Took me some time to understand as well so I'm glad to share :) I'm in the process of tuning this setup, so just out of curiosity, how did you set up the Wicket properties file(s)? I don't like the idea of having properties in src/main/java and I'm looking for a proper way to load them from a custom location like src/main/resources/properties/MyWicketApplication.properties.
In our previous project we used the I18n.init() method but I'm thinking of a more Wicket-y way, maybe using BundleStringResourceLoader? But so far no luck making that work...

Zbynek

On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <nino.martinez.w...@gmail.com> wrote:

> Yes this is exactly how I've done it :) Thanks for taking time to help...
>
> @WicketSignInPage
> @MountPath("page/login")
> public class LoginPage extends BasePage {
>
>     public LoginPage(PageParameters parameters) {
>         super(parameters);
>
>         if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
>             continueToOriginalDestination();
>         }
>         add(new LoginForm("loginForm"));
>     }
>
>     private class LoginForm extends StatelessForm<LoginForm> {
>
>         private String username;
>         private String password;
>
>         public LoginForm(String id) {
>             super(id);
>             setModel(new CompoundPropertyModel<>(this));
>             add(new FeedbackPanel("feedback"));
>             add(new RequiredTextField<String>("username"));
>             add(new PasswordTextField("password"));
>         }
>
>         @Override
>         protected void onSubmit() {
>             AuthenticatedWebSession session = AuthenticatedWebSession.get();
>             if (session.signIn(username, password)) {
>                 setResponsePage(HomePage.class);
>             } else {
>                 error("Login failed");
>             }
>         }
>     }
> }
>
> On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros <zbynekvav...@gmail.com> wrote:
>
> > It seems you have mixed my code with your code somehow.
> > You must configure formLogin() and specify loginPage() pointing to your
> > Wicket login page (maybe using @MountPath?).
> > The .loginProcessingUrl() points to "/fake-url" because the authentication
> > itself is called from Wicket login page
> > via AuthenticatedWebSession.get().signIn(). Or do you use other mechanism
> > in your Wicket login page?
> >
> > Zbynek
> >
> > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
> >
> > > It sort of works, If I go to the actuator I get the http basic auth, if I
> > > on the same session goto my pages.. I get an "ugly" access denied page and
> > > not the configured wicket login page. So it sort of works..
> > >
> > > If I just goto localhost:8080/ I get a default spring login page not the
> > > wicket one.. Upon successful login it forwards me to the wicket login page,
> > > where I can login again and then get to the real application..
> > >
> > > Below my current code:
> > >
> > > package dk.netdesign.ccadmin.frontend.security;
> > >
> > > import org.springframework.context.annotation.Bean;
> > > import org.springframework.context.annotation.Configuration;
> > > import org.springframework.core.annotation.Order;
> > > import org.springframework.security.authentication.AuthenticationManager;
> > > import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > import org.springframework.security.config.http.SessionCreationPolicy;
> > > import org.springframework.security.core.Authentication;
> > > import org.springframework.security.core.context.SecurityContextHolder;
> > > import org.springframework.security.core.userdetails.User;
> > > import org.springframework.security.core.userdetails.UserDetailsService;
> > > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > import org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > import org.springframework.stereotype.Component;
> > >
> > > @Configuration
> > > public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {
> > >
> > >     @Configuration
> > >     @Order(1)
> > >     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > >
> > >         @Override
> > >         protected void configure(HttpSecurity http) throws Exception {
> > >             http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > >                     .and().csrf().disable()
> > >                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > >                     .and().httpBasic();
> > >         }
> > >     }
> > >
> > >     @Configuration
> > >     @Order(2)
> > >     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > >         @Override
> > >         protected void configure(HttpSecurity http) throws Exception {
> > >             http.antMatcher("/page/**").authorizeRequests()
> > >                     .antMatchers("/page/login**").permitAll()
> > >                     .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
> > >                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > >                     .and().csrf().disable();
> > >         }
> > >     }
> > >
> > >     @Bean
> > >     public static BCryptPasswordEncoder passwordEncoder() {
> > >         return new BCryptPasswordEncoder();
> > >     }
> > >
> > >     @Bean(name = "authenticationManager")
> > >     @Override
> > >     public AuthenticationManager authenticationManagerBean() throws Exception {
> > >         return super.authenticationManagerBean();
> > >     }
> > >
> > >     public interface IAuthenticationFacade {
> > >         Authentication getAuthentication();
