Re: [Wicket-user] 401 HTTP authentication?

2007-07-09 Thread Jesse Barnum
Sean, Jean-Baptiste, Johan, Maurice, thanks for all of your help. I
ended up using a combination of all suggestions, which worked well.
Here's the final code in my Application class in case it's useful to
anybody else:

// Needs java.io.IOException, javax.servlet.http.HttpServletRequest and
// HttpServletResponse, sun.misc.BASE64Decoder, plus the Wicket classes used below.
protected void init() {
    super.init();

    getSecuritySettings().setAuthorizationStrategy( new IAuthorizationStrategy() {
        public boolean isInstantiationAuthorized( Class componentClass ) {
            if( componentClass.getName().startsWith("wicket") ) {
                return true; //Allow wicket error messages to be displayed
            }
            try {
                boolean isAuthenticated = false;
                HttpServletRequest request =
                    ((WebRequest)RequestCycle.get().getRequest()).getHttpServletRequest();
                String auth = request.getHeader("Authorization");
                // a valid auth header will have the type of auth, then a space, then the data
                if (auth != null && auth.indexOf(' ') != -1) {
                    auth = auth.substring(auth.indexOf(' ') + 1);
                    auth = new String( new BASE64Decoder().decodeBuffer( auth ) );
                    int index = auth.indexOf(':');
                    if (index != -1) {
                        String username = auth.substring(0, index);
                        String password = auth.substring(index+1);
                        isAuthenticated = authenticate( username, password );
                    }
                }
                return isAuthenticated;
            } catch( IOException e ) {
                throw new RuntimeException( e );
            }
        }

        private boolean authenticate( String username, String password ) {
            //Authenticate here
            return false; // placeholder so the method compiles; denies access until a real check is added
        }

        public boolean isActionAuthorized( Component component, Action action ) {
            return true;
        }
    } );

    getSecuritySettings().setUnauthorizedComponentInstantiationListener(
            new IUnauthorizedComponentInstantiationListener() {
        public void onUnauthorizedInstantiation( Component component ) {
            HttpServletResponse response =
                ((WebResponse)component.getResponse()).getHttpServletResponse();
            // Ask the browser for Basic credentials, then stop processing with a 401
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + getRealm() + "\"");
            throw new AbortWithHttpStatusException( 401, false );
        }

        private String getRealm() {
            return "YourSecurityRealm";
        }
    } );
}


--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293


On Jul 7, 2007, at 12:27 AM, Sean Sullivan wrote:

>
> Have you tried:
>
> import org.apache.wicket.protocol.http.servlet.*;
>
> throw new AbortWithWebErrorCodeException(401);
>
> // or maybe:
>
> throw new AbortWithHttpStatusException(401, false);
>
>
>
> On 7/3/07, Maurice Marrink <[EMAIL PROTECTED] > wrote:
>
>
> I did some digging in the code and found the following: using the
> RequestCycle you can get the Response, which is most likely a
> WebResponse; from there you can get the HttpServletResponse and set the
> status code to 401. Question remains how to tell Wicket to stop
> processing and simply return the status code.



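A stricter version of the header parsing in the Application class above, as an added example that is not part of the original thread: it accepts only the Basic scheme, treats malformed Base64 as unauthenticated rather than a server error, decodes with an explicit charset, and compares the secret without an early exit. It assumes Java 8+ (java.util.Base64 in place of sun.misc.BASE64Decoder); the class name, method names and sample credentials are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class BasicAuthHeader {
    /** Returns {username, password}, or null if the header is not well-formed Basic auth. */
    static String[] parse(String header) {
        if (header == null) return null;
        int space = header.indexOf(' ');
        // Accept only the Basic scheme; scheme names are case-insensitive.
        if (space < 0 || !header.substring(0, space).equalsIgnoreCase("Basic")) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(space + 1).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed Base64: answer 401, do not surface a 500
        }
        // Decode with an explicit charset instead of the platform default.
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the first ':' only; passwords may contain ':'
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Compares two secrets without stopping at the first differing byte. */
    static boolean sameSecret(String supplied, String expected) {
        return MessageDigest.isEqual(supplied.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample headers; "jesse" / "s3cret:x" are made-up credentials.
        String good = "basic " + Base64.getEncoder()
                .encodeToString("jesse:s3cret:x".getBytes(StandardCharsets.UTF_8));
        String[] headers = { good, "Bearer abc.def.ghi", "Basic !!!not-base64!!!", "Basic", null };
        for (int i = 0; i < headers.length; i++) {
            String[] c = parse(headers[i]);
            boolean ok = c != null && c[0].equals("jesse") && sameSecret(c[1], "s3cret:x");
            // Log the case number, never the header itself: it carries the credentials.
            System.out.println("header " + i + " -> " + (ok ? "authenticated" : "401"));
        }
    }
}
```

Basic credentials are only Base64-encoded, so the 401 challenge from the thread should be served over TLS.
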

Re: [Wicket-user] 401 HTTP authentication?

2007-07-06 Thread Sean Sullivan

Have you tried:

import org.apache.wicket.protocol.http.servlet.*;

throw new AbortWithWebErrorCodeException(401);

// or maybe:

throw new AbortWithHttpStatusException(401, false);



On 7/3/07, Maurice Marrink <[EMAIL PROTECTED]> wrote:

I did some digging in the code and found the following: using the
RequestCycle you can get the Response, which is most likely a
WebResponse; from there you can get the HttpServletResponse and set the
status code to 401. Question remains how to tell Wicket to stop
processing and simply return the status code.



Re: [Wicket-user] 401 HTTP authentication?

2007-07-05 Thread Jean-Baptiste Quenot
* Johan Compagner:
> you can use a Page that you also display and then in the configureResponse()
> you can set the right status
> like the AccessDeniedPage does:
> 
>    protected void configureResponse()
>    {
>        super.configureResponse();
>        getWebRequestCycle().getWebResponse().getHttpServletResponse().setStatus(
>                HttpServletResponse.SC_FORBIDDEN);
>    }
>
>
> or if you don't want a page but only set the status you can do:
>
>    RequestCycle.get().setRequestTarget(new IRequestTarget()
>    {
>        respond()
>        {
>            getWebRequestCycle().getWebResponse().getHttpServletResponse().setStatus(
>                    HttpServletResponse.SC_FORBIDDEN);
>        }
>    });

Or you set the response code and setRequestTarget(new EmptyRequestTarget())
-- 
 Jean-Baptiste Quenot
aka  John Banana   Qwerty
http://caraldi.com/jbq/



Re: [Wicket-user] 401 HTTP authentication?

2007-07-04 Thread Johan Compagner

you can use a Page that you also display and then in the configureResponse()
you can set the right status
like the AccessDeniedPage does:

    protected void configureResponse()
    {
        super.configureResponse();
        getWebRequestCycle().getWebResponse().getHttpServletResponse().setStatus(
                HttpServletResponse.SC_FORBIDDEN);
    }


or if you don't want a page but only set the status you can do:

    RequestCycle.get().setRequestTarget(new IRequestTarget()
    {
        respond()
        {
            getWebRequestCycle().getWebResponse().getHttpServletResponse().setStatus(
                    HttpServletResponse.SC_FORBIDDEN);
        }
    });



On 7/4/07, Jesse Barnum <[EMAIL PROTECTED]> wrote:


What is the right way to use basic HTTP authentication? I know how to
read the headers to extract the username and password, but if they
don't match, or if they're not supplied, what is the best way to send
the 401 response to the user?

It seems like the
ISecuritySettings.setUnauthorizedComponentInstantiationListener()
method assumes that you want to present an HTML login component to
the user.

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293





Re: [Wicket-user] 401 HTTP authentication?

2007-07-04 Thread Maurice Marrink
Very interesting question indeed.
I did some digging in the code and found the following: using the
RequestCycle you can get the Response, which is most likely a
WebResponse; from there you can get the HttpServletResponse and set the
status code to 401. Question remains how to tell Wicket to stop
processing and simply return the status code.

If any of the core committers could respond with a proper way of doing this :)

Maurice



On 7/4/07, Jesse Barnum <[EMAIL PROTECTED]> wrote:
> What is the right way to use basic HTTP authentication? I know how to
> read the headers to extract the username and password, but if they
> don't match, or if they're not supplied, what is the best way to send
> the 401 response to the user?
>
> It seems like the
> ISecuritySettings.setUnauthorizedComponentInstantiationListener()
> method assumes that you want to present an HTML login component to
> the user.
>
> --Jesse Barnum, President, 360Works
> http://www.360works.com
> (770) 234-9293
>
>
>



[Wicket-user] 401 HTTP authentication?

2007-07-03 Thread Jesse Barnum
What is the right way to use basic HTTP authentication? I know how to  
read the headers to extract the username and password, but if they  
don't match, or if they're not supplied, what is the best way to send  
the 401 response to the user?

It seems like the  
ISecuritySettings.setUnauthorizedComponentInstantiationListener()  
method assumes that you want to present an HTML login component to  
the user.

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293


