wicket.apache.org/learn/projects/authroles.html > > The current authentication example that is linked on that page returns a 404. > > Also, I'm interested in hearing anyone's insight into using Apache Shiro with > Wicket. Our senior management is pretty keen on seeing us implement a > security framework that has a more powerful set of features. I've found > Shiro to be "mostly" easy to implement, with the exception of managing > multiple authentication realms. I was also curious to know, considering the > age of Wicket Shiro, whether or not that plug-in will work with Wicket 6.8 or > if it's restricted to 1.5 or earlier. Are there any problems with Wicket > Auth/Roles that might be better handled with a security framework like Apache > Shiro? > > https://github.com/wicketstuff/core/tree/core-1.5.x/jdk-1.5-parent/shi > ro-security > > Thanks so much for any input you can offer. > > Regards, > > Mike -- Become a Wicket expert, learn from the best: http://wicketinaction.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket Security examples
http://www.wicket-library.com/wicket-examples/index.html See the authentication-1 through authentication-3 examples. Martijn On Tue, Jun 11, 2013 at 7:18 PM, Michael Chandler wrote: > Good morning, > > I'm having a hard time finding some solid example implementations of Wicket > Auth/Roles, specifically regarding authentication. I think the documentation > on the link below is well spelled out, but it would be nice to see an example > of Authentication. > > http://wicket.apache.org/learn/projects/authroles.html > > The current authentication example that is linked on that page returns a 404. > > Also, I'm interested in hearing anyone's insight into using Apache Shiro with > Wicket. Our senior management is pretty keen on seeing us implement a > security framework that has a more powerful set of features. I've found > Shiro to be "mostly" easy to implement, with the exception of managing > multiple authentication realms. I was also curious to know, considering the > age of Wicket Shiro, whether or not that plug-in will work with Wicket 6.8 or > if it's restricted to 1.5 or earlier. Are there any problems with Wicket > Auth/Roles that might be better handled with a security framework like Apache > Shiro? > > https://github.com/wicketstuff/core/tree/core-1.5.x/jdk-1.5-parent/shiro-security > > Thanks so much for any input you can offer. > > Regards, > > Mike -- Become a Wicket expert, learn from the best: http://wicketinaction.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Wicket Security examples
Good morning, I'm having a hard time finding some solid example implementations of Wicket Auth/Roles, specifically regarding authentication. I think the documentation on the link below is well spelled out, but it would be nice to see an example of Authentication. http://wicket.apache.org/learn/projects/authroles.html The current authentication example that is linked on that page returns a 404. Also, I'm interested in hearing anyone's insight into using Apache Shiro with Wicket. Our senior management is pretty keen on seeing us implement a security framework that has a more powerful set of features. I've found Shiro to be "mostly" easy to implement, with the exception of managing multiple authentication realms. I was also curious to know, considering the age of Wicket Shiro, whether or not that plug-in will work with Wicket 6.8 or if it's restricted to 1.5 or earlier. Are there any problems with Wicket Auth/Roles that might be better handled with a security framework like Apache Shiro? https://github.com/wicketstuff/core/tree/core-1.5.x/jdk-1.5-parent/shiro-security Thanks so much for any input you can offer. Regards, Mike
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
Wicket security for 1.4 is no longer maintained and it was never released as part of WicketStuff core. If you want to use wicket security on 1.4, I suggest you build it yourself from https://github.com/dashorst/wicketstuff-security . This is where we put it before adding it to WicketStuff core. Starting with 1.5, wicket security is part of core and released together with the other modules. The WicketStuff maven repository is no longer available, as far as I know. Best regards, Emond On Thursday 19 April 2012 12:20:48 Martin Grigorov wrote: > Hi, > > Check wicketstuff-security-** modules at > http://repo1.maven.org/maven2/org/wicketstuff/ > > On Thu, Apr 19, 2012 at 12:01 PM, Leonardo D'Alimonte > > wrote: > > Hi everybody, > > > > I'm still having troubles downloading Swarm 1.4 from the Wicketstuff Maven > > repository, GitHub alerts me that "File Not Found"... > > Is this version (i know isn't the latest..) so difficult to recover?? > > > > Thanks, > > Leonardo > > > > -- > > View this message in context: > > http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-secu > > rity-1-4-1-released-roadmap-for-future-direction-tp2543742p4570279.html > > Sent from the Users forum mailing list archive at Nabble.com. > > > > - > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > > For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
Hi, Check wicketstuff-security-** modules at http://repo1.maven.org/maven2/org/wicketstuff/ On Thu, Apr 19, 2012 at 12:01 PM, Leonardo D'Alimonte wrote: > Hi everybody, > > I'm still having troubles downloading Swarm 1.4 from the Wicketstuff Maven > repository, GitHub alerts me that "File Not Found"... > Is this version (i know isn't the latest..) so difficult to recover?? > > Thanks, > Leonardo > > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-security-1-4-1-released-roadmap-for-future-direction-tp2543742p4570279.html > Sent from the Users forum mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > -- Martin Grigorov jWeekend Training, Consulting, Development http://jWeekend.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
Hi everybody, I'm still having troubles downloading Swarm 1.4 from the Wicketstuff Maven repository, GitHub alerts me that "File Not Found"... Is this version (i know isn't the latest..) so difficult to recover?? Thanks, Leonardo -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-security-1-4-1-released-roadmap-for-future-direction-tp2543742p4570279.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
Great! The main repository (http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security/swarm/) seems to miss the latest release of Swarm, I can see only 1.4-SNAPSHOT/ and with incomplete dependencies...anyway the mirror repository works perfectly :) Leonardo Martijn Dashorst wrote: > > All is working now. > > Martijn > > On Tue, Nov 1, 2011 at 3:48 PM, Martijn Dashorst > <martijn.dashorst@> wrote: >> On Tue, Nov 1, 2011 at 3:41 PM, Martijn Dashorst >> <martijn.dashorst@> wrote: >>> It is not your problem, but strange enough the main page just works... >> >> It appears that mij hosting provider has reset/blocked the account for >> the mysql database. Investigating how to reset the password. >> >> Martijn >> > > > > -- > Become a Wicket expert, learn from the best: http://wicketinaction.com > > - > To unsubscribe, e-mail: users-unsubscribe@.apache > For additional commands, e-mail: users-help@.apache > -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-security-1-4-1-released-roadmap-for-future-direction-tp2543742p3983473.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
All is working now. Martijn On Tue, Nov 1, 2011 at 3:48 PM, Martijn Dashorst wrote: > On Tue, Nov 1, 2011 at 3:41 PM, Martijn Dashorst > wrote: >> It is not your problem, but strange enough the main page just works... > > It appears that mij hosting provider has reset/blocked the account for > the mysql database. Investigating how to reset the password. > > Martijn > -- Become a Wicket expert, learn from the best: http://wicketinaction.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
Sounds good, the workaround of adding mirror repository to the pom works finally. Now I'm going on having discussions with properties file inside the project and resolving JUnit errors. Leonardo Martijn Dashorst wrote: > > On Tue, Nov 1, 2011 at 3:41 PM, Martijn Dashorst > <martijn.dashorst@> wrote: >> It is not your problem, but strange enough the main page just works... > > It appears that mij hosting provider has reset/blocked the account for > the mysql database. Investigating how to reset the password. > > Martijn > > - > To unsubscribe, e-mail: users-unsubscribe@.apache > For additional commands, e-mail: users-help@.apache > -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-security-1-4-1-released-roadmap-for-future-direction-tp2543742p3964178.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
On Tue, Nov 1, 2011 at 3:41 PM, Martijn Dashorst wrote: > It is not your problem, but strange enough the main page just works... It appears that mij hosting provider has reset/blocked the account for the mysql database. Investigating how to reset the password. Martijn - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
On Tue, Nov 1, 2011 at 3:32 PM, Leonardo D'Alimonte wrote: > Martin, > > you mean this machine goes on 503 error often: > http://wicketstuff.org/maven/mirror ? > I found lots of errors here instead: > http://wicketinaction.com/2010/05/wicket-security-wasp-and-swarm-1-4-released/ > Every time I try to connect there it answers: "Error establishing a database > connection", don't know if it's a problem of mine.. It is not your problem, but strange enough the main page just works... Martijn > > > Leonardo > > > Martin Grigorov-4 wrote: >> >> On Tue, Nov 1, 2011 at 3:12 PM, Martijn Dashorst >> <martijn.dashorst@> wrote: >>> On Tue, Nov 1, 2011 at 1:59 PM, Martijn Dashorst >>> <martijn.dashorst@> wrote: >>>> Try >>>> >>>> http://wicketstuff.org/maven/mirror >>>> >>>> I've uploaded our internal artifactory wicketstuff cache. >>> >>> Note that this directory will go away once I find out how to do a >>> rsync on the box (not installed or available on path). If/when that >>> happens the artifacts will become available under the >>> http://wicketstuff.org/maven/repository moniker. >>> >>> Martijn >>> >>> (should we run an artifactory at that machine instead?) >> >> That machine most of the time returns 503 ... >> >>> >>> - >>> To unsubscribe, e-mail: users-unsubscribe@.apache >>> For additional commands, e-mail: users-help@.apache >>> >>> >> >> >> >> -- >> Martin Grigorov >> jWeekend >> Training, Consulting, Development >> http://jWeekend.com >> >> - >> To unsubscribe, e-mail: users-unsubscribe@.apache >> For additional commands, e-mail: users-help@.apache >> > > > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-security-1-4-1-released-roadmap-for-future-direction-tp2543742p3963720.html > Sent from the Users forum mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Become a Wicket expert, learn from the best: http://wicketinaction.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
Martin, you mean this machine goes on 503 error often: http://wicketstuff.org/maven/mirror ? I found lots of errors here instead: http://wicketinaction.com/2010/05/wicket-security-wasp-and-swarm-1-4-released/ Every time I try to connect there it answers: "Error establishing a database connection", don't know if it's a problem of mine.. Leonardo Martin Grigorov-4 wrote: > > On Tue, Nov 1, 2011 at 3:12 PM, Martijn Dashorst > <martijn.dashorst@> wrote: >> On Tue, Nov 1, 2011 at 1:59 PM, Martijn Dashorst >> <martijn.dashorst@> wrote: >>> Try >>> >>> http://wicketstuff.org/maven/mirror >>> >>> I've uploaded our internal artifactory wicketstuff cache. >> >> Note that this directory will go away once I find out how to do a >> rsync on the box (not installed or available on path). If/when that >> happens the artifacts will become available under the >> http://wicketstuff.org/maven/repository moniker. >> >> Martijn >> >> (should we run an artifactory at that machine instead?) > > That machine most of the time returns 503 ... > >> >> - >> To unsubscribe, e-mail: users-unsubscribe@.apache >> For additional commands, e-mail: users-help@.apache >> >> > > > > -- > Martin Grigorov > jWeekend > Training, Consulting, Development > http://jWeekend.com > > ----- > To unsubscribe, e-mail: users-unsubscribe@.apache > For additional commands, e-mail: users-help@.apache > -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-security-1-4-1-released-roadmap-for-future-direction-tp2543742p3963720.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
On Tue, Nov 1, 2011 at 3:12 PM, Martijn Dashorst wrote: > On Tue, Nov 1, 2011 at 1:59 PM, Martijn Dashorst > wrote: >> Try >> >> http://wicketstuff.org/maven/mirror >> >> I've uploaded our internal artifactory wicketstuff cache. > > Note that this directory will go away once I find out how to do a > rsync on the box (not installed or available on path). If/when that > happens the artifacts will become available under the > http://wicketstuff.org/maven/repository moniker. > > Martijn > > (should we run an artifactory at that machine instead?) That machine most of the time returns 503 ... > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Martin Grigorov jWeekend Training, Consulting, Development http://jWeekend.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
On Tue, Nov 1, 2011 at 1:59 PM, Martijn Dashorst wrote: > Try > > http://wicketstuff.org/maven/mirror > > I've uploaded our internal artifactory wicketstuff cache. Note that this directory will go away once I find out how to do a rsync on the box (not installed or available on path). If/when that happens the artifacts will become available under the http://wicketstuff.org/maven/repository moniker. Martijn (should we run an artifactory at that machine instead?) - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
Try http://wicketstuff.org/maven/mirror I've uploaded our internal artifactory wicketstuff cache. Martijn On Tue, Nov 1, 2011 at 1:05 PM, Leonardo D'Alimonte wrote: > Hi Martjin! > > I'm trying to upgrade our project based on Wicket and Wicket-security > (Swarm) from version 1.3.6 to 1.4.18 > and from version 1.3.0 to 1.4.1 (Swarm)...work not so easy, because if I > follow your link to the the Wicketstuff repo, the only version I can find is > the 1.4-SNAPSHOT. If I had in my pom.xml the dependency to 1.4.1 version of > Swarm, Maven is happy and is capable to find it, but it download only the > pom, not the jar and all the dependencies. What I'm doing wrong? > > Thanks in advance.. > Leonardo > > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-security-1-4-1-released-roadmap-for-future-direction-tp2543742p3963284.html > Sent from the Users forum mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Become a Wicket expert, learn from the best: http://wicketinaction.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
Hi Martjin! I'm trying to upgrade our project based on Wicket and Wicket-security (Swarm) from version 1.3.6 to 1.4.18 and from version 1.3.0 to 1.4.1 (Swarm)...work not so easy, because if I follow your link to the the Wicketstuff repo, the only version I can find is the 1.4-SNAPSHOT. If I had in my pom.xml the dependency to 1.4.1 version of Swarm, Maven is happy and is capable to find it, but it download only the pom, not the jar and all the dependencies. What I'm doing wrong? Thanks in advance.. Leonardo -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/RELEASE-WASP-SWARM-Wicket-security-1-4-1-released-roadmap-for-future-direction-tp2543742p3963284.html Sent from the Users forum mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Wicket Security (Swarm/Wasp) 1.4.2 released
Releasing the Wicket Security project used to be a simple mvn release:prepare; mvn release:perform, but apparently something has changed where finding and fixing a bug took all of 30 minutes and releasing the software took over 3 hours with Maven's release plugin (times two developers). While I'm not sure what changed why the ssh wagon stopped working, the process was aggravated by the move to git (and the old pom's insistence on still thinking in SVN terms). Since the project needs to be in its own GIT repository for the release plugin to work, we moved it out of the wicketstuff sandbox, and temporarily put it in a git repository under https://github.com/dashorst/wicketstuff-security The reason for the release was a rare infinite loop that was caused by a race condition [1]. This occurred on our systems for the first time in about 4 years of production use. The release has been uploaded to the wicketstuff.org maven repository and can be obtained here: http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security/ The future will hold the following: - integrate build into wicketstuff core - move to a new package structure to fit inside wicketstuff core (including groupid) - upgrade to wicket 1.5 Emond and Martijn [1] https://github.com/dashorst/wicketstuff-security/commit/c38e017aed780b29993524b5bdcb3d427b3ba216 - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Best Wicket security practice
Apache shiro is one more - http://shiro.apache.org/ On Wed, Feb 9, 2011 at 3:14 AM, sakthi vel wrote: > Hello All, > > There are few security things in wicket like SWARM, Spring security with > wicket and so on. > Could anyone tell the best security practice in wicket and any possible > links would be great. >
Best Wicket security practice
Hello All, There are few security things in wicket like SWARM, Spring security with wicket and so on. Could anyone tell the best security practice in wicket and any possible links would be great.
