Well, since your page will never be constructed when the user is not logged in, it is secure. Even when your page is stateless, a user will never be able to reference components on the page.

So if the isLoggedIn() method on your UserLoggedInSession works (and is tested!) you should be good to go.

Bas

----- Original Message -----
From: "Henrique Boregio" <hbore...@gmail.com>
To: <users@wicket.apache.org>
Sent: Friday, December 10, 2010 3:03 PM
Subject: Basic Webpage security


Just like many others, my website has parts that are “public” and
parts where the user has to log in to see them. Since I don’t need to
manage user roles, I have this basic interface:

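    import org.apache.wicket.RestartResponseException;
    import org.apache.wicket.markup.html.WebPage;

    // Base class for "private" pages: the login check runs in the constructor,
    // so a subclass is never fully constructed for a user who is not logged in.
    public class SecureWebPage extends WebPage {
        public SecureWebPage() {
            if (!UserLoggedInSession.get().isLoggedIn()) {
                // Redirect the browser to the login page instead of rendering this one.
                getRequestCycle().setRedirect(true);
                throw new RestartResponseException(Login.class);
            }
        }
    }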

So, if I have a webpage that is “private”, it just extends this
interface instead of the normal Wicket Page.

My question is, just how safe is this approach to securing specific
individual webpages?
Could this security mechanism be easily broken and let non-logged-in users in?

Thanks.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org


