Hi, I came accross the same problem some months ago (in a more generic way because it wasn't targeting Google only). I made the choice to use PAC4J to benefit from its principle and algorithm : "all you have to do" is to handle page requests and decide wheither or not it should be pushed to PAC4J (are all your pages protected ?). You also have to understand PAC4J, which is not a simple thing because it doesn't feet well with Wicket. You must use a "IndirectClient" (PAC4J term) and call : - DefaultSecurityLogic to start third party authentication - DefaultCallbackLogic to handle callback from the provider, it must be mounted on a URL - DefaultLogoutLogic for logout, it must be mounted also
I made all of this in the following project : https://github.com/tircis/pac4j-wicket No release, no example, no doc (but javadoc), sorry. You'll have to put a Pac4jRequestCycleListener in your web.xml or equivalent, then use the Pac4jApplication or mimic it. The scheme is that AuthenticatedWebApplication decides first (according to role annotations) if users are loggedIn or not, I mean that URL protection is not made by PACJ4. It might be different with Spring boot. The project depends on Wicket 8 but it can be reverted to Wicket 7 easily (1-2 adjustments to make). Last, if you have to handle both IndirectClient and DirectClient (not OAuth Provider, continue to use your local database), then it' even more complicated. In my code I tried to make Wicket SignInPanel feets to PAC4J DirectClient, it's not clean because Wicket SignInPanel is coupled to AuthenticatedWebSession and made an ugly ThreadLocal for credentials short-term storage. Hope it helps -- Sent from: http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org