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
For the names, I'd probably go for "Wicket Keeper" or playaround with services like this: http://acronymcreator.net A few samples from first shot of "framework formerly know as wicket security" : FRESh: Framework foRmerly wickEt Security FEISty: Framework formErly wIcket Security FLAWlEsS: Framework formerLy As WickEt Security ROAST: fRamework fOrmerly As SecuriTy regards Nino 2010/9/17 Martijn Dashorst : > The Wicket Security project WASP/SWARM has released a new version: 1.4.1 > > News worthy changes: > > * Moved code from SwarmStrategy to AbstractSwarmStrategy to allow > reuse with different implementations > * Logout now uses Session.invalidate() instead of invalidateNow(), to > prevent problems with the request logger > * Spring example is now based on Spring 3 > * Wicket dependency upgraded to 1.4.12 > > You can download the release from the Wicket stuff repository: > > http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security/ > > Or upgrade using the following in your pom: > > > org.apache.wicket.wicket-security > swarm > 1.4.1 > > > > ROADMAP > > > Milestone 1.5-M1 > > As Wicket Security will not be adopted into core, we'll be changing > the package name and project name going forward. We're still not sure > about the final name, but these two are the runners up: > > - Chitin > - Wicket Keeper > > Both are nice names, and both have their pros and cons. Let us know > which one you prefer. > > Furthermore we'll be adding new annotations such that you'll be able > to authorize your pages using a Java class (for the principal) and an > annotation on your page to specify which principals are required. This > will eliminate the need for the policy files. > > Future milestones > > * Support for Wicket 1.5 > * A new home > * Deployment to maven central instead of wicketstuff repo > > We expect to release the first milestone in a week or so. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
I haven't been following this that closely (I've only been acquainted with Wicket for a few days) but on installing Wasp and Swarm and then (on learning it wouldn't be a final solution) giving up on it to go back to wicket-auth-roles as a simpler solution, might there be another possibility? Why not work on finalising a wicket-security package that is comprised on a security API (with no implementation), then have Wasp, Swarm, some kind of Spring bridge, etc. as competing implementations? That would permit a stable security solution to be provided via API whilst not "polluting" the core with an unproven solution, or with a solution that will always have application-specific alternatives. Just an idea anyway. As to name, please choose one that isn't too cute. It doesn't have to be a brand, just a recognisable name or just an acronym with a reasonable explication. Ichiro On 9/17/10, Martijn Dashorst wrote: > The Wicket Security project WASP/SWARM has released a new version: 1.4.1 > > News worthy changes: > > * Moved code from SwarmStrategy to AbstractSwarmStrategy to allow > reuse with different implementations > * Logout now uses Session.invalidate() instead of invalidateNow(), to >prevent problems with the request logger > * Spring example is now based on Spring 3 > * Wicket dependency upgraded to 1.4.12 > > You can download the release from the Wicket stuff repository: > > http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security/ > > Or upgrade using the following in your pom: > > > org.apache.wicket.wicket-security > swarm > 1.4.1 > > > > ROADMAP > > > Milestone 1.5-M1 > > As Wicket Security will not be adopted into core, we'll be changing > the package name and project name going forward. We're still not sure > about the final name, but these two are the runners up: > > - Chitin > - Wicket Keeper > > Both are nice names, and both have their pros and cons. Let us know > which one you prefer. > > Furthermore we'll be adding new annotations such that you'll be able > to authorize your pages using a Java class (for the principal) and an > annotation on your page to specify which principals are required. This > will eliminate the need for the policy files. > > Future milestones > > * Support for Wicket 1.5 > * A new home > * Deployment to maven central instead of wicketstuff repo > > We expect to release the first milestone in a week or so. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
[RELEASE] WASP/SWARM/Wicket security 1.4.1 released, roadmap for future direction
The Wicket Security project WASP/SWARM has released a new version: 1.4.1 News worthy changes: * Moved code from SwarmStrategy to AbstractSwarmStrategy to allow reuse with different implementations * Logout now uses Session.invalidate() instead of invalidateNow(), to prevent problems with the request logger * Spring example is now based on Spring 3 * Wicket dependency upgraded to 1.4.12 You can download the release from the Wicket stuff repository: http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security/ Or upgrade using the following in your pom: org.apache.wicket.wicket-security swarm 1.4.1 ROADMAP Milestone 1.5-M1 As Wicket Security will not be adopted into core, we'll be changing the package name and project name going forward. We're still not sure about the final name, but these two are the runners up: - Chitin - Wicket Keeper Both are nice names, and both have their pros and cons. Let us know which one you prefer. Furthermore we'll be adding new annotations such that you'll be able to authorize your pages using a Java class (for the principal) and an annotation on your page to specify which principals are required. This will eliminate the need for the policy files. Future milestones * Support for Wicket 1.5 * A new home * Deployment to maven central instead of wicketstuff repo We expect to release the first milestone in a week or so. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket Security
The code is here: https://wicket-stuff.svn.sourceforge.net/svnroot/wicket-stuff/trunk/wicket-security The is example/ folder in it. On Wed, Aug 11, 2010 at 6:29 PM, sakthi vel wrote: > Hello, > > Could anyone tell about the features of wicket security and how it can be > implemented in wicket applications. > Possibly any references would be great. >
Wicket Security
Hello, Could anyone tell about the features of wicket security and how it can be implemented in wicket applications. Possibly any references would be great.
Re: [announce] Wicket Security 1.4 released!
Personally I think the hive file is sufficient. Also annotations take more time to compile :) 2010/6/11 Papegaaij [via Apache Wicket] < ml-node+2251368-1151411741-232...@n4.nabble.com > > On Wednesday 09 June 2010 21:30:39 ViShap wrote: > > I just stumbled upon this announce and didn't have the time to dig deep > > into the code, and the links you suggested don't mention anything, so i > > have a short question: > > > > Is it possible to use annotations instead of that manual hive-file? > > > > If not: Is it planned or if not, why is it discarded? > > With wicket-security 1.4, this is not possible. We (at Topicus) developed a > > set of annotations to replace the hive file, but at this moment it is not > clear if (or what part) of that set of annotations can be moved to wicket- > security and when I will have the time to do it. This will not be part of > 1.4, > but perhaps 1.5. > > Best regards, > Emond > > - > To unsubscribe, e-mail: [hidden > email]<http://user/SendEmail.jtp?type=node&node=2251368&i=0> > For additional commands, e-mail: [hidden > email]<http://user/SendEmail.jtp?type=node&node=2251368&i=1> > > > > -- > View message @ > http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-released-tp2237419p2251368.html > To start a new topic under Wicket - User, email > ml-node+1842947-1066186228-232...@n4.nabble.com > To unsubscribe from Wicket - User, click > here<http://apache-wicket.1842946.n4.nabble.com/subscriptions/Unsubscribe.jtp?code=bWV1bGVtYW5zLmRhdmlkQGdtYWlsLmNvbXwxODQyOTQ3fC0xOTcyOTcxMjQ2>. > > > -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-released-tp2237419p2251509.html Sent from the Wicket - User mailing list archive at Nabble.com.
Re: [announce] Wicket Security 1.4 released!
On Wednesday 09 June 2010 21:30:39 ViShap wrote: > I just stumbled upon this announce and didn't have the time to dig deep > into the code, and the links you suggested don't mention anything, so i > have a short question: > > Is it possible to use annotations instead of that manual hive-file? > > If not: Is it planned or if not, why is it discarded? With wicket-security 1.4, this is not possible. We (at Topicus) developed a set of annotations to replace the hive file, but at this moment it is not clear if (or what part) of that set of annotations can be moved to wicket- security and when I will have the time to do it. This will not be part of 1.4, but perhaps 1.5. Best regards, Emond - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [announce] Wicket Security 1.4 released!
I just stumbled upon this announce and didn't have the time to dig deep into the code, and the links you suggested don't mention anything, so i have a short question: Is it possible to use annotations instead of that manual hive-file? If not: Is it planned or if not, why is it discarded? Thanks, Markus
RE: [announce] Wicket Security 1.4 released!
Just catching up on emails - thanks! Much appreciated!!! -Ben -Original Message- From: Martijn Dashorst [mailto:martijn.dasho...@gmail.com] Sent: Monday, May 31, 2010 9:08 AM To: users@wicket.apache.org Subject: [announce] Wicket Security 1.4 released! We are proud to release Wicket Security 1.4 final. Wicket Security is an attempt to create an out of the box reusable authenticating and authorization framework for Apache Wicket. It contains several projects which can be used standalone or in conjunction with each other. After testing the codebase for a while we did not find any issues. Differences between the 1.4-rc1 release: - upgraded dependencies to newest working versions (JUnit 4.x does not work with Spring) - versioned maven plugins to appease the Maven 3 gods. Many thanks go to Olger Warnier for the initial port of Wicket Security to Wicket 1.4. The release is available from the usual Wicket Stuff maven repository: http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security If you already depend on Wicket Security, all you need to do is modify the version of your dependencies in your Maven poms: wicketstuff http://wicketstuff.org/maven/repository true true org.apache.wicket.wicket-security swarm 1.4 compile Note that with future releases we will move to a new groupId and package name (since org.apache.wicket is reserved for Apache Wicket, and not 3rd party projects). The future of the Wicket Security project is to remain a standalone project (it will not be adopted by Apache Wicket), and will continue to be maintained by Topicus. If you wish to join please let us know! Emond & Martijn - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: wicket clustering wicket-security
On Wednesday 02 June 2010 15:54:50 david_ wrote: > Maybe someone knows who I can contact about this? > I wicket-security developer maybe? Unfortunately we don't use multiple applications in the same servlet container. So, I can't really help you with this. Maurice probably would have known how to do it, but unfortunately we can't ask him anymore. I'm almost sure that it should be possible (wicket-security even supports multiple logins on the same application). Perhaps some of the old documentation at http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security can help you, or perhaps the examples? What I do see in WaspSession is this: if (securityStrategy.isUserAuthenticated()) dirty(); else invalidateNow(); I don't know what that is supposed to do, but it seems you are hitting the wrong branch of the if statement. Good luck with it, Emond - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: wicket clustering wicket-security
Maybe someone knows who I can contact about this? I wicket-security developer maybe? thanks! -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2240161.html Sent from the Wicket - User mailing list archive at Nabble.com.