> > >     }
> > >
> > >     @Component
> > >     public class AuthenticationFacade implements IAuthenticationFacade {
> > >
> > >         @Override
> > >         public Authentication getAuthentication() {
> > >             return SecurityContextHolder.getContext().getAuthentication();
> > >         }
> > >     }
> > >
> > >     @Bean
> > >     public UserDetailsService userDetailsService() {
> > >         InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
> > >         manager.createUser(
> > >                 User.withUsername("admin")
> > >                         .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
> > >                         .build());
> > >
> > >         manager.createUser(
> > >                 User.withUsername("actuator")
> > >                         .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> > >                         .build());
> > >
> > >         return manager;
> > >     }
> > > }
> > >
> > > On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
> > >
> > > > Thanks will try it:)
> > > >
> > > > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <zbynekvav...@gmail.com> wrote:
> > > >
> > > >> In my case it works something like this:
> > > >>
> > > >> @Configuration
> > > >> @EnableWebSecurity
> > > >> public class SecurityConfiguration {
> > > >>
> > > >>     @Configuration
> > > >>     @Order(1)
> > > >>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > > >>
> > > >>         // .. user details service, auth providers etc
> > > >>
> > > >>         @Override
> > > >>         protected void configure(HttpSecurity http) throws Exception {
> > > >>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> > > >>                     .and().csrf().disable()
> > > >>                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > >>                     .and().httpBasic();
> > > >>         }
> > > >>     }
> > > >>
> > > >>     @Configuration
> > > >>     @Order(2)
> > > >>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > > >>
> > > >>         // .. user details service, auth providers etc
> > > >>
> > > >>         @Override
> > > >>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> > > >>             auth.authenticationProvider(wicketAuthenticationProvider);
> > > >>         }
> > > >>
> > > >>         @Override
> > > >>         protected void configure(HttpSecurity http) throws Exception {
> > > >>             http.antMatcher("/page/**").authorizeRequests()
> > > >>                     .antMatchers("/page/login**").permitAll()
> > > >>                     .antMatchers("/page/**").hasRole("ROLE")
> > > >>                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > > >>                     .and().csrf().disable();
> > > >>         }
> > > >>
> > > >>         @Override
> > > >>         @Bean(name = "authenticationManager")
> > > >>         public AuthenticationManager authenticationManagerBean() throws Exception {
> > > >>             return super.authenticationManagerBean();
> > > >>         }
> > > >>     }
> > > >> }
> > > >>
> > > >> The RestSecurityConfig would be what you would do for actuators, for me
> > > >> that's the REST API.
> > > >> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
> > > >>
> > > >> Zbynek
> > > >>
> > > >> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
> > > >>
> > > >> > do you have an example? OR is it just to cut them into two like:
> > > >> > WebSecurityConfigurerAdapter A:
> > > >> >
> > > >> > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > >> >
> > > >> > WebSecurityConfigurerAdapter B:
> > > >> > http
> > > >> >     .csrf().disable()
> > > >> >     .authorizeRequests().anyRequest().permitAll()
> > > >> >     .and()
> > > >> >     .logout()
> > > >> >     .permitAll();
> > > >> > http.headers().frameOptions().disable();
> > > >> >
> > > >> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <zbynekvav...@gmail.com> wrote:
> > > >> >
> > > >> > > Hi,
> > > >> > >
> > > >> > > I did similar thing, the trick here is to use two
> > > >> > > WebSecurityConfigurerAdapters.
> > > >> > >
> > > >> > > Zbynek
> > > >> > >
> > > >> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
> > > >> > >
> > > >> > > > Hope it's okay to use the wicket user mailing list for this:)
> > > >> > > >
> > > >> > > > First of all thanks to MarcGiffing for making the project. But I cannot get
> > > >> > > > actuator endpoints to work with spring security and wicket spring boot..
> > > >> > > > I've tried a lot of things..
> > > >> > > >
> > > >> > > > In my WebSecurityConfigurerAdapter:
> > > >> > > >
> > > >> > > > http
> > > >> > > >     .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > >> > > >
> > > >> > > > http
> > > >> > > >     .csrf().disable()
> > > >> > > >     .authorizeRequests().anyRequest().permitAll()
> > > >> > > >     .and()
> > > >> > > >     .logout()
> > > >> > > >     .permitAll();
> > > >> > > > http.headers().frameOptions().disable();
> > > >> > > >
> > > >> > > > But that just disables actuator and messes with the Wicket side of the
> > > >> > > > security.. Any one have some clues?
> > > >> > > >
> > > >> > > > --
> > > >> > > > Best regards / Med venlig hilsen
> > > >> > > > Nino Martinez
> > > >> >
> > > >> > --
> > > >> > Best regards / Med venlig hilsen
> > > >> > Nino Martinez
> > > >
> > > > --
> > > > Best regards / Med venlig hilsen
> > > > Nino Martinez
> > >
> > > --
> > > Best regards / Med venlig hilsen
> > > Nino Martinez
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez