Took me some time to understand as well so I'm glad to share :)

I'm in the process of tuning this setup, so just out of curiosity, how did you
set up the Wicket properties file(s)? I don't like the idea of having
properties in src/main/java and am looking for a proper way to load them from
a custom location like
src/main/resources/properties/MyWicketApplication.properties.

In our previous project we used the I18n.init() method but I'm thinking of a
more Wicket-y way, maybe using BundleStringResourceLoader? But so far no luck
making that work...

Zbynek

On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
nino.martinez.w...@gmail.com> wrote:

> Yes this is exactly how I've done it :) Thanks for taking time to help...
>
> @WicketSignInPage
> @MountPath("page/login")
> public class LoginPage extends BasePage {
>
>     public LoginPage(PageParameters parameters) {
>         super(parameters);
>
>         if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
>             continueToOriginalDestination();
>         }
>         add(new LoginForm("loginForm"));
>     }
>
>     private class LoginForm extends StatelessForm<LoginForm> {
>
>         private String username;
>         private String password;
>
>         public LoginForm(String id) {
>             super(id);
>             setModel(new CompoundPropertyModel<>(this));
>             add(new FeedbackPanel("feedback"));
>             add(new RequiredTextField<String>("username"));
>             add(new PasswordTextField("password"));
>         }
>
>         @Override
>         protected void onSubmit() {
>             AuthenticatedWebSession session = AuthenticatedWebSession.get();
>             if (session.signIn(username, password)) {
>                 setResponsePage(HomePage.class);
>             } else {
>                 error("Login failed");
>             }
>         }
>     }
> }
>
>
> On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros <zbynekvav...@gmail.com>
> wrote:
>
> > It seems you have mixed my code with your code somehow.
> > You must configure formLogin() and specify loginPage() pointing to your
> > Wicket login page (maybe using @MountPath?).
> > The .loginProcessingUrl() points to "/fake-url" because the authentication
> > itself is called from the Wicket login page
> > via AuthenticatedWebSession.get().signIn(). Or do you use another mechanism
> > in your Wicket login page?
> >
> > Zbynek
> >
> > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > nino.martinez.w...@gmail.com> wrote:
> >
> > > It sort of works. If I go to the actuator I get the HTTP basic auth; if I,
> > > on the same session, go to my pages, I get an "ugly" access denied page
> > > and not the configured Wicket login page. So it sort of works..
> > >
> > > If I just go to localhost:8080/ I get a default Spring login page, not the
> > > Wicket one. Upon successful login it forwards me to the Wicket login page,
> > > where I can log in again and then get to the real application..
> > >
> > > Below my current code:
> > >
> > >
> > > package dk.netdesign.ccadmin.frontend.security;
> > >
> > > import org.springframework.context.annotation.Bean;
> > > import org.springframework.context.annotation.Configuration;
> > > import org.springframework.core.annotation.Order;
> > > import org.springframework.security.authentication.AuthenticationManager;
> > > import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > import org.springframework.security.config.http.SessionCreationPolicy;
> > > import org.springframework.security.core.Authentication;
> > > import org.springframework.security.core.context.SecurityContextHolder;
> > > import org.springframework.security.core.userdetails.User;
> > > import org.springframework.security.core.userdetails.UserDetailsService;
> > > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > import org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > import org.springframework.stereotype.Component;
> > >
> > > @Configuration
> > > public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {
> > >
> > >     @Configuration
> > >     @Order(1)
> > >     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > >
> > >         @Override
> > >         protected void configure(HttpSecurity http) throws Exception {
> > >             http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > >                     .and().csrf().disable()
> > >                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > >                     .and().httpBasic();
> > >         }
> > >     }
> > >
> > >     @Configuration
> > >     @Order(2)
> > >     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > >
> > >         @Override
> > >         protected void configure(HttpSecurity http) throws Exception {
> > >             http.antMatcher("/page/**").authorizeRequests()
> > >                     .antMatchers("/page/login**").permitAll()
> > >                     .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
> > >                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > >                     .and().csrf().disable();
> > >         }
> > >     }
> > >
> > >     @Bean
> > >     public static BCryptPasswordEncoder passwordEncoder() {
> > >         return new BCryptPasswordEncoder();
> > >     }
> > >
> > >     @Bean(name = "authenticationManager")
> > >     @Override
> > >     public AuthenticationManager authenticationManagerBean() throws Exception {
> > >         return super.authenticationManagerBean();
> > >     }
> > >
> > >     public interface IAuthenticationFacade {
> > >         Authentication getAuthentication();
> > >     }
> > >
> > >     @Component
> > >     public class AuthenticationFacade implements IAuthenticationFacade {
> > >
> > >         @Override
> > >         public Authentication getAuthentication() {