Re: wicket clustering wicket-security
The WaspSession is responsible for authorization of secured pages and components. For some reason if a user logs in on webapp-A and another user tries to access a bookmarkable url in webapp-B he is granted access. 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < ml-node+2239092-140489179-232...@n4.nabble.com > > not sure how to do it with wicket-security, but a way to do it > generically is to simply set the userid field you keep in your session > to null instead of invalidating the entire session > > -igor > > On Tue, Jun 1, 2010 at 11:56 AM, david_ <[hidden > email]<http://user/SendEmail.jtp?type=node&node=2239092&i=0>> > wrote: > > > > > How can I logoff an individual instance without affecting the other ones? > > > I use the org.apache.wicket.security.WaspSession.logoff() method which > > results in a normal invalidateNow(). > > > > > > 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < > > [hidden email] > > <http://user/SendEmail.jtp?type=node&node=2239092&i=1><[hidden > email] <http://user/SendEmail.jtp?type=node&node=2239092&i=2>> > >> > > > >> On Tue, Jun 1, 2010 at 11:17 AM, david_ <[hidden email]< > http://user/SendEmail.jtp?type=node&node=2239009&i=0>> > >> wrote: > >> > > >> > If I call getSession().getId() in each webapp (for example at the > >> indexpage) > >> > I get the same sessionId's in all applications. > >> > >> yep, that returns the id of the underlying http session which would be > >> the same for both wicket sessions > >> > >> > Another thing is, if two users are logged in in two different > >> applications > >> > and one of the two logs out the other one is also logged out. > >> > >> probably because your log out mechanism invalidates the underlying http > >> session > >> > >> -igor > >> > >> > > >> > > >> > > >> > 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < > >> > [hidden email] > >> > <http://user/SendEmail.jtp?type=node&node=2239009&i=1><[hidden > > >> email] <http://user/SendEmail.jtp?type=node&node=2239009&i=2>> > >> >> > >> > > >> >> each webapp has a single http session, however wicket's Session > >> >> objects will not be shared. > >> >> > >> >> -igor > >> >> > >> >> On Tue, Jun 1, 2010 at 2:38 AM, David Meulemans > >> >> <[hidden email] < > http://user/SendEmail.jtp?type=node&node=2238846&i=0>> > >> > >> >> wrote: > >> >> > I want to have multiple wicket applications to be clustered. > Because > >> I'm > >> >> > using ehcache it is necessary to merge the applications into one > .war > >> >> file > >> >> > because ehcache needs to be initiated in the same scope as the > other > >> >> > applications.Now the session is shared among all applications. > >> >> > Is there a way to avoid this? > >> >> > > >> >> > >> >> - > > >> >> To unsubscribe, e-mail: [hidden email]< > >> http://user/SendEmail.jtp?type=node&node=2238846&i=1> > >> >> For additional commands, e-mail: [hidden email]< > >> http://user/SendEmail.jtp?type=node&node=2238846&i=2> > >> >> > >> >> > >> >> > >> >> -- > >> >> View message @ > >> >> > >> > http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238846.html > >> >> To start a new topic under Wicket - User, email > >> >> [hidden email] > >> >> <http://user/SendEmail.jtp?type=node&node=2239009&i=3><[hidden > > >> email] <http://user/SendEmail.jtp?type=node&node=2239009&i=4>> > >> >> To unsubscribe from Wicket - User, click here< > >> > http://apache-wicket.1842946.n4.nabble.com/subscriptions/Unsubscribe.jtp?code=bWV1bGVtYW5zLmRhdmlkQGdtYWlsLmNvbXwxODQyOTQ3fC0xOTcyOTcxMjQ2>. > > >> > >> >> > >> >> > >> >> > >> > > >> > -- > >> > View this message in context: > >> > http://ap
Re: wicket clustering wicket-security
not sure how to do it with wicket-security, but a way to do it generically is to simply set the userid field you keep in your session to null instead of invalidating the entire session -igor On Tue, Jun 1, 2010 at 11:56 AM, david_ wrote: > > How can I logoff an individual instance without affecting the other ones? > I use the org.apache.wicket.security.WaspSession.logoff() method which > results in a normal invalidateNow(). > > > 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < > ml-node+2239009-1783456523-232...@n4.nabble.com >> > >> On Tue, Jun 1, 2010 at 11:17 AM, david_ <[hidden >> email]<http://user/SendEmail.jtp?type=node&node=2239009&i=0>> >> wrote: >> > >> > If I call getSession().getId() in each webapp (for example at the >> indexpage) >> > I get the same sessionId's in all applications. >> >> yep, that returns the id of the underlying http session which would be >> the same for both wicket sessions >> >> > Another thing is, if two users are logged in in two different >> applications >> > and one of the two logs out the other one is also logged out. >> >> probably because your log out mechanism invalidates the underlying http >> session >> >> -igor >> >> > >> > >> > >> > 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < >> > [hidden email] >> > <http://user/SendEmail.jtp?type=node&node=2239009&i=1><[hidden >> email] <http://user/SendEmail.jtp?type=node&node=2239009&i=2>> >> >> >> > >> >> each webapp has a single http session, however wicket's Session >> >> objects will not be shared. >> >> >> >> -igor >> >> >> >> On Tue, Jun 1, 2010 at 2:38 AM, David Meulemans >> >> <[hidden email] <http://user/SendEmail.jtp?type=node&node=2238846&i=0>> >> >> >> wrote: >> >> > I want to have multiple wicket applications to be clustered. Because >> I'm >> >> > using ehcache it is necessary to merge the applications into one .war >> >> file >> >> > because ehcache needs to be initiated in the same scope as the other >> >> > applications.Now the session is shared among all applications. >> >> > Is there a way to avoid this? >> >> > >> >> >> >> - >> >> To unsubscribe, e-mail: [hidden email]< >> http://user/SendEmail.jtp?type=node&node=2238846&i=1> >> >> For additional commands, e-mail: [hidden email]< >> http://user/SendEmail.jtp?type=node&node=2238846&i=2> >> >> >> >> >> >> >> >> ------ >> >> View message @ >> >> >> http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238846.html >> >> To start a new topic under Wicket - User, email >> >> [hidden email] >> >> <http://user/SendEmail.jtp?type=node&node=2239009&i=3><[hidden >> email] <http://user/SendEmail.jtp?type=node&node=2239009&i=4>> >> >> To unsubscribe from Wicket - User, click here< >> http://apache-wicket.1842946.n4.nabble.com/subscriptions/Unsubscribe.jtp?code=bWV1bGVtYW5zLmRhdmlkQGdtYWlsLmNvbXwxODQyOTQ3fC0xOTcyOTcxMjQ2>. >> >> >> >> >> >> >> >> > >> > -- >> > View this message in context: >> http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238976.html >> > Sent from the Wicket - User mailing list archive at Nabble.com. >> > >> >> - >> To unsubscribe, e-mail: [hidden >> email]<http://user/SendEmail.jtp?type=node&node=2239009&i=5> >> For additional commands, e-mail: [hidden >> email]<http://user/SendEmail.jtp?type=node&node=2239009&i=6> >> >> >> >> -- >> View message @ >> http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2239009.html >> To start a new topic under Wicket - User, email >> ml-node+1842947-1066186228-232...@n4.nabble.com >> To unsubscribe from Wicket - User, click >> here<http://apache-wicket.1842946.n4.nabble.com/subscriptions/Unsubscribe.jtp?code=bWV1bGVtYW5zLmRhdmlkQGdtYWlsLmNvbXwxODQyOTQ3fC0xOTcyOTcxMjQ2>. >> >> >> > > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2239030.html > Sent from the Wicket - User mailing list archive at Nabble.com. > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: wicket clustering wicket-security
How can I logoff an individual instance without affecting the other ones? I use the org.apache.wicket.security.WaspSession.logoff() method which results in a normal invalidateNow(). 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < ml-node+2239009-1783456523-232...@n4.nabble.com > > On Tue, Jun 1, 2010 at 11:17 AM, david_ <[hidden > email]<http://user/SendEmail.jtp?type=node&node=2239009&i=0>> > wrote: > > > > If I call getSession().getId() in each webapp (for example at the > indexpage) > > I get the same sessionId's in all applications. > > yep, that returns the id of the underlying http session which would be > the same for both wicket sessions > > > Another thing is, if two users are logged in in two different > applications > > and one of the two logs out the other one is also logged out. > > probably because your log out mechanism invalidates the underlying http > session > > -igor > > > > > > > > > 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < > > [hidden email] > > <http://user/SendEmail.jtp?type=node&node=2239009&i=1><[hidden > email] <http://user/SendEmail.jtp?type=node&node=2239009&i=2>> > >> > > > >> each webapp has a single http session, however wicket's Session > >> objects will not be shared. > >> > >> -igor > >> > >> On Tue, Jun 1, 2010 at 2:38 AM, David Meulemans > >> <[hidden email] <http://user/SendEmail.jtp?type=node&node=2238846&i=0>> > > >> wrote: > >> > I want to have multiple wicket applications to be clustered. Because > I'm > >> > using ehcache it is necessary to merge the applications into one .war > >> file > >> > because ehcache needs to be initiated in the same scope as the other > >> > applications.Now the session is shared among all applications. > >> > Is there a way to avoid this? > >> > > >> > >> ----- > >> To unsubscribe, e-mail: [hidden email]< > http://user/SendEmail.jtp?type=node&node=2238846&i=1> > >> For additional commands, e-mail: [hidden email]< > http://user/SendEmail.jtp?type=node&node=2238846&i=2> > >> > >> > >> > >> -- > >> View message @ > >> > http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238846.html > >> To start a new topic under Wicket - User, email > >> [hidden email] > >> <http://user/SendEmail.jtp?type=node&node=2239009&i=3><[hidden > email] <http://user/SendEmail.jtp?type=node&node=2239009&i=4>> > >> To unsubscribe from Wicket - User, click here< > http://apache-wicket.1842946.n4.nabble.com/subscriptions/Unsubscribe.jtp?code=bWV1bGVtYW5zLmRhdmlkQGdtYWlsLmNvbXwxODQyOTQ3fC0xOTcyOTcxMjQ2>. > > >> > >> > >> > > > > -- > > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238976.html > > Sent from the Wicket - User mailing list archive at Nabble.com. > > > > - > To unsubscribe, e-mail: [hidden > email]<http://user/SendEmail.jtp?type=node&node=2239009&i=5> > For additional commands, e-mail: [hidden > email]<http://user/SendEmail.jtp?type=node&node=2239009&i=6> > > > > -- > View message @ > http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2239009.html > To start a new topic under Wicket - User, email > ml-node+1842947-1066186228-232...@n4.nabble.com > To unsubscribe from Wicket - User, click > here<http://apache-wicket.1842946.n4.nabble.com/subscriptions/Unsubscribe.jtp?code=bWV1bGVtYW5zLmRhdmlkQGdtYWlsLmNvbXwxODQyOTQ3fC0xOTcyOTcxMjQ2>. > > > -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2239030.html Sent from the Wicket - User mailing list archive at Nabble.com.
Re: wicket clustering wicket-security
On Tue, Jun 1, 2010 at 11:17 AM, david_ wrote: > > If I call getSession().getId() in each webapp (for example at the indexpage) > I get the same sessionId's in all applications. yep, that returns the id of the underlying http session which would be the same for both wicket sessions > Another thing is, if two users are logged in in two different applications > and one of the two logs out the other one is also logged out. probably because your log out mechanism invalidates the underlying http session -igor > > > > 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < > ml-node+2238846-1446394513-232...@n4.nabble.com >> > >> each webapp has a single http session, however wicket's Session >> objects will not be shared. >> >> -igor >> >> On Tue, Jun 1, 2010 at 2:38 AM, David Meulemans >> <[hidden email] <http://user/SendEmail.jtp?type=node&node=2238846&i=0>> >> wrote: >> > I want to have multiple wicket applications to be clustered. Because I'm >> > using ehcache it is necessary to merge the applications into one .war >> file >> > because ehcache needs to be initiated in the same scope as the other >> > applications.Now the session is shared among all applications. >> > Is there a way to avoid this? >> > >> >> - >> To unsubscribe, e-mail: [hidden >> email]<http://user/SendEmail.jtp?type=node&node=2238846&i=1> >> For additional commands, e-mail: [hidden >> email]<http://user/SendEmail.jtp?type=node&node=2238846&i=2> >> >> >> >> -- >> View message @ >> http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238846.html >> To start a new topic under Wicket - User, email >> ml-node+1842947-1066186228-232...@n4.nabble.com >> To unsubscribe from Wicket - User, click >> here<http://apache-wicket.1842946.n4.nabble.com/subscriptions/Unsubscribe.jtp?code=bWV1bGVtYW5zLmRhdmlkQGdtYWlsLmNvbXwxODQyOTQ3fC0xOTcyOTcxMjQ2>. >> >> >> > > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238976.html > Sent from the Wicket - User mailing list archive at Nabble.com. > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: wicket clustering wicket-security
If I call getSession().getId() in each webapp (for example at the indexpage) I get the same sessionId's in all applications. Another thing is, if two users are logged in in two different applications and one of the two logs out the other one is also logged out. 2010/6/1 Igor Vaynberg-2 [via Apache Wicket] < ml-node+2238846-1446394513-232...@n4.nabble.com > > each webapp has a single http session, however wicket's Session > objects will not be shared. > > -igor > > On Tue, Jun 1, 2010 at 2:38 AM, David Meulemans > <[hidden email] <http://user/SendEmail.jtp?type=node&node=2238846&i=0>> > wrote: > > I want to have multiple wicket applications to be clustered. Because I'm > > using ehcache it is necessary to merge the applications into one .war > file > > because ehcache needs to be initiated in the same scope as the other > > applications.Now the session is shared among all applications. > > Is there a way to avoid this? > > > > - > To unsubscribe, e-mail: [hidden > email]<http://user/SendEmail.jtp?type=node&node=2238846&i=1> > For additional commands, e-mail: [hidden > email]<http://user/SendEmail.jtp?type=node&node=2238846&i=2> > > > > -- > View message @ > http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238846.html > To start a new topic under Wicket - User, email > ml-node+1842947-1066186228-232...@n4.nabble.com > To unsubscribe from Wicket - User, click > here<http://apache-wicket.1842946.n4.nabble.com/subscriptions/Unsubscribe.jtp?code=bWV1bGVtYW5zLmRhdmlkQGdtYWlsLmNvbXwxODQyOTQ3fC0xOTcyOTcxMjQ2>. > > > -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/wicket-clustering-wicket-security-tp2238257p2238976.html Sent from the Wicket - User mailing list archive at Nabble.com.
Re: wicket clustering wicket-security
each webapp has a single http session, however wicket's Session objects will not be shared. -igor On Tue, Jun 1, 2010 at 2:38 AM, David Meulemans wrote: > I want to have multiple wicket applications to be clustered. Because I'm > using ehcache it is necessary to merge the applications into one .war file > because ehcache needs to be initiated in the same scope as the other > applications.Now the session is shared among all applications. > Is there a way to avoid this? > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
wicket clustering wicket-security
I want to have multiple wicket applications to be clustered. Because I'm using ehcache it is necessary to merge the applications into one .war file because ehcache needs to be initiated in the same scope as the other applications.Now the session is shared among all applications. Is there a way to avoid this?
