I think I am following your example correctly. What I will end up with is
the names of one or more principals that have the permission that was
denied. Those one or more principals will not belong to the current subject.
Then I can use the names of those principals to construct a message. You
could end up with a permission that does not belong to any principal. Strike
that, that would mean that no one would be able to access that component. I
will give this a try. I am sure I will have more questions.

Thanks,

> -----Original Message-----
> From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 13, 2008 2:56 PM
> To: users@wicket.apache.org
> Subject: Re: wicket-security Custom Access Denied Page
>
>
> It actually is a bit trickier than that.
> Swarm does not check for principals it checks for permissions.
> The same permission might be shared by multiple principals.
> To get that information you need to dig deep.
> You can't wait for the wicket UnAuthorizedActionException since all it
> will tell you is the component and what wicket action was not
> authorized (although if you have a really simple policy you might
> figure it out with this information).
> Swarm can tell you, but truthfully the api lacks in that area, i'll see
> if i can fix this for 1.3.1.
>
> For now your best bet is probably to Subclass SwarmStrategy, override
> hasPermission(Permission). Most checks use this method but it is
> always possible for a custom ISecurityCheck to bypass this.
> public boolean hasPermission(Permission p)
> {
>  if(!super.hasPermission(p))
>  {
>   //now we know the permission and we can find out which principals have it
>   //since the hive api does not give that info we need to use a custom
>   //hive, more on that later
>   //for now do something like getHive().getPrincipals(p);
>   //then we need to get the subject and check if it has any of those
>   //principals, the one (or more) that are missing are the one(s) we are
>   //interested in
>   //use getSubject().getPrincipals()
>   //store those principals somewhere in the requestcycle
>   return false;
>  }
>  return true;
> }
> In order to use this new Strategy you need to extend
> SwarmStrategyFactory and override newStrategy to return your subclass.
> Then you need to override setupStrategyFactory in your application to
> do setStrategyFactory(new MySwarmStrategyFactory(getHiveKey()));
>
> Next we need to extend our hive so we can ask it which principals
> belong to which permission (of course the hive already has this
> information but you can not access it).
> If you are using 1.3.0 rc1 you are probably using the
> SimpleCachingHive; extend it and override 2 methods:
> addPrincipal(Principal, Collection) and addPermission(Principal,
> Permission).
> To record which principal has which permissions you can use a
> ManyToManyMap for this; it is also used internally. The information
> recorded can then be exposed in a method like public Set<Principal>
> getPrincipals(Permission).
> This will duplicate all recordings but your other option is to copy
> BasicHive and SimpleCachingHive entirely and create the getPrincipals
> method.
>
> Either way you will need to use this new hive and to do that we need
> to extend PolicyFileHiveFactory (or SwarmPolicyFileHiveFactory if you
> are using the latest 1.3-snapshots), override the createHive() method.
> You can pretty much copy everything from PolicyFileHiveFactory except
> for the first 5 lines you need to create your own hive there. Also
> while copying you will run into a few private variables but you should
> be able to replace those with their getters (although i might have
> missed some, if that is the case you have to copy the entire class).
> In your application's setupHive method you are already creating the
> hivefactory, simply replace it with this custom one.
>
> And that should do the trick. Sorry the api is not more accommodating
> to your needs i'll see if i can make some improvements anytime soon
> for the 1.3-snapshot (1.3.1), but i also have to release 1.3.0 final
> sometime soon.
>
> Maurice
>
> P.S. i did not cover the part about providing the application with
> your own requestcycle but just look for newRequestCycle in your
> application ;)
>
>
> On Feb 13, 2008 6:49 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
> > stick that name into requestcycle's metadata, and pull it out in your
> > implementation of access denied page
> >
> > -igor
> >
> >
> >
> > On Feb 13, 2008 8:31 AM, Warren <[EMAIL PROTECTED]> wrote:
> > > I understand that, but what I want to do is create a message on that page
> > > that reads "Users in group xxx do not have access to yyy" where yyy would be
> > > the name of the principal that triggered the access denied. I need to get
> > > the name of that principal.
> > >
> > >
> > > > -----Original Message-----
> > > > From: Maurice Marrink [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, February 13, 2008 12:12 AM
> > > > To: users@wicket.apache.org
> > > > Subject: Re: wicket-security Custom Access Denied Page
> > > >
> > > >
> > > > In the init of your webapp do
> > > > getApplicationSettings().setAccessDeniedPage(MyPage.class)
> > > >
> > > > This is a wicket setting and not related to the security framework.
> > > >
> > > > Maurice
> > > >
> > > > On Feb 12, 2008 7:50 PM, Warren <[EMAIL PROTECTED]> wrote:
> > > > > How do you set up a custom "access denied page" that has a message on it
> > > > > like "Users in group xxx do not have access to yyy"? I also want to have
> > > > > this page return to the previous page the user was on. I am using
> > > > > wicket-security (wasp and swarm).
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Warren Bell
> > > > >
> > > > >
> > > > >
> ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > >
> > > >
> ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
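
The lookup discussed in this thread (record which principals hold each permission, then on a denial report the principals the subject lacks), as an added example that is not part of the thread and is not wicket-security code. Principals and permissions are plain strings, and the class name, method names and sample policy are constructed stand-ins; permissions implied by other permissions are not modelled.

```java
import java.util.*;

// Added illustration: plain strings stand in for principals and permissions.
// None of these names are the wicket-security (Swarm) API.
public class DeniedPrincipalsDemo {
    // Reverse index, permission -> principals granted it: what the thread
    // suggests recording when the hive's add methods are called.
    static final Map<String, Set<String>> grants = new HashMap<>();

    static void addPermission(String principal, String permission) {
        grants.computeIfAbsent(permission, k -> new TreeSet<>()).add(principal);
    }

    static Set<String> getPrincipals(String permission) {
        return grants.getOrDefault(permission, Collections.emptySet());
    }

    // Stand-in for request-cycle metadata: written on denial, read by the page.
    static final Map<String, Set<String>> denied = new LinkedHashMap<>();

    // Same shape as the overridden hasPermission in the thread. Exact-match
    // lookup only; permissions implied by other permissions are not modelled.
    static boolean hasPermission(Set<String> subjectPrincipals, String permission) {
        Set<String> granting = getPrincipals(permission);
        if (!Collections.disjoint(granting, subjectPrincipals)) {
            return true;
        }
        // Denied, so the subject holds none of the granting principals.
        denied.put(permission, new TreeSet<>(granting));
        return false;
    }

    static String message(String permission) {
        Set<String> granting = denied.get(permission);
        if (granting == null) return "";                      // was not denied
        if (granting.isEmpty()) return "No group has access to " + permission;
        return "Only users in " + String.join(", ", granting)
                + " have access to " + permission;
    }

    public static void main(String[] args) {
        addPermission("managers", "ReportPage");              // constructed policy
        addPermission("auditors", "ReportPage");
        Set<String> subject = Set.of("clerks");               // constructed subject
        for (String p : List.of("ReportPage", "OrphanPage")) {
            if (!hasPermission(subject, p)) System.out.println(message(p));
        }
    }
}
```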