> > >             return SecurityContextHolder.getContext().getAuthentication();
> > >         }
> > >     }
> > >
> > >     @Bean
> > >     public UserDetailsService userDetailsService() {
> > >         InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
> > >         manager.createUser(
> > >                 User.withUsername("admin")
> > >                         .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
> > >                         .build());
> > >
> > >         manager.createUser(
> > >                 User.withUsername("actuator")
> > >                         .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> > >                         .build());
> > >
> > >         return manager;
> > >     }
> > > }
> > >
> > >
> > > On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
> > > nino.martinez.w...@gmail.com> wrote:
> > >
> > > > Thanks will try it:)
> > > >
> > > > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <zbynekvav...@gmail.com>
> > > > wrote:
> > > >
> > > >> In my case it works something like this:
> > > >>
> > > > >> @Configuration
> > > > >> @EnableWebSecurity
> > > > >> public class SecurityConfiguration {
> > > > >>
> > > > >>     @Configuration
> > > > >>     @Order(1)
> > > > >>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > > > >>
> > > > >>         // .. user details service, auth providers etc
> > > > >>
> > > > >>         @Override
> > > > >>         protected void configure(HttpSecurity http) throws Exception {
> > > > >>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> > > > >>                     .and().csrf().disable()
> > > > >>                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > > >>                     .and().httpBasic();
> > > > >>         }
> > > > >>     }
> > > > >>
> > > > >>     @Configuration
> > > > >>     @Order(2)
> > > > >>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > > > >>
> > > > >>         // .. user details service, auth providers etc
> > > > >>
> > > > >>         @Override
> > > > >>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> > > > >>             auth.authenticationProvider(wicketAuthenticationProvider);
> > > > >>         }
> > > > >>
> > > > >>         @Override
> > > > >>         protected void configure(HttpSecurity http) throws Exception {
> > > > >>             http.antMatcher("/page/**").authorizeRequests()
> > > > >>                     .antMatchers("/page/login**").permitAll()
> > > > >>                     .antMatchers("/page/**").hasRole("ROLE")
> > > > >>                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > > > >>                     .and().csrf().disable();
> > > > >>         }
> > > > >>
> > > > >>         @Override
> > > > >>         @Bean(name = "authenticationManager")
> > > > >>         public AuthenticationManager authenticationManagerBean() throws Exception {
> > > > >>             return super.authenticationManagerBean();
> > > > >>         }
> > > > >>     }
> > > > >> }
> > > >>
> > > > >> The RestSecurityConfig would be what you would do for actuators; for me
> > > > >> that's the REST API.
> > > > >> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
> > > >>
> > > >> Zbynek
> > > >>
> > > >> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
> > > >> nino.martinez.w...@gmail.com> wrote:
> > > >>
> > > > >> > Do you have an example? Or is it just to cut them into two, like:
> > > > >> > WebSecurityConfigurerAdapter A:
> > > > >> >
> > > > >> > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > >> >
> > > >> > WebSecurityConfigurerAdapter B:
> > > >> >  http
> > > >> >                  .csrf().disable()
> > > >> >                  .authorizeRequests().anyRequest().permitAll()
> > > >> >                  .and()
> > > >> >                  .logout()
> > > >> >                  .permitAll();
> > > >> >          http.headers().frameOptions().disable();
> > > >> >
> > > >> >
> > > > >> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <zbynekvav...@gmail.com>
> > > > >> > wrote:
> > > >> >
> > > >> > > Hi,
> > > >> > >
> > > > >> > > I did a similar thing; the trick here is to use two
> > > > >> > > WebSecurityConfigurerAdapters.
> > > >> > >
> > > >> > > Zbynek
> > > >> > >
> > > >> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > > >> > > nino.martinez.w...@gmail.com> wrote:
> > > >> > >
> > > > >> > > > Hope it's okay to use the Wicket user mailing list for this :)
> > > > >> > > >
> > > > >> > > > First of all, thanks to MarcGiffing for making the project. But I
> > > > >> > > > cannot get actuator endpoints to work with Spring Security and
> > > > >> > > > Wicket Spring Boot.. I've tried a lot of things..
> > > > >> > > >
> > > > >> > > > In my WebSecurityConfigurerAdapter:
> > > > >> > > >
> > > > >> > > > http
> > > > >> > > >         .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > > >> > > >
> > > > >> > > > http
> > > > >> > > >                 .csrf().disable()
> > > > >> > > >                 .authorizeRequests().anyRequest().permitAll()
> > > > >> > > >                 .and()
> > > > >> > > >                 .logout()
> > > > >> > > >                 .permitAll();
> > > > >> > > >         http.headers().frameOptions().disable();
> > > > >> > > >
> > > > >> > > > But that just disables actuator and messes with the Wicket side of
> > > > >> > > > the security.. Anyone have some clues?
> > > >> > > >
> > > >> > > > --
> > > >> > > > Best regards / Med venlig hilsen
> > > >> > > > Nino Martinez
> > > >> > > >
> > > >> > >
> > > >> >
> > > >> >
> > > >> > --
> > > >> > Best regards / Med venlig hilsen
> > > >> > Nino Martinez
> > > >> >
> > > >>
> > > >
> > > >
> > > > --
> > > > Best regards / Med venlig hilsen
> > > > Nino Martinez
> > > >
> > >
> > >
> > > --
> > > Best regards / Med venlig hilsen
> > > Nino Martinez
> > >
> >
>
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>