Re: [announce] Wicket Security 1.4 released!
http://wicketstuff.org/confluence/display/STUFFWIKI/Getting+started+with+Swarm http://wicketstuff.org/wicketsecurity/ https://wicket-stuff.svn.sourceforge.net/svnroot/wicket-stuff/trunk/wicket-security-examples On Tue, Jun 1, 2010 at 8:24 AM, Paul Szulc wrote: > true, some kind of quick start could be useful > > On Mon, May 31, 2010 at 8:00 PM, Joe Fawzy wrote: > >> Hi >> i heard a lot about this project but have no opportunity to play with it >> i think a (detailed) tutorial or a getting start guide is required(for >> someone like me) to begin using this >> >> any pointers? >> >> thanks >> Joe >> >> On Mon, May 31, 2010 at 5:07 PM, Martijn Dashorst < >> martijn.dasho...@gmail.com> wrote: >> >> > We are proud to release Wicket Security 1.4 final. >> > >> > Wicket Security is an attempt to create an out of the box reusable >> > authenticating and authorization framework for Apache Wicket. It >> > contains several projects which can be used standalone or in >> > conjunction with each other. >> > >> > After testing the codebase for a while we did not find any issues. >> > >> > Differences between the 1.4-rc1 release: >> > - upgraded dependencies to newest working versions (JUnit 4.x does >> > not work with Spring) >> > - versioned maven plugins to appease the Maven 3 gods. >> > >> > Many thanks go to Olger Warnier for the initial port of Wicket >> > Security to Wicket 1.4. >> > >> > The release is available from the usual Wicket Stuff maven repository: >> > >> > >> > >> http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security >> > >> > If you already depend on Wicket Security, all you need to do is modify >> > the version of your dependencies in your Maven poms: >> > >> > >> > wicketstuff >> > http://wicketstuff.org/maven/repository >> > >> > true >> > >> > >> > true >> > >> > >> > >> > >> > org.apache.wicket.wicket-security >> > swarm >> > 1.4 >> > compile >> > >> > >> > Note that with future releases we will move to a new groupId and >> > package name (since org.apache.wicket is reserved for Apache Wicket, >> > and not 3rd party projects). >> > >> > The future of the Wicket Security project is to remain a standalone >> > project (it will not be adopted by Apache Wicket), and will continue >> > to be maintained by Topicus. If you wish to join please let us know! >> > >> > Emond & Martijn >> > >> > - >> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> > For additional commands, e-mail: users-h...@wicket.apache.org >> > >> > >> > > > > -- > Best regards, > Paul Szulc > > http://paulszulc.wordpress.com > -- Become a Wicket expert, learn from the best: http://wicketinaction.com Apache Wicket 1.4 increases type safety for web applications Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.8 - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [announce] Wicket Security 1.4 released!
true, some kind of quick start could be useful On Mon, May 31, 2010 at 8:00 PM, Joe Fawzy wrote: > Hi > i heard a lot about this project but have no opportunity to play with it > i think a (detailed) tutorial or a getting start guide is required(for > someone like me) to begin using this > > any pointers? > > thanks > Joe > > On Mon, May 31, 2010 at 5:07 PM, Martijn Dashorst < > martijn.dasho...@gmail.com> wrote: > > > We are proud to release Wicket Security 1.4 final. > > > > Wicket Security is an attempt to create an out of the box reusable > > authenticating and authorization framework for Apache Wicket. It > > contains several projects which can be used standalone or in > > conjunction with each other. > > > > After testing the codebase for a while we did not find any issues. > > > > Differences between the 1.4-rc1 release: > > - upgraded dependencies to newest working versions (JUnit 4.x does > > not work with Spring) > > - versioned maven plugins to appease the Maven 3 gods. > > > > Many thanks go to Olger Warnier for the initial port of Wicket > > Security to Wicket 1.4. > > > > The release is available from the usual Wicket Stuff maven repository: > > > > > > > http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security > > > > If you already depend on Wicket Security, all you need to do is modify > > the version of your dependencies in your Maven poms: > > > > > >wicketstuff > >http://wicketstuff.org/maven/repository > > > >true > > > > > >true > > > > > > > > > >org.apache.wicket.wicket-security > > swarm > >1.4 > >compile > > > > > > Note that with future releases we will move to a new groupId and > > package name (since org.apache.wicket is reserved for Apache Wicket, > > and not 3rd party projects). > > > > The future of the Wicket Security project is to remain a standalone > > project (it will not be adopted by Apache Wicket), and will continue > > to be maintained by Topicus. If you wish to join please let us know! > > > > Emond & Martijn > > > > - > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > > For additional commands, e-mail: users-h...@wicket.apache.org > > > > > -- Best regards, Paul Szulc http://paulszulc.wordpress.com
Re: [announce] Wicket Security 1.4 released!
I have been using wicket-security for months now, and I'm very happy about it! Finally the 1.4 release I've been waiting for :) I've gathered my information mostly from http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security It is not up to date, but has everything to start with. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-released-tp2237419p2238023.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: [announce] Wicket Security 1.4 released!
Hi i heard a lot about this project but have no opportunity to play with it i think a (detailed) tutorial or a getting start guide is required(for someone like me) to begin using this any pointers? thanks Joe On Mon, May 31, 2010 at 5:07 PM, Martijn Dashorst < martijn.dasho...@gmail.com> wrote: > We are proud to release Wicket Security 1.4 final. > > Wicket Security is an attempt to create an out of the box reusable > authenticating and authorization framework for Apache Wicket. It > contains several projects which can be used standalone or in > conjunction with each other. > > After testing the codebase for a while we did not find any issues. > > Differences between the 1.4-rc1 release: > - upgraded dependencies to newest working versions (JUnit 4.x does > not work with Spring) > - versioned maven plugins to appease the Maven 3 gods. > > Many thanks go to Olger Warnier for the initial port of Wicket > Security to Wicket 1.4. > > The release is available from the usual Wicket Stuff maven repository: > > > http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security > > If you already depend on Wicket Security, all you need to do is modify > the version of your dependencies in your Maven poms: > > >wicketstuff >http://wicketstuff.org/maven/repository > >true > > >true > > > > >org.apache.wicket.wicket-security >swarm >1.4 >compile > > > Note that with future releases we will move to a new groupId and > package name (since org.apache.wicket is reserved for Apache Wicket, > and not 3rd party projects). > > The future of the Wicket Security project is to remain a standalone > project (it will not be adopted by Apache Wicket), and will continue > to be maintained by Topicus. If you wish to join please let us know! > > Emond & Martijn > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > >
[announce] Wicket Security 1.4 released!
We are proud to release Wicket Security 1.4 final. Wicket Security is an attempt to create an out of the box reusable authenticating and authorization framework for Apache Wicket. It contains several projects which can be used standalone or in conjunction with each other. After testing the codebase for a while we did not find any issues. Differences between the 1.4-rc1 release: - upgraded dependencies to newest working versions (JUnit 4.x does not work with Spring) - versioned maven plugins to appease the Maven 3 gods. Many thanks go to Olger Warnier for the initial port of Wicket Security to Wicket 1.4. The release is available from the usual Wicket Stuff maven repository: http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security If you already depend on Wicket Security, all you need to do is modify the version of your dependencies in your Maven poms: wicketstuff http://wicketstuff.org/maven/repository true true org.apache.wicket.wicket-security swarm 1.4 compile Note that with future releases we will move to a new groupId and package name (since org.apache.wicket is reserved for Apache Wicket, and not 3rd party projects). The future of the Wicket Security project is to remain a standalone project (it will not be adopted by Apache Wicket), and will continue to be maintained by Topicus. If you wish to join please let us know! Emond & Martijn - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Status of wicket-security
And that conversion is now completed. We are at wicket 1.4(.9) and everything seems to be fine. I think we can release wicket-security-1.4.0 today. If we don't get to it, expect the release next week. We will post an announcement on this list. Until then, you can use 1.4-rc1. Nothing has changed since then, because no bugs were found. Emond Papegaaij On Friday 28 May 2010 01:38:54 Jeremy Thomerson wrote: > See the second message at this link (the one from Martijn): > http://apache-wicket.1842946.n4.nabble.com/Wicket-1-4-upgrade-dependent-on- > Wicket-Security-1-4-td2031552.html > > Jeremy > > On Thu, May 27, 2010 at 6:30 PM, Marek Šabo wrote: > > Hi, > > > > I would like to know what's the status of wicket-security. I've been > > using it for couple of months but only for simple tasks. I would like to > > dig deeper but there is like on getting started and few mailing list > > entries. > > Is there someone who works on the project or is it fading? If so, what > > is the common choice for AA layer in wicket apps besides Spring Security? > > > > Regards, > > > > -- > > Marek Šabo > > > > > > - > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > > For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Status of wicket-security
See the second message at this link (the one from Martijn): http://apache-wicket.1842946.n4.nabble.com/Wicket-1-4-upgrade-dependent-on-Wicket-Security-1-4-td2031552.html Jeremy On Thu, May 27, 2010 at 6:30 PM, Marek Šabo wrote: > Hi, > > I would like to know what's the status of wicket-security. I've been > using it for couple of months but only for simple tasks. I would like to > dig deeper but there is like on getting started and few mailing list > entries. > Is there someone who works on the project or is it fading? If so, what > is the common choice for AA layer in wicket apps besides Spring Security? > > Regards, > > -- > Marek Šabo > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Jeremy Thomerson http://www.wickettraining.com
Status of wicket-security
Hi, I would like to know what's the status of wicket-security. I've been using it for couple of months but only for simple tasks. I would like to dig deeper but there is like on getting started and few mailing list entries. Is there someone who works on the project or is it fading? If so, what is the common choice for AA layer in wicket apps besides Spring Security? Regards, -- Marek Šabo - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
try org.wicketstuff wicket-shiro 1.4-SNAPSHOT On Tue, May 11, 2010 at 3:15 AM, PDiefent wrote: > > where can I find the wicket-shiro-example stuff? > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2173369.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Fernando Wermus. www.linkedin.com/in/fernandowermus
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Martin, how many patches have you submitted? ;) On Tue, May 11, 2010 at 3:59 AM, Martin Grigorov wrote: > On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote: >> Just a quick note to Wicket and Wicket-Stuff Shiro users: >> >> Shiro 1.0 is right around the corner. We should be code-complete for >> 1.0 in a day or two and then we being the ASF voting process to >> release the software. A concrete (non snapshot) release is coming >> very soon! >> >> Best, >> >> Les > You said the same 4 months ago ;-) >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
If it's any consolation, we only have a few remaining issues in Jira that should be finished today and tomorrow. 4 months ago, there was still over 50+ issues to resolve ;) Security frameworks are hard to get right - better to have a great 1.0 release than a crappy one :) On Tue, May 11, 2010 at 12:59 AM, Martin Grigorov wrote: > On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote: >> Just a quick note to Wicket and Wicket-Stuff Shiro users: >> >> Shiro 1.0 is right around the corner. We should be code-complete for >> 1.0 in a day or two and then we being the ASF voting process to >> release the software. A concrete (non snapshot) release is coming >> very soon! >> >> Best, >> >> Les > You said the same 4 months ago ;-) >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
On Mon, 2010-05-10 at 23:32 -0700, Les Hazlewood wrote: > Just a quick note to Wicket and Wicket-Stuff Shiro users: > > Shiro 1.0 is right around the corner. We should be code-complete for > 1.0 in a day or two and then we being the ASF voting process to > release the software. A concrete (non snapshot) release is coming > very soon! > > Best, > > Les You said the same 4 months ago ;-) > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Just a quick note to Wicket and Wicket-Stuff Shiro users: Shiro 1.0 is right around the corner. We should be code-complete for 1.0 in a day or two and then we being the ASF voting process to release the software. A concrete (non snapshot) release is coming very soon! Best, Les - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
where can I find the wicket-shiro-example stuff? -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2173369.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to check out trunk and build yourself) and has three different SNAPSHOT dependencies. I can't talk for wicket-shiro, but using plain Shiro from your Wicket project is quite straightforward. Use the integration from wicket-shiro as a pointer and integrate everything directly into your project. I did it this way and am very happy with it so far. Cheers, Adrian - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
you can try shiro. There is a shiro-wicket-web-app example which could help you. On Mon, May 10, 2010 at 9:54 AM, PDiefent wrote: > > Thanks for this fast respnse. I will have a deeper look at it. > Actually I hoped to find a much more simple solution, because I wanted to > avoid Spring in my application and only use it for authentication ... > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2165351.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Fernando Wermus. www.linkedin.com/in/fernandowermus
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Thanks for this fast respnse. I will have a deeper look at it. Actually I hoped to find a much more simple solution, because I wanted to avoid Spring in my application and only use it for authentication ... -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2165351.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
I recently updated the spring-security module for Brix to SS 3.0.1. There's probably some nibbles in there for some of the more advanced kinds of security situations (like component-based authorizations against SS 3). http://code.google.com/p/brix-cms-plugins/source/browse/#svn/trunk/examples/example-springsecurity is the browsable source for the example project. Check out Brix while you are there! :B On May 7, 2010, at 8:48 AM, PDiefent wrote: > > I have also problems integrating security into my Wicket project. I wanted to > use simple authentication form the application server as I used many times > before with JSF applications, but it didn't work. > > Spring security sounds very good, but since I don't use spring in my Wicket > application I didn't manage to get the examples form above to work. > > It would be nice, if anyone could post a little example application as a > kick start especially with Wicket 1.4.x > > Thanks, Peter > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2134111.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
I have also problems integrating security into my Wicket project. I wanted to use simple authentication form the application server as I used many times before with JSF applications, but it didn't work. Spring security sounds very good, but since I don't use spring in my Wicket application I didn't manage to get the examples form above to work. It would be nice, if anyone could post a little example application as a kick start especially with Wicket 1.4.x Thanks, Peter -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2134111.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Martijn wrote: > > Confluence and JIRA for Wicket Stuff have been down since the JIRA > attacks. I've enabled service to Confluence as I didn't see any files > that were tampered with, nor was there any indication that it had been > compromised in other installations. > > Confluence hasn't been updated with the release status because of this. I had no idea there was a JIRA attack. That explains a lot. > That said, we (the current Wicket Security maintainers) are 90% sure > that we'll move Wicket Security over to github, and host the > documentation there. ok, sounds like a good move. Thanks for a great project, by the way. I'm starting to like it more and more now. :) /Jimi -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2075000.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Confluence and JIRA for Wicket Stuff have been down since the JIRA attacks. I've enabled service to Confluence as I didn't see any files that were tampered with, nor was there any indication that it had been compromised in other installations. Confluence hasn't been updated with the release status because of this. That said, we (the current Wicket Security maintainers) are 90% sure that we'll move Wicket Security over to github, and host the documentation there. Martijn On Wed, Apr 28, 2010 at 3:11 PM, Jimi wrote: > > Reinout wrote: >> Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi: >> >> > 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >> > discussion labeled "is wicket-auth-roles discontinued?". And the >> comments on >> > the "Getting started with Swarm" wiki page is from 2007 and 2008, plus >> that >> > they talk about Acegi (the old name for Spring Security) and the project >> has >> > dependencies to Wicket 1.3 and Spring 2.0. >> >> This lives on as a wicket-stuff subproject. >> Just yesterday a new version, 1.4rc1 was announced on this list: >> >> http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350 > > Interesting... I looked for postings about wicket security in this mailing > list before that posting, during Monday, and when I wrote my posting > yesterday I didn't think to look again to see if any more security related > postings had come in. But apparently it had... =) > > Now I also found this posting about Wicket Security: > > http://apache-wicket.1842946.n4.nabble.com/Future-of-Wicket-Security-WASP-SWARM-tt1908153.html#a1908153 > > And I tend to agree with the last post, by Antoine. Wicketstuff feels a bit > like a playground, with production ready projects mixed with crude > copy-paste-example projects. > > By the way, isn't > http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security the > "official" web site for it? Because it doesn't mention 1.4rc1 > > Regards > /Jimi > -- > View this message in context: > http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2069145.html > Sent from the Wicket - User mailing list archive at Nabble.com. > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > -- Become a Wicket expert, learn from the best: http://wicketinaction.com Apache Wicket 1.4 increases type safety for web applications Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.7 - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Reinout wrote: > Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi: > > > 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old > > discussion labeled "is wicket-auth-roles discontinued?". And the > comments on > > the "Getting started with Swarm" wiki page is from 2007 and 2008, plus > that > > they talk about Acegi (the old name for Spring Security) and the project > has > > dependencies to Wicket 1.3 and Spring 2.0. > > This lives on as a wicket-stuff subproject. > Just yesterday a new version, 1.4rc1 was announced on this list: > > http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350 Interesting... I looked for postings about wicket security in this mailing list before that posting, during Monday, and when I wrote my posting yesterday I didn't think to look again to see if any more security related postings had come in. But apparently it had... =) Now I also found this posting about Wicket Security: http://apache-wicket.1842946.n4.nabble.com/Future-of-Wicket-Security-WASP-SWARM-tt1908153.html#a1908153 And I tend to agree with the last post, by Antoine. Wicketstuff feels a bit like a playground, with production ready projects mixed with crude copy-paste-example projects. By the way, isn't http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security the "official" web site for it? Because it doesn't mention 1.4rc1 Regards /Jimi -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2069145.