Re: [Wicket-user] 401 HTTP authentication?
Sean, Jean-Baptiste, Johan, Maurice, thanks for all of your help. I ended up using a combination of all suggestions, which worked well. Here's the final code in my Application class in case it's useful to anybody else:

    protected void init() {
        super.init();
        getSecuritySettings().setAuthorizationStrategy( new IAuthorizationStrategy() {
            public boolean isInstantiationAuthorized( Class componentClass ) {
                if( componentClass.getName().startsWith("wicket") ) {
                    return true; //Allow wicket error messages to be displayed
                }
                try {
                    boolean isAuthenticated = false;
                    HttpServletRequest request = ((WebRequest)RequestCycle.get().getRequest()).getHttpServletRequest();
                    String auth = request.getHeader("Authorization");
                    if (auth != null && auth.indexOf(' ') != -1) {
                        // a valid auth header will have the type of auth, then a space, then the data
                        auth = auth.substring(auth.indexOf(' ') + 1);
                        auth = new String( new BASE64Decoder().decodeBuffer( auth ) );
                        int index = auth.indexOf(':');
                        if (index != -1) {
                            String username = auth.substring(0, index);
                            String password = auth.substring(index+1);
                            isAuthenticated = authenticate( username, password );
                        }
                    }
                    return isAuthenticated;
                } catch( IOException e ) {
                    throw new RuntimeException( e );
                }
            }

            private boolean authenticate( String username, String password ) {
                //Authenticate here
            }

            public boolean isActionAuthorized( Component component, Action action ) {
                return true;
            }
        } );

        getSecuritySettings().setUnauthorizedComponentInstantiationListener( new IUnauthorizedComponentInstantiationListener() {
            public void onUnauthorizedInstantiation( Component component ) {
                HttpServletResponse response = ((WebResponse)component.getResponse()).getHttpServletResponse();
                response.setHeader("WWW-Authenticate", "Basic realm=\"" + getRealm() + "\"");
                throw new AbortWithHttpStatusException( 401, false );
            }

            private String getRealm() {
                return "YourSecurityRealm";
            }
        } );
    }

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293

On Jul 7, 2007, at 12:27 AM, Sean Sullivan wrote:

> Have you tried:
>
>     import org.apache.wicket.protocol.http.servlet.*;
>
>     throw new AbortWithWebErrorCodeException(401)
>     // or maybe:
>     throw new AbortWithHttpStatusException(401, false)
>
> On 7/3/07, Maurice Marrink <[EMAIL PROTECTED]> wrote:
>
> > I did some digging in the code and found the following: using the
> > RequestCycle you can get the Response, which is most likely a
> > WebResponse; from there you can get the HttpServletResponse and set the
> > statuscode to 401. Question remains how to tell wicket to stop
> > processing and simply return the statuscode.
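
The header handling in the message above, as an added example that is not part of the thread or of Wicket: a stand-alone parser that accepts only the Basic scheme, treats malformed Base64 as a failed login, decodes with an explicit charset, and compares the password with MessageDigest.isEqual. It assumes Java 8 or later for java.util.Base64; the class name BasicAuthHeader, the method names and the sample credentials are made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

// Added example, not code from the thread: strict parsing of a Basic Authorization header.
public final class BasicAuthHeader {
    public final String username, password;
    private BasicAuthHeader(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Empty result = respond 401: missing header, non-Basic scheme, bad Base64, or no ':'.
    public static Optional<BasicAuthHeader> parse(String header) {
        if (header == null) return Optional.empty();
        int space = header.indexOf(' ');
        if (space < 0 || !header.substring(0, space).equalsIgnoreCase("Basic")) {
            return Optional.empty(); // do not Base64-decode Bearer, Digest, ... values
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(space + 1).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed Base64 is a failed login, not a 500
        }
        String decoded = new String(raw, StandardCharsets.UTF_8); // explicit charset
        int colon = decoded.indexOf(':'); // split on the first ':'; the password may contain more
        if (colon < 0) return Optional.empty();
        return Optional.of(new BasicAuthHeader(decoded.substring(0, colon), decoded.substring(colon + 1)));
    }

    // Byte-wise comparison without the early exit of String.equals.
    public static boolean sameSecret(String supplied, String expected) {
        return MessageDigest.isEqual(supplied.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample headers; "alice" / "s3cret:pw" are made-up credentials.
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret:pw".getBytes(StandardCharsets.UTF_8));
        String[] samples = { good, "Bearer abc.def", "Basic %%%", "Basic bm9jb2xvbg==", null };
        for (String h : samples) {
            boolean ok = parse(h).map(c -> c.username.equals("alice")
                    && sameSecret(c.password, "s3cret:pw")).orElse(false);
            System.out.println(h + " -> " + (ok ? "authenticated" : "401"));
        }
    }
}
```

Only the first constructed header authenticates; the wrong scheme, the invalid Base64, the value with no colon and the missing header all fall through to the 401 path.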
Re: [Wicket-user] 401 HTTP authentication?
Have you tried:

    import org.apache.wicket.protocol.http.servlet.*;

    throw new AbortWithWebErrorCodeException(401)
    // or maybe:
    throw new AbortWithHttpStatusException(401, false)

On 7/3/07, Maurice Marrink <[EMAIL PROTECTED]> wrote:

> I did some digging in the code and found the following: using the
> RequestCycle you can get the Response, which is most likely a
> WebResponse; from there you can get the HttpServletResponse and set the
> statuscode to 401. Question remains how to tell wicket to stop
> processing and simply return the statuscode.
Re: [Wicket-user] 401 HTTP authentication?
* Johan Compagner:

> you can use a Page that you also display and then in the configureResponse()
> you can set the right status
> like the AccessDeniedPage does:
>
>     protected void configureResponse()
>     {
>         super.configureResponse();
>         getWebRequestCycle().getWebResponse().getHttpServletResponse().setStatus(
>             HttpServletResponse.SC_FORBIDDEN);
>     }
>
> or if you don't want a page but only set the status you can do:
>
>     RequestCycle.get().setRequestTarget(new IRequestTarget()
>     {
>         respond()
>         {
>             getWebRequestCycle().getWebResponse().getHttpServletResponse().setStatus(
>                 HttpServletResponse.SC_FORBIDDEN);
>         }
>     });

Or you set the response code and setRequestTarget(new EmptyRequestTarget())

--
Jean-Baptiste Quenot
aka John Banana Qwerty
http://caraldi.com/jbq/
Re: [Wicket-user] 401 HTTP authentication?
you can use a Page that you also display and then in the configureResponse() you can set the right status like the AccessDeniedPage does:

    protected void configureResponse()
    {
        super.configureResponse();
        getWebRequestCycle().getWebResponse().getHttpServletResponse().setStatus(
            HttpServletResponse.SC_FORBIDDEN);
    }

or if you don't want a page but only set the status you can do:

    RequestCycle.get().setRequestTarget(new IRequestTarget()
    {
        respond()
        {
            getWebRequestCycle().getWebResponse().getHttpServletResponse().setStatus(
                HttpServletResponse.SC_FORBIDDEN);
        }
    });

On 7/4/07, Jesse Barnum <[EMAIL PROTECTED]> wrote:

> What is the right way to use basic HTTP authentication? I know how to
> read the headers to extract the username and password, but if they
> don't match, or if they're not supplied, what is the best way to send
> the 401 response to the user?
>
> It seems like the
> ISecuritySettings.setUnauthorizedComponentInstantiationListener()
> method assumes that you want to present an HTML login component to
> the user.
>
> --Jesse Barnum, President, 360Works
> http://www.360works.com
> (770) 234-9293
Re: [Wicket-user] 401 HTTP authentication?
Very interesting question indeed.

I did some digging in the code and found the following: using the RequestCycle you can get the Response, which is most likely a WebResponse; from there you can get the HttpServletResponse and set the statuscode to 401. Question remains how to tell wicket to stop processing and simply return the statuscode.

If any of the core committers could respond with a proper way of doing this :)

Maurice

On 7/4/07, Jesse Barnum <[EMAIL PROTECTED]> wrote:

> What is the right way to use basic HTTP authentication? I know how to
> read the headers to extract the username and password, but if they
> don't match, or if they're not supplied, what is the best way to send
> the 401 response to the user?
>
> It seems like the
> ISecuritySettings.setUnauthorizedComponentInstantiationListener()
> method assumes that you want to present an HTML login component to
> the user.
>
> --Jesse Barnum, President, 360Works
> http://www.360works.com
> (770) 234-9293
[Wicket-user] 401 HTTP authentication?
What is the right way to use basic HTTP authentication? I know how to read the headers to extract the username and password, but if they don't match, or if they're not supplied, what is the best way to send the 401 response to the user?

It seems like the ISecuritySettings.setUnauthorizedComponentInstantiationListener() method assumes that you want to present an HTML login component to the user.

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293