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Those two classes are here: http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/security/ They're part of my "advanced wicket" demo code. The project already h On Wed, Apr 28, 2010 at 6:18 AM, Giovanni wrote: > James, can you share your SpringSecurityWebApplication and > SpringSecurityWebSession > classes? > > If you also write a small tutorial on how to use them, it will be great. > > Best regards, > giovanni > > > > > > > From: James Carman > To: users@wicket.apache.org > Sent: Wed, April 28, 2010 1:51:57 AM > Subject: Re: Wicket + security, what are the best options? Spring Security > reached almost all the way... > > I have a SpringSecurityWebApplication and SpringSecurityWebSession > class you can use if you want. > > On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford wrote: >> You can use Spring security with wicket auth-roles, I works out pretty nice >> compared to the alternatives. iirc You need do your normal Spring >> setup, extend AuthenticatedWicketApplication, and AuthenticatedSession >> which has an authenticate method you'll call your UserDetails bean from. >> >> Outdated Link >> https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 >> >> >> On Tue, Apr 27, 2010 at 7:20 PM, Jimi wrote: >> >>> >>> Hi, >>> >>> I'm curious to know what security frameworks you guys are using. >>> >>> The reason I'm asking is because I recently tried out Spring Security >>> together with a simple wicket web application, and was amazed on how easy >>> it >>> was. I applied the steps mentioned in their Pet Clinic tutorial >>> ( >>> http://static.springsource.org/spring-security/site/petclinic-tutorial.html >>> ) >>> more or less exactly as they are, and I didn't have to write a single line >>> of code. All was done using configuration. And even when I replaced the >>> hard >>> coded list of users (with their passwords and groups) with my custom >>> authentication provider (or actually custom UserDetailsService) I only had >>> two write two simple classes that implemented two very simple and logical >>> interfaces respectively, that used my pre existing hibernate configuration >>> and POJOs. >>> >>> BUT... when I wanted to replace the auto generated login screen (which >>> worked great, but just didn't look very appealing) with a custom login page >>> I quickly ran into trouble. If the login was successful then all was fine. >>> But for the cases when the login failed for some reason (like incorrect >>> username/password or database being down) I was having problems accessing >>> the error cause. Because as far as I could tell this message (actually an >>> Exception subclass) was only available as a http session attribute. And it >>> seems that Wicket does everything to hide those from the user, discourages >>> the use of the getHttpServletRequest() and the session attributes of the >>> wicket session object only seems to include attributes with a specific >>> wicket-prefix (like "wicket:wicket.myProject:") which of course caused my >>> precious Spring Security session attributes to be unavailable. >>> >>> It was then I started thinking that Spring Security maybe isn't the best >>> security framework together with Wicket. So I started looking around for >>> other alternatives. Wicket-security/WASP/SWARM (still not sure what is >>> what) >>> and "wicket auth roles" where the first two, and some time later I also >>> heard about wicket-shiro. >>> >>> But all these three seemed to have one or more of the following down sides >>> that irritated me when I evaluated them: >>> >>> 1. Missing official site. [wicket auth roles] At least I can't find it. >>> >>> 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >>> discussion labeled "is wicket-auth-roles discontinued?". And the comments >>> on >>> the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that >>> they talk about Acegi (the old name for Spring Security) and the project >>> has >>> dependencies to Wicket 1.3 and Spring 2.0. >>> >>> 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to >>> check
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Those two classes are here: http://svn.carmanconsulting.com/public/wicket-advanced/trunk/src/main/java/com/carmanconsulting/wicket/advanced/web/common/security/ They're part of my "advanced wicket" demo code. The project already has them set up and working, so you can look there for a tutorial. On Wed, Apr 28, 2010 at 6:18 AM, Giovanni wrote: > James, can you share your SpringSecurityWebApplication and > SpringSecurityWebSession > classes? > > If you also write a small tutorial on how to use them, it will be great. > > Best regards, > giovanni > > > > > > > From: James Carman > To: users@wicket.apache.org > Sent: Wed, April 28, 2010 1:51:57 AM > Subject: Re: Wicket + security, what are the best options? Spring Security > reached almost all the way... > > I have a SpringSecurityWebApplication and SpringSecurityWebSession > class you can use if you want. > > On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford wrote: >> You can use Spring security with wicket auth-roles, I works out pretty nice >> compared to the alternatives. iirc You need do your normal Spring >> setup, extend AuthenticatedWicketApplication, and AuthenticatedSession >> which has an authenticate method you'll call your UserDetails bean from. >> >> Outdated Link >> https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 >> >> >> On Tue, Apr 27, 2010 at 7:20 PM, Jimi wrote: >> >>> >>> Hi, >>> >>> I'm curious to know what security frameworks you guys are using. >>> >>> The reason I'm asking is because I recently tried out Spring Security >>> together with a simple wicket web application, and was amazed on how easy >>> it >>> was. I applied the steps mentioned in their Pet Clinic tutorial >>> ( >>> http://static.springsource.org/spring-security/site/petclinic-tutorial.html >>> ) >>> more or less exactly as they are, and I didn't have to write a single line >>> of code. All was done using configuration. And even when I replaced the >>> hard >>> coded list of users (with their passwords and groups) with my custom >>> authentication provider (or actually custom UserDetailsService) I only had >>> two write two simple classes that implemented two very simple and logical >>> interfaces respectively, that used my pre existing hibernate configuration >>> and POJOs. >>> >>> BUT... when I wanted to replace the auto generated login screen (which >>> worked great, but just didn't look very appealing) with a custom login page >>> I quickly ran into trouble. If the login was successful then all was fine. >>> But for the cases when the login failed for some reason (like incorrect >>> username/password or database being down) I was having problems accessing >>> the error cause. Because as far as I could tell this message (actually an >>> Exception subclass) was only available as a http session attribute. And it >>> seems that Wicket does everything to hide those from the user, discourages >>> the use of the getHttpServletRequest() and the session attributes of the >>> wicket session object only seems to include attributes with a specific >>> wicket-prefix (like "wicket:wicket.myProject:") which of course caused my >>> precious Spring Security session attributes to be unavailable. >>> >>> It was then I started thinking that Spring Security maybe isn't the best >>> security framework together with Wicket. So I started looking around for >>> other alternatives. Wicket-security/WASP/SWARM (still not sure what is >>> what) >>> and "wicket auth roles" where the first two, and some time later I also >>> heard about wicket-shiro. >>> >>> But all these three seemed to have one or more of the following down sides >>> that irritated me when I evaluated them: >>> >>> 1. Missing official site. [wicket auth roles] At least I can't find it. >>> >>> 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >>> discussion labeled "is wicket-auth-roles discontinued?". And the comments >>> on >>> the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that >>> they talk about Acegi (the old name for Spring Security) and the project >>> has >>> dependencies to Wicket 1.3 and Spring 2.0. >>> >>> 3. Doesn't seem stable. [wicket-
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Op dinsdag 27-04-2010 om 16:20 uur [tijdzone -0700], schreef Jimi: > 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old > discussion labeled "is wicket-auth-roles discontinued?". And the comments on > the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that > they talk about Acegi (the old name for Spring Security) and the project has > dependencies to Wicket 1.3 and Spring 2.0. This lives on as a wicket-stuff subproject. Just yesterday a new version, 1.4rc1 was announced on this list: http://apache-wicket.1842946.n4.nabble.com/announce-Wicket-Security-1-4-rc1-released-tt2067350.html#a2067350 regards, -- Reinout van Schouwen - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Thanks for that kind suggestion, but I already have working SecurityWebApplication and SecurityWebSession implementations. And my problem was never a lack of code examples, but instead my problem was the need for so much boilerplate code in the first place. I get the feeling most of this code can be exactly the same for a lot of projects, and then it would be logical to have a shared base for all these projects, maybe as a part of SWARM/WASP, or wicket auth roles or wicket-shiro. Regards /Jimi > I have a SpringSecurityWebApplication and SpringSecurityWebSession > class you can use if you want. -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068916.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
James, can you share your SpringSecurityWebApplication and SpringSecurityWebSession classes? If you also write a small tutorial on how to use them, it will be great. Best regards, giovanni From: James Carman To: users@wicket.apache.org Sent: Wed, April 28, 2010 1:51:57 AM Subject: Re: Wicket + security, what are the best options? Spring Security reached almost all the way... I have a SpringSecurityWebApplication and SpringSecurityWebSession class you can use if you want. On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford wrote: > You can use Spring security with wicket auth-roles, I works out pretty nice > compared to the alternatives. iirc You need do your normal Spring > setup, extend AuthenticatedWicketApplication, and AuthenticatedSession > which has an authenticate method you'll call your UserDetails bean from. > > Outdated Link > https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 > > > On Tue, Apr 27, 2010 at 7:20 PM, Jimi wrote: > >> >> Hi, >> >> I'm curious to know what security frameworks you guys are using. >> >> The reason I'm asking is because I recently tried out Spring Security >> together with a simple wicket web application, and was amazed on how easy >> it >> was. I applied the steps mentioned in their Pet Clinic tutorial >> ( >> http://static.springsource.org/spring-security/site/petclinic-tutorial.html >> ) >> more or less exactly as they are, and I didn't have to write a single line >> of code. All was done using configuration. And even when I replaced the >> hard >> coded list of users (with their passwords and groups) with my custom >> authentication provider (or actually custom UserDetailsService) I only had >> two write two simple classes that implemented two very simple and logical >> interfaces respectively, that used my pre existing hibernate configuration >> and POJOs. >> >> BUT... when I wanted to replace the auto generated login screen (which >> worked great, but just didn't look very appealing) with a custom login page >> I quickly ran into trouble. If the login was successful then all was fine. >> But for the cases when the login failed for some reason (like incorrect >> username/password or database being down) I was having problems accessing >> the error cause. Because as far as I could tell this message (actually an >> Exception subclass) was only available as a http session attribute. And it >> seems that Wicket does everything to hide those from the user, discourages >> the use of the getHttpServletRequest() and the session attributes of the >> wicket session object only seems to include attributes with a specific >> wicket-prefix (like "wicket:wicket.myProject:") which of course caused my >> precious Spring Security session attributes to be unavailable. >> >> It was then I started thinking that Spring Security maybe isn't the best >> security framework together with Wicket. So I started looking around for >> other alternatives. Wicket-security/WASP/SWARM (still not sure what is >> what) >> and "wicket auth roles" where the first two, and some time later I also >> heard about wicket-shiro. >> >> But all these three seemed to have one or more of the following down sides >> that irritated me when I evaluated them: >> >> 1. Missing official site. [wicket auth roles] At least I can't find it. >> >> 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >> discussion labeled "is wicket-auth-roles discontinued?". And the comments >> on >> the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that >> they talk about Acegi (the old name for Spring Security) and the project >> has >> dependencies to Wicket 1.3 and Spring 2.0. >> >> 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to >> check out trunk and build yourself) and has three different SNAPSHOT >> dependencies. >> >> 4. Seems to require a lot of different project specific java classes. [all >> three]. >> >> >> The last point, number 4, is a really big down side if you ask me. Keep in >> mind that I was able to integrate Spring Security almost completely in my >> wicket web application with very little new java code needed. And that is a >> good thing, because project specific code is of course much less tested and >> tried compared to official stable code of reputable frameworks. Plus that I >> don't have to reinvent the wheel
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
Thanks for the link. I've already looked at that page and besides the fact that alot of the xml/code is missing in the beginning (like web.xml) I was shocked by the amount of boilerplate code needed to get the wicket side working. That tells me that either 1) people actually copy-paste all this boilerplate code and maybe do minor modifications for their project 2) people use this code as a guide, and write a lot of the implementation them selfs 3) there is some easier (but undocumented) way to use wicket auth-roles (or WASP/SWARM or wicket-shiro), with way less boilerplate code needed. Maybe . 4) people use some other framework 1 and 2 seems just plain wrong, the way I see it. If 3 or 4 is the case I would love to hear about it from someone. /Jimi > You can use Spring security with wicket auth-roles, I works out pretty > nice > compared to the alternatives. iirc You need do your normal Spring > setup, extend AuthenticatedWicketApplication, and AuthenticatedSession > which has an authenticate method you'll call your UserDetails bean from. > > Outdated Link > https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068908.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
I have a SpringSecurityWebApplication and SpringSecurityWebSession class you can use if you want. On Tue, Apr 27, 2010 at 7:49 PM, Ben Tilford wrote: > You can use Spring security with wicket auth-roles, I works out pretty nice > compared to the alternatives. iirc You need do your normal Spring > setup, extend AuthenticatedWicketApplication, and AuthenticatedSession > which has an authenticate method you'll call your UserDetails bean from. > > Outdated Link > https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 > > > On Tue, Apr 27, 2010 at 7:20 PM, Jimi wrote: > >> >> Hi, >> >> I'm curious to know what security frameworks you guys are using. >> >> The reason I'm asking is because I recently tried out Spring Security >> together with a simple wicket web application, and was amazed on how easy >> it >> was. I applied the steps mentioned in their Pet Clinic tutorial >> ( >> http://static.springsource.org/spring-security/site/petclinic-tutorial.html >> ) >> more or less exactly as they are, and I didn't have to write a single line >> of code. All was done using configuration. And even when I replaced the >> hard >> coded list of users (with their passwords and groups) with my custom >> authentication provider (or actually custom UserDetailsService) I only had >> two write two simple classes that implemented two very simple and logical >> interfaces respectively, that used my pre existing hibernate configuration >> and POJOs. >> >> BUT... when I wanted to replace the auto generated login screen (which >> worked great, but just didn't look very appealing) with a custom login page >> I quickly ran into trouble. If the login was successful then all was fine. >> But for the cases when the login failed for some reason (like incorrect >> username/password or database being down) I was having problems accessing >> the error cause. Because as far as I could tell this message (actually an >> Exception subclass) was only available as a http session attribute. And it >> seems that Wicket does everything to hide those from the user, discourages >> the use of the getHttpServletRequest() and the session attributes of the >> wicket session object only seems to include attributes with a specific >> wicket-prefix (like "wicket:wicket.myProject:") which of course caused my >> precious Spring Security session attributes to be unavailable. >> >> It was then I started thinking that Spring Security maybe isn't the best >> security framework together with Wicket. So I started looking around for >> other alternatives. Wicket-security/WASP/SWARM (still not sure what is >> what) >> and "wicket auth roles" where the first two, and some time later I also >> heard about wicket-shiro. >> >> But all these three seemed to have one or more of the following down sides >> that irritated me when I evaluated them: >> >> 1. Missing official site. [wicket auth roles] At least I can't find it. >> >> 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old >> discussion labeled "is wicket-auth-roles discontinued?". And the comments >> on >> the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that >> they talk about Acegi (the old name for Spring Security) and the project >> has >> dependencies to Wicket 1.3 and Spring 2.0. >> >> 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to >> check out trunk and build yourself) and has three different SNAPSHOT >> dependencies. >> >> 4. Seems to require a lot of different project specific java classes. [all >> three]. >> >> >> The last point, number 4, is a really big down side if you ask me. Keep in >> mind that I was able to integrate Spring Security almost completely in my >> wicket web application with very little new java code needed. And that is a >> good thing, because project specific code is of course much less tested and >> tried compared to official stable code of reputable frameworks. Plus that I >> don't have to reinvent the wheel, considering the simple authentication and >> authorization demands of my project. The only thing stopping me was this >> stupid error message in the "unavailable" http session attribute. >> >> I actually started converting my project into a WASP/SWARM project, using >> the example project from >> >> http://out-println.blogspot.com/2009/02/wicket-swarm-spring-security-how-to.
Re: Wicket + security, what are the best options? Spring Security reached almost all the way...
You can use Spring security with wicket auth-roles, I works out pretty nice compared to the alternatives. iirc You need do your normal Spring setup, extend AuthenticatedWicketApplication, and AuthenticatedSession which has an authenticate method you'll call your UserDetails bean from. Outdated Link https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html#SpringSecurityandWicket-auth-roles-ExampleWicket1.3.5 On Tue, Apr 27, 2010 at 7:20 PM, Jimi wrote: > > Hi, > > I'm curious to know what security frameworks you guys are using. > > The reason I'm asking is because I recently tried out Spring Security > together with a simple wicket web application, and was amazed on how easy > it > was. I applied the steps mentioned in their Pet Clinic tutorial > ( > http://static.springsource.org/spring-security/site/petclinic-tutorial.html > ) > more or less exactly as they are, and I didn't have to write a single line > of code. All was done using configuration. And even when I replaced the > hard > coded list of users (with their passwords and groups) with my custom > authentication provider (or actually custom UserDetailsService) I only had > two write two simple classes that implemented two very simple and logical > interfaces respectively, that used my pre existing hibernate configuration > and POJOs. > > BUT... when I wanted to replace the auto generated login screen (which > worked great, but just didn't look very appealing) with a custom login page > I quickly ran into trouble. If the login was successful then all was fine. > But for the cases when the login failed for some reason (like incorrect > username/password or database being down) I was having problems accessing > the error cause. Because as far as I could tell this message (actually an > Exception subclass) was only available as a http session attribute. And it > seems that Wicket does everything to hide those from the user, discourages > the use of the getHttpServletRequest() and the session attributes of the > wicket session object only seems to include attributes with a specific > wicket-prefix (like "wicket:wicket.myProject:") which of course caused my > precious Spring Security session attributes to be unavailable. > > It was then I started thinking that Spring Security maybe isn't the best > security framework together with Wicket. So I started looking around for > other alternatives. Wicket-security/WASP/SWARM (still not sure what is > what) > and "wicket auth roles" where the first two, and some time later I also > heard about wicket-shiro. > > But all these three seemed to have one or more of the following down sides > that irritated me when I evaluated them: > > 1. Missing official site. [wicket auth roles] At least I can't find it. > > 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old > discussion labeled "is wicket-auth-roles discontinued?". And the comments > on > the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that > they talk about Acegi (the old name for Spring Security) and the project > has > dependencies to Wicket 1.3 and Spring 2.0. > > 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to > check out trunk and build yourself) and has three different SNAPSHOT > dependencies. > > 4. Seems to require a lot of different project specific java classes. [all > three]. > > > The last point, number 4, is a really big down side if you ask me. Keep in > mind that I was able to integrate Spring Security almost completely in my > wicket web application with very little new java code needed. And that is a > good thing, because project specific code is of course much less tested and > tried compared to official stable code of reputable frameworks. Plus that I > don't have to reinvent the wheel, considering the simple authentication and > authorization demands of my project. The only thing stopping me was this > stupid error message in the "unavailable" http session attribute. > > I actually started converting my project into a WASP/SWARM project, using > the example project from > > http://out-println.blogspot.com/2009/02/wicket-swarm-spring-security-how-to.html > , > but after creating class after class after class of in-my-eyes boilerplate > code I got the overwhelming feeling that I was making my project more and > more dirty. And, more importantly, I got the feeling that this shouldn't be > so complicated. Other people surely have done this before, and maybe there > is a good, stable and official framework/plugin/whatever that makes Spring > Security and Wicket integration into a breeze. Which it really was when
Wicket + security, what are the best options? Spring Security reached almost all the way...
Hi, I'm curious to know what security frameworks you guys are using. The reason I'm asking is because I recently tried out Spring Security together with a simple wicket web application, and was amazed on how easy it was. I applied the steps mentioned in their Pet Clinic tutorial (http://static.springsource.org/spring-security/site/petclinic-tutorial.html) more or less exactly as they are, and I didn't have to write a single line of code. All was done using configuration. And even when I replaced the hard coded list of users (with their passwords and groups) with my custom authentication provider (or actually custom UserDetailsService) I only had two write two simple classes that implemented two very simple and logical interfaces respectively, that used my pre existing hibernate configuration and POJOs. BUT... when I wanted to replace the auto generated login screen (which worked great, but just didn't look very appealing) with a custom login page I quickly ran into trouble. If the login was successful then all was fine. But for the cases when the login failed for some reason (like incorrect username/password or database being down) I was having problems accessing the error cause. Because as far as I could tell this message (actually an Exception subclass) was only available as a http session attribute. And it seems that Wicket does everything to hide those from the user, discourages the use of the getHttpServletRequest() and the session attributes of the wicket session object only seems to include attributes with a specific wicket-prefix (like "wicket:wicket.myProject:") which of course caused my precious Spring Security session attributes to be unavailable. It was then I started thinking that Spring Security maybe isn't the best security framework together with Wicket. So I started looking around for other alternatives. Wicket-security/WASP/SWARM (still not sure what is what) and "wicket auth roles" where the first two, and some time later I also heard about wicket-shiro. But all these three seemed to have one or more of the following down sides that irritated me when I evaluated them: 1. Missing official site. [wicket auth roles] At least I can't find it. 2. Seems old. [wicket auth roles + WASP/SWARM] Found a two year old discussion labeled "is wicket-auth-roles discontinued?". And the comments on the "Getting started with Swarm" wiki page is from 2007 and 2008, plus that they talk about Acegi (the old name for Spring Security) and the project has dependencies to Wicket 1.3 and Spring 2.0. 3. Doesn't seem stable. [wicket-shiro] No maven repository (you have to check out trunk and build yourself) and has three different SNAPSHOT dependencies. 4. Seems to require a lot of different project specific java classes. [all three]. The last point, number 4, is a really big down side if you ask me. Keep in mind that I was able to integrate Spring Security almost completely in my wicket web application with very little new java code needed. And that is a good thing, because project specific code is of course much less tested and tried compared to official stable code of reputable frameworks. Plus that I don't have to reinvent the wheel, considering the simple authentication and authorization demands of my project. The only thing stopping me was this stupid error message in the "unavailable" http session attribute. I actually started converting my project into a WASP/SWARM project, using the example project from http://out-println.blogspot.com/2009/02/wicket-swarm-spring-security-how-to.html, but after creating class after class after class of in-my-eyes boilerplate code I got the overwhelming feeling that I was making my project more and more dirty. And, more importantly, I got the feeling that this shouldn't be so complicated. Other people surely have done this before, and maybe there is a good, stable and official framework/plugin/whatever that makes Spring Security and Wicket integration into a breeze. Which it really was when I followed the Pet Clinic tutorial (see URL above), since that used the auto generated login form. So, any input from you guys? What do you use to secure your wicket web sites? Or maybe someone can explain how to best solve my Wicket+Spring Security problem with the "hidden" http session attributes? Also, I hope I didn't step on anybody's toes with my list of down sides. Maybe I just haven't found the right web pages that document these frameworks(?) and how easy it can be to use them. Tips more then welcome! Regards /Jimi Hullegård -- View this message in context: http://apache-wicket.1842946.n4.nabble.com/Wicket-security-what-are-the-best-options-Spring-Security-reached-almost-all-the-way-tp2068415p2068415.html Sent from the Wicket - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
RE: [announce] Wicket Security 1.4-rc1 released
This is excellent news - thanks! Best Regards, Ben -Original Message- From: Martijn Dashorst [mailto:martijn.dasho...@gmail.com] Sent: Tuesday, April 27, 2010 5:39 AM To: users@wicket.apache.org Subject: [announce] Wicket Security 1.4-rc1 released We have released Wicket Security 1.4-rc1. This release makes Wicket Security (more) compatible with Wicket 1.4. You can upgrade from 1.4-beta1 by updating the version in your poms to 1.4-rc1. Individual files can be retrieved from here: http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security Martijn & Emond - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
[announce] Wicket Security 1.4-rc1 released
We have released Wicket Security 1.4-rc1. This release makes Wicket Security (more) compatible with Wicket 1.4. You can upgrade from 1.4-beta1 by updating the version in your poms to 1.4-rc1. Individual files can be retrieved from here: http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security Martijn & Emond - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
RE: Wicket 1.4 upgrade - dependent on Wicket Security 1.4
Thanks Martijn - great to hear! Given your info, we are going to proceed with our own testing as well. We will make sure to report back with any issues that we come across. Thanks again, Ben -Original Message- From: Martijn Dashorst [mailto:martijn.dasho...@gmail.com] Sent: Friday, April 23, 2010 4:38 AM To: users@wicket.apache.org Subject: Re: Wicket 1.4 upgrade - dependent on Wicket Security 1.4 We're about to migrate our 800+ page application from 1.3.7 to 1.4.x which heavily uses Wicket Security. So while the codebase for Wicket Security 1.4 is already pretty stable we really want to ensure everything works before we put a final/stable sticker on Wicket Security 1.4. Expect a Wicket Security 1.4-beta release in the next week or two and a final release before the end of june (or possibly sooner). Martijn On Thu, Apr 22, 2010 at 10:02 PM, Ben Swenka wrote: > Hello, > > > > We've been using Wicket 1.3.7 for quite a while now. We've been waiting to > upgrade to Wicket 1.4 until Wicket Security 1.4 was in a released/production > state. > > > > Can anybody provide any insight into the current state of Wicket Security > 1.4? Would you recommend upgrading with the Beta 1 code, or waiting until > Wicket Security 1.4 is in release/production mode? > > > > Is there a rough timeline on when Wicket Security 1.4 will be in a > production/released status? > > > > Is anybody using Wicket 1.4/Wicket Security 1.4/Spring Security 2.0.x > together in production? > > > > Thank you very much, > > Ben Swenka > -- Become a Wicket expert, learn from the best: http://wicketinaction.com Apache Wicket 1.4 increases type safety for web applications Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.4 - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket 1.4 upgrade - dependent on Wicket Security 1.4
We're about to migrate our 800+ page application from 1.3.7 to 1.4.x which heavily uses Wicket Security. So while the codebase for Wicket Security 1.4 is already pretty stable we really want to ensure everything works before we put a final/stable sticker on Wicket Security 1.4. Expect a Wicket Security 1.4-beta release in the next week or two and a final release before the end of june (or possibly sooner). Martijn On Thu, Apr 22, 2010 at 10:02 PM, Ben Swenka wrote: > Hello, > > > > We’ve been using Wicket 1.3.7 for quite a while now. We’ve been waiting to > upgrade to Wicket 1.4 until Wicket Security 1.4 was in a released/production > state. > > > > Can anybody provide any insight into the current state of Wicket Security > 1.4? Would you recommend upgrading with the Beta 1 code, or waiting until > Wicket Security 1.4 is in release/production mode? > > > > Is there a rough timeline on when Wicket Security 1.4 will be in a > production/released status? > > > > Is anybody using Wicket 1.4/Wicket Security 1.4/Spring Security 2.0.x > together in production? > > > > Thank you very much, > > Ben Swenka > -- Become a Wicket expert, learn from the best: http://wicketinaction.com Apache Wicket 1.4 increases type safety for web applications Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.4 - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Wicket 1.4 upgrade - dependent on Wicket Security 1.4
Hello, We’ve been using Wicket 1.3.7 for quite a while now. We’ve been waiting to upgrade to Wicket 1.4 until Wicket Security 1.4 was in a released/production state. Can anybody provide any insight into the current state of Wicket Security 1.4? Would you recommend upgrading with the Beta 1 code, or waiting until Wicket Security 1.4 is in release/production mode? Is there a rough timeline on when Wicket Security 1.4 will be in a production/released status? Is anybody using Wicket 1.4/Wicket Security 1.4/Spring Security 2.0.x together in production? Thank you very much, Ben Swenka
Re: [release] Wicket Security 1.4-beta1
I've just checked in a major commit on wicket-security-1.4, adding generics, cleaning up the API where needed and introducing a project wide source code formatting. This commit has changed the API of wicket-security in some places. If it breaks for you, please let me know, so I can fix it or provide a solution in another way. If you do not want to test this commit, you can always stick to beta1, released last week. Best regards, Emond Papegaaij On Thursday 21 January 2010 10:48:36 Emond Papegaaij wrote: > Wicket Security 1.4-beta1 has just been released. > > This release contains all updates made by Olger Warnier in the last 6 > months to make Wicket Security work with Wicket 1.4 and the examples he > added. It also contains the new ComponentSubclassPermission, which makes > it possible to authorize a class and all its subclasses. But most > importantly: it is the first release for Wicket Security 1.4! > > To include Wicket Security (with Swarm) in your project, add: > > > org.apache.wicket.wicket-security > swarm > 1.4-beta1 > > > More information about Wicket Security can be found at: > http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security > > Although this release works with Wicket 1.4, it does not yet make use of > the generics provided in Wicket 1.4. This will be included in the next > release (beta2), which will follow shortly. > > Best regards, > > Martijn and Emond > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Monday 25 January 2010 15:59:53 James Carman wrote: > On Mon, Jan 25, 2010 at 9:50 AM, Emond Papegaaij > > Most of the complicated stuff is from SWARM, which indeed requires a lot > > of configuration. The difference between WASP and SWARM is not quite > > clear from the documentation, nor is the separation of the two. Some of > > the naming could use some improvement indeed :). The HiveMind manages the > > Hives used in the VM. A Hive contains all principals and permissions of > > an application and ultimately determines if a permission is granted or > > not. However, the Hive (and mind) are part of SWARM and should not be > > part of a general API. > > > > The main elements of WASP are: > > - A set of secure components > > - Several security checks > > - The ActionFactory, with a set of default actions > > - The WaspAuthorizationStrategy, which implements IAuthorizationStrategy > > > > With this, WASP only provides an interface to make you Wicket application > > secure. It has no implementation what-so-ever on how to check the > > security. Therefore, I think it is a good starting point for creating a > > general security API for Wicket. > > So, what does WASP add to wicket-auth-roles that it doesn't have > already? Is it generic enough that we should just put it into > wicket-auth-roles (or a new wicket-security module)? I really don't > like the name WASP. I think wicket-security is intuitive enough (and > follows the other names already out there wicket-ioc, wicket-spring, > etc.). I really don't like the fact that when folks ask questions > about wicket-auth-roles, the usual answer is "wicket-auth-roles is > only a demonstration" or something to that effect. There really > should be a sanctioned/preferred (and pluggable) security framework > for Wicket that we can all get behind. I think WASP is a good name for what it is now: a separate project. A general security framework for wicket should be named wicket-security. WASP makes it possible to authorize single components, models of components and classes. This authorization can be performed on multiple levels, not just RENDER and ENABLE. It also provides the ISecurityCheck interface, which can be used to create reusable security checks. Some default implementations are already provided. The secure components are components that are used often, such as a SecurePageLink that is only visible when the target is authorized. I don't think WASP (or wicket-security) should be integrated into wicket-auth- roles, but auth-roles should be one of the security providers available for Wicket. My vision is that WASP replaces the interfaces in Wicket itself (such as IAuthorizationStrategy) and become part of the core of Wicket. Other frameworks can then build on this interface. However, as I said before, currently WASP is too bloated to be considered as a 'general security API'. Emond - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Mon, Jan 25, 2010 at 9:50 AM, Emond Papegaaij wrote: > I think a good security framework needs to provide an API that allows, but not > require, fine-grained control. > Exactly! That's what I'm looking for. For the folks who want to get down-and-dirty and really tighten the screws on their authorization, they can do that. But, for me and my somewhat limited authorization concerns, I'd like to use something simple. > Most of the complicated stuff is from SWARM, which indeed requires a lot of > configuration. The difference between WASP and SWARM is not quite clear from > the documentation, nor is the separation of the two. Some of the naming could > use some improvement indeed :). The HiveMind manages the Hives used in the VM. > A Hive contains all principals and permissions of an application and > ultimately determines if a permission is granted or not. However, the Hive > (and mind) are part of SWARM and should not be part of a general API. > > The main elements of WASP are: > - A set of secure components > - Several security checks > - The ActionFactory, with a set of default actions > - The WaspAuthorizationStrategy, which implements IAuthorizationStrategy > > With this, WASP only provides an interface to make you Wicket application > secure. It has no implementation what-so-ever on how to check the security. > Therefore, I think it is a good starting point for creating a general security > API for Wicket. > So, what does WASP add to wicket-auth-roles that it doesn't have already? Is it generic enough that we should just put it into wicket-auth-roles (or a new wicket-security module)? I really don't like the name WASP. I think wicket-security is intuitive enough (and follows the other names already out there wicket-ioc, wicket-spring, etc.). I really don't like the fact that when folks ask questions about wicket-auth-roles, the usual answer is "wicket-auth-roles is only a demonstration" or something to that effect. There really should be a sanctioned/preferred (and pluggable) security framework for Wicket that we can all get behind. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Monday 25 January 2010 15:22:42 James Carman wrote: > On Mon, Jan 25, 2010 at 9:11 AM, Emond Papegaaij > > The current wicket-security code is somewhat limited in what you can do > > with it. WASP provides a much richer (probably too rich) interface for > > security. I see WASP as a viable basis for the wicket-security API where > > providers can plug in to. One of these providers will be SWARM, but also > > wicket-security- shiro and wicket-security-spring. Maybe even auth-roles. > > Agreed it's limited, so we should definitely make the API rich enough > so that you can do very fine-grained authorization control or more > coarse-grained. Some projects (like ours) will be okay with just > saying "this page has to have this role." I think a good security framework needs to provide an API that allows, but not require, fine-grained control. > > However WASP in its current state is a too bloated for this. It will > > require a major cleanup. On the other hand, the current wicket-security > > API is too limited for a real security framework to plug in to. For this > > to work, we need to find the fine line that provides a clean, but > > complete API. > > Agreed. When I look at the documentation for SWARM/WASP, I cringe. > I, being one of the (now defunct) Apache HiveMind committers, also > take offense to the name of the HiveMind class. :) Actually, I really > don't like the cutesy names in the API at all. The names don't make > any sense? Why is a "hive" called a "hive" for instance? Why is the > HiveMind class called HiveMind. Just looking at it, it's really not > intuitive. There also seems to be a lot of configuration required to > get things off the ground properly. Most of the complicated stuff is from SWARM, which indeed requires a lot of configuration. The difference between WASP and SWARM is not quite clear from the documentation, nor is the separation of the two. Some of the naming could use some improvement indeed :). The HiveMind manages the Hives used in the VM. A Hive contains all principals and permissions of an application and ultimately determines if a permission is granted or not. However, the Hive (and mind) are part of SWARM and should not be part of a general API. The main elements of WASP are: - A set of secure components - Several security checks - The ActionFactory, with a set of default actions - The WaspAuthorizationStrategy, which implements IAuthorizationStrategy With this, WASP only provides an interface to make you Wicket application secure. It has no implementation what-so-ever on how to check the security. Therefore, I think it is a good starting point for creating a general security API for Wicket. Emond - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Mon, Jan 25, 2010 at 9:11 AM, Emond Papegaaij wrote: > I didn't mean that providing a general framework for security providers is > overkill, just that modifying SWARM to be usable outside a Wicket-environment > is overkill. There is no need to split SWARM into a general security framework > and a Wicket integration part. > And I didn't intend to imply that either. > The current wicket-security code is somewhat limited in what you can do with > it. WASP provides a much richer (probably too rich) interface for security. I > see WASP as a viable basis for the wicket-security API where providers can > plug in to. One of these providers will be SWARM, but also wicket-security- > shiro and wicket-security-spring. Maybe even auth-roles. > Agreed it's limited, so we should definitely make the API rich enough so that you can do very fine-grained authorization control or more coarse-grained. Some projects (like ours) will be okay with just saying "this page has to have this role." > However WASP in its current state is a too bloated for this. It will require a > major cleanup. On the other hand, the current wicket-security API is too > limited for a real security framework to plug in to. For this to work, we need > to find the fine line that provides a clean, but complete API. > Agreed. When I look at the documentation for SWARM/WASP, I cringe. I, being one of the (now defunct) Apache HiveMind committers, also take offense to the name of the HiveMind class. :) Actually, I really don't like the cutesy names in the API at all. The names don't make any sense? Why is a "hive" called a "hive" for instance? Why is the HiveMind class called HiveMind. Just looking at it, it's really not intuitive. There also seems to be a lot of configuration required to get things off the ground properly. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Monday 25 January 2010 14:31:47 James Carman wrote: > On Mon, Jan 25, 2010 at 8:07 AM, Emond Papegaaij > > wrote: > > That sounds a bit overkill to me. I don't think anyone will ever want to > > use SWARM in a non-Wicket application. Naturally, this is a bit different > > for Shiro and spring-security, because these are existing projects (if > > I'm not mistaken), which can also be used without Wicket. > > Overkill? It's not overkill to provide a framework where you can plug > in providers. I didn't say that SWARM should be used outside of > Wicket (I personally wouldn't use it anywhere because I think it's too > complicated). What I was saying was that any security "framework" for > Wicket should allow you to bring your own security provider (shiro, > spring-security, etc). That's exactly what the wicket-security code > provides right now with the AuthenticatedWebApplication, > AuthenticatedWebSession, etc. I didn't mean that providing a general framework for security providers is overkill, just that modifying SWARM to be usable outside a Wicket-environment is overkill. There is no need to split SWARM into a general security framework and a Wicket integration part. The current wicket-security code is somewhat limited in what you can do with it. WASP provides a much richer (probably too rich) interface for security. I see WASP as a viable basis for the wicket-security API where providers can plug in to. One of these providers will be SWARM, but also wicket-security- shiro and wicket-security-spring. Maybe even auth-roles. However WASP in its current state is a too bloated for this. It will require a major cleanup. On the other hand, the current wicket-security API is too limited for a real security framework to plug in to. For this to work, we need to find the fine line that provides a clean, but complete API. Emond Papegaaij - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Mon, Jan 25, 2010 at 8:07 AM, Emond Papegaaij wrote: > That sounds a bit overkill to me. I don't think anyone will ever want to use > SWARM in a non-Wicket application. Naturally, this is a bit different for > Shiro and spring-security, because these are existing projects (if I'm not > mistaken), which can also be used without Wicket. Overkill? It's not overkill to provide a framework where you can plug in providers. I didn't say that SWARM should be used outside of Wicket (I personally wouldn't use it anywhere because I think it's too complicated). What I was saying was that any security "framework" for Wicket should allow you to bring your own security provider (shiro, spring-security, etc). That's exactly what the wicket-security code provides right now with the AuthenticatedWebApplication, AuthenticatedWebSession, etc. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Monday 25 January 2010 13:02:05 James Carman wrote: > On Mon, Jan 25, 2010 at 6:11 AM, Emond Papegaaij > > wrote: > > I do think this is a good idea, however it will be difficult to > > implement. WASP/SWARM already provides this setup. WASP defines the > > interface, where SWARM is the implementation of that interface. I do not > > know about Shiro, but I don't think it is implemented on top of WASP. So > > should SWARM be build on top of the abstractions provided by Shiro (does > > it even have those abstractions?) or should Shiro be build on top of > > WASP? Either way will require a lot of work. > > Shiro shouldn't have to know anything about WASP. What should happen > is Wicket-Security (or whatever we're going to call it) would declare > a "SPI" interface that could be implemented to adapt any security > framework (spring-security, shiro, etc.) to the Wicket-Security API. > The security frameworks themselves wouldn't necessarily (most likely > they would not) implement the interface; there would be an integration > library (e.g. wicket-security-shiro) that bridges the gap. That sounds a bit overkill to me. I don't think anyone will ever want to use SWARM in a non-Wicket application. Naturally, this is a bit different for Shiro and spring-security, because these are existing projects (if I'm not mistaken), which can also be used without Wicket. WASP (Wicket Abstract Security Platform) is what could serve as a basis for what you call 'the Wicket-Security API'. It will require some work to make it more generic and less 'SWARM'-like, but I think the concept is quite good. This can then serve as a basis to build security providers, such as wicket- security-shiro, wicket-security-spring and SWARM. Emond Papegaaij - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Mon, Jan 25, 2010 at 6:11 AM, Emond Papegaaij wrote: > I do think this is a good idea, however it will be difficult to implement. > WASP/SWARM already provides this setup. WASP defines the interface, where > SWARM is the implementation of that interface. I do not know about Shiro, but > I don't think it is implemented on top of WASP. So should SWARM be build on > top of the abstractions provided by Shiro (does it even have those > abstractions?) or should Shiro be build on top of WASP? Either way will > require a lot of work. Shiro shouldn't have to know anything about WASP. What should happen is Wicket-Security (or whatever we're going to call it) would declare a "SPI" interface that could be implemented to adapt any security framework (spring-security, shiro, etc.) to the Wicket-Security API. The security frameworks themselves wouldn't necessarily (most likely they would not) implement the interface; there would be an integration library (e.g. wicket-security-shiro) that bridges the gap. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
I do think this is a good idea, however it will be difficult to implement. WASP/SWARM already provides this setup. WASP defines the interface, where SWARM is the implementation of that interface. I do not know about Shiro, but I don't think it is implemented on top of WASP. So should SWARM be build on top of the abstractions provided by Shiro (does it even have those abstractions?) or should Shiro be build on top of WASP? Either way will require a lot of work. I don't know who is the maintainer of Shiro, but I don't mind changing WASP to allow Shiro to be build on top of it, or the other way around (building SWARM on top of Shiro). Perhaps this core security framework can then be integrated into the wicket core. However, I doubt if such a thing can be accomplished for wicket 1.5 (or at all). Best regards, Emond Papegaaij On Monday 25 January 2010 11:11:31 nino martinez wael wrote: > No one has a feeling about making a "super/parent" security framework for > wicket and then let providers implement their solution.. Like JPA ? It > would mean that it would be the same using Shiro or Swarm / Wasp etc.. You > just switch provider? > > 2010/1/22 nino martinez wael > > > I am in doubt. What I think would be best are creating a parent framework > > like wicket ioc. And then the different security providers could use > > that.. Does it seem reasonable? > > > > That would mean keeping Wicket security at stuff, but probably extracting > > interfaces? And maybe adopting a few committers from wicket shiro / > > wicket security and if there are other integrations to a sub project at > > Apache Wicket, to make it less of a burden as Igor writes. > > > > > > > > [ ] adopt Wicket security into Apache Wicket > > [X ] keep Wicket security at Wicket Stuff > > > > 2010/1/22 Martijn Dashorst > > > > Guys, > > > >> I'd like to discuss the future of the Wicket Security project. > >> Currently the project lives on/in the wicketstuff repository, but uses > >> group id and package names "org.apache.wicket". IMO We should either: > >> > >> - adopt Wicket Security into the Wicket project and move everything > >> over from Wicket Stuff into a subproject within Apache Wicket (and > >> adopt the committers), or > >> - keep Wicket Security at wicketstuff and move it into the fold of > >> wicket stuff, including groupid/package rename. > >> > >> Since development on wicket security 1.4 is currently happening with a > >> 1.4-beta1 just released, it is prudent to decide its future now (with > >> a pending package rename). > >> > >> Considering that both the wicket security contributors and the Wicket > >> PMC members are needed to make this happen, all their opinions are > >> considered binding. > >> > >> [ ] adopt Wicket security into Apache Wicket > >> [ ] keep Wicket security at Wicket Stuff > >> > >> Martijn > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > >> For additional commands, e-mail: users-h...@wicket.apache.org > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
No one has a feeling about making a "super/parent" security framework for wicket and then let providers implement their solution.. Like JPA ? It would mean that it would be the same using Shiro or Swarm / Wasp etc.. You just switch provider? 2010/1/22 nino martinez wael > I am in doubt. What I think would be best are creating a parent framework > like wicket ioc. And then the different security providers could use that.. > Does it seem reasonable? > > That would mean keeping Wicket security at stuff, but probably extracting > interfaces? And maybe adopting a few committers from wicket shiro / wicket > security and if there are other integrations to a sub project at Apache > Wicket, to make it less of a burden as Igor writes. > > > > [ ] adopt Wicket security into Apache Wicket > [X ] keep Wicket security at Wicket Stuff > > 2010/1/22 Martijn Dashorst > > Guys, >> >> I'd like to discuss the future of the Wicket Security project. >> Currently the project lives on/in the wicketstuff repository, but uses >> group id and package names "org.apache.wicket". IMO We should either: >> >> - adopt Wicket Security into the Wicket project and move everything >> over from Wicket Stuff into a subproject within Apache Wicket (and >> adopt the committers), or >> - keep Wicket Security at wicketstuff and move it into the fold of >> wicket stuff, including groupid/package rename. >> >> Since development on wicket security 1.4 is currently happening with a >> 1.4-beta1 just released, it is prudent to decide its future now (with >> a pending package rename). >> >> Considering that both the wicket security contributors and the Wicket >> PMC members are needed to make this happen, all their opinions are >> considered binding. >> >> [ ] adopt Wicket security into Apache Wicket >> [ ] keep Wicket security at Wicket Stuff >> >> Martijn >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> >
Re: Future of Wicket Security (WASP/SWARM)
Also -1 on bringing it into core. I don't feel it has wide enough adoption to justify it being maintained by core committers. There's too many security options out there. -- Jeremy Thomerson http://www.wickettraining.com On Fri, Jan 22, 2010 at 10:53 AM, Igor Vaynberg wrote: > -1 on bringing this into the core. its more code to maintain and we > are busy enough already making improvements to the core itself. > > -igor > > On Fri, Jan 22, 2010 at 1:52 AM, Martijn Dashorst > wrote: > > Guys, > > > > I'd like to discuss the future of the Wicket Security project. > > Currently the project lives on/in the wicketstuff repository, but uses > > group id and package names "org.apache.wicket". IMO We should either: > > > > - adopt Wicket Security into the Wicket project and move everything > > over from Wicket Stuff into a subproject within Apache Wicket (and > > adopt the committers), or > > - keep Wicket Security at wicketstuff and move it into the fold of > > wicket stuff, including groupid/package rename. > > > > Since development on wicket security 1.4 is currently happening with a > > 1.4-beta1 just released, it is prudent to decide its future now (with > > a pending package rename). > > > > Considering that both the wicket security contributors and the Wicket > > PMC members are needed to make this happen, all their opinions are > > considered binding. > > > > [ ] adopt Wicket security into Apache Wicket > > [ ] keep Wicket security at Wicket Stuff > > > > Martijn > > > > - > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > > For additional commands, e-mail: users-h...@wicket.apache.org > > > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > >
Re: Future of Wicket Security (WASP/SWARM)
I am in doubt. What I think would be best are creating a parent framework like wicket ioc. And then the different security providers could use that.. Does it seem reasonable? That would mean keeping Wicket security at stuff, but probably extracting interfaces? And maybe adopting a few committers from wicket shiro / wicket security and if there are other integrations to a sub project at Apache Wicket, to make it less of a burden as Igor writes. [ ] adopt Wicket security into Apache Wicket [X ] keep Wicket security at Wicket Stuff 2010/1/22 Martijn Dashorst > Guys, > > I'd like to discuss the future of the Wicket Security project. > Currently the project lives on/in the wicketstuff repository, but uses > group id and package names "org.apache.wicket". IMO We should either: > > - adopt Wicket Security into the Wicket project and move everything > over from Wicket Stuff into a subproject within Apache Wicket (and > adopt the committers), or > - keep Wicket Security at wicketstuff and move it into the fold of > wicket stuff, including groupid/package rename. > > Since development on wicket security 1.4 is currently happening with a > 1.4-beta1 just released, it is prudent to decide its future now (with > a pending package rename). > > Considering that both the wicket security contributors and the Wicket > PMC members are needed to make this happen, all their opinions are > considered binding. > > [ ] adopt Wicket security into Apache Wicket > [ ] keep Wicket security at Wicket Stuff > > Martijn > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > >
Re: Future of Wicket Security (WASP/SWARM)
-1 on bringing this into the core. its more code to maintain and we are busy enough already making improvements to the core itself. -igor On Fri, Jan 22, 2010 at 1:52 AM, Martijn Dashorst wrote: > Guys, > > I'd like to discuss the future of the Wicket Security project. > Currently the project lives on/in the wicketstuff repository, but uses > group id and package names "org.apache.wicket". IMO We should either: > > - adopt Wicket Security into the Wicket project and move everything > over from Wicket Stuff into a subproject within Apache Wicket (and > adopt the committers), or > - keep Wicket Security at wicketstuff and move it into the fold of > wicket stuff, including groupid/package rename. > > Since development on wicket security 1.4 is currently happening with a > 1.4-beta1 just released, it is prudent to decide its future now (with > a pending package rename). > > Considering that both the wicket security contributors and the Wicket > PMC members are needed to make this happen, all their opinions are > considered binding. > > [ ] adopt Wicket security into Apache Wicket > [ ] keep Wicket security at Wicket Stuff > > Martijn > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
Hi Martijn! > [ ] adopt Wicket security into Apache Wicket > [x] keep Wicket security at Wicket Stuff Best regards, --- Jan. - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Fri, Jan 22, 2010 at 5:07 PM, Ben Tilford wrote: > Assuming adopting it into Apache Wicket would mean being in the wicket jar > instead of an optional jar. Huh? What part of > - adopt Wicket Security into the Wicket project and move everything > over from Wicket Stuff into a subproject within Apache Wicket (and > adopt the committers), or is unclear? Martijn - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
Assuming adopting it into Apache Wicket would mean being in the wicket jar instead of an optional jar. [ ] adopt Wicket security into Apache Wicket [x] keep Wicket security at Wicket Stuff On Fri, Jan 22, 2010 at 11:00 AM, Les Hazlewood wrote: > > [ ] adopt Wicket security into Apache Wicket > > [x] keep Wicket security at Wicket Stuff > > I am biased, yes, but I much prefer Shiro in my Wicket apps too :) > > - Les > > On Fri, Jan 22, 2010 at 10:03 AM, Martin Grigorov > wrote: > > On Fri, 2010-01-22 at 10:52 +0100, Martijn Dashorst wrote: > >> Guys, > >> > >> I'd like to discuss the future of the Wicket Security project. > >> Currently the project lives on/in the wicketstuff repository, but uses > >> group id and package names "org.apache.wicket". IMO We should either: > >> > >> - adopt Wicket Security into the Wicket project and move everything > >> over from Wicket Stuff into a subproject within Apache Wicket (and > >> adopt the committers), or > >> - keep Wicket Security at wicketstuff and move it into the fold of > >> wicket stuff, including groupid/package rename. > >> > >> Since development on wicket security 1.4 is currently happening with a > >> 1.4-beta1 just released, it is prudent to decide its future now (with > >> a pending package rename). > >> > >> Considering that both the wicket security contributors and the Wicket > >> PMC members are needed to make this happen, all their opinions are > >> considered binding. > >> > >> [ ] adopt Wicket security into Apache Wicket > >> [x] keep Wicket security at Wicket Stuff > > I haven't seen in the mailing lists many users of it. Most of them use > > Spring Security (my statistics). > > > > I think there is no need to add one more thing to support by the core > > committers. > > > > P.S. I personally prefer Shiro. > >> > >> Martijn > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > >> For additional commands, e-mail: users-h...@wicket.apache.org > >> > >> > > > > > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > >
Re: Future of Wicket Security (WASP/SWARM)
> [ ] adopt Wicket security into Apache Wicket > [x] keep Wicket security at Wicket Stuff I am biased, yes, but I much prefer Shiro in my Wicket apps too :) - Les On Fri, Jan 22, 2010 at 10:03 AM, Martin Grigorov wrote: > On Fri, 2010-01-22 at 10:52 +0100, Martijn Dashorst wrote: >> Guys, >> >> I'd like to discuss the future of the Wicket Security project. >> Currently the project lives on/in the wicketstuff repository, but uses >> group id and package names "org.apache.wicket". IMO We should either: >> >> - adopt Wicket Security into the Wicket project and move everything >> over from Wicket Stuff into a subproject within Apache Wicket (and >> adopt the committers), or >> - keep Wicket Security at wicketstuff and move it into the fold of >> wicket stuff, including groupid/package rename. >> >> Since development on wicket security 1.4 is currently happening with a >> 1.4-beta1 just released, it is prudent to decide its future now (with >> a pending package rename). >> >> Considering that both the wicket security contributors and the Wicket >> PMC members are needed to make this happen, all their opinions are >> considered binding. >> >> [ ] adopt Wicket security into Apache Wicket >> [x] keep Wicket security at Wicket Stuff > I haven't seen in the mailing lists many users of it. Most of them use > Spring Security (my statistics). > > I think there is no need to add one more thing to support by the core > committers. > > P.S. I personally prefer Shiro. >> >> Martijn >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> > > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
I am a user of Wicket Security and I would prefer: [x] adopt Wicket security into Apache Wicket [] keep Wicket security at Wicket Stuff best regards giovanni From: Martin Grigorov To: users@wicket.apache.org Cc: d...@wicket.apache.org Sent: Fri, January 22, 2010 4:03:48 PM Subject: Re: Future of Wicket Security (WASP/SWARM) On Fri, 2010-01-22 at 10:52 +0100, Martijn Dashorst wrote: > Guys, > > I'd like to discuss the future of the Wicket Security project. > Currently the project lives on/in the wicketstuff repository, but uses > group id and package names "org.apache.wicket". IMO We should either: > > - adopt Wicket Security into the Wicket project and move everything > over from Wicket Stuff into a subproject within Apache Wicket (and > adopt the committers), or > - keep Wicket Security at wicketstuff and move it into the fold of > wicket stuff, including groupid/package rename. > > Since development on wicket security 1.4 is currently happening with a > 1.4-beta1 just released, it is prudent to decide its future now (with > a pending package rename). > > Considering that both the wicket security contributors and the Wicket > PMC members are needed to make this happen, all their opinions are > considered binding. > > [ ] adopt Wicket security into Apache Wicket > [x] keep Wicket security at Wicket Stuff I haven't seen in the mailing lists many users of it. Most of them use Spring Security (my statistics). I think there is no need to add one more thing to support by the core committers. P.S. I personally prefer Shiro. > > Martijn > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
On Fri, 2010-01-22 at 10:52 +0100, Martijn Dashorst wrote: > Guys, > > I'd like to discuss the future of the Wicket Security project. > Currently the project lives on/in the wicketstuff repository, but uses > group id and package names "org.apache.wicket". IMO We should either: > > - adopt Wicket Security into the Wicket project and move everything > over from Wicket Stuff into a subproject within Apache Wicket (and > adopt the committers), or > - keep Wicket Security at wicketstuff and move it into the fold of > wicket stuff, including groupid/package rename. > > Since development on wicket security 1.4 is currently happening with a > 1.4-beta1 just released, it is prudent to decide its future now (with > a pending package rename). > > Considering that both the wicket security contributors and the Wicket > PMC members are needed to make this happen, all their opinions are > considered binding. > > [ ] adopt Wicket security into Apache Wicket > [x] keep Wicket security at Wicket Stuff I haven't seen in the mailing lists many users of it. Most of them use Spring Security (my statistics). I think there is no need to add one more thing to support by the core committers. P.S. I personally prefer Shiro. > > Martijn > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Future of Wicket Security (WASP/SWARM)
[ ] adopt Wicket security into Apache Wicket > [x ] keep Wicket security at Wicket Stuff > > Pulling more code into Apache Wicket doesn't look like the best option to me. Looking at http://www.ohloh.net/p/wicket/contributors?query=&sort=latest_commit I'd be more interesed in ideas of creating more commitment to the project. mf
