Have you gone through this:

https://ci.apache.org/projects/wicket/guide/8.x/single.html#_extending_the_default_lookup_algorithm
(which it seems you have, please show a little code)

And could you tell me how to make Spring redirect to my wicket login page
for all urls except /actuator (which is handled by basic auth)? Also every
wicket page which requires authentication should redirect to /login page if
you either lack permissions or aren't logged in.

-Nino



On Fri, Jan 25, 2019 at 8:18 AM Zbynek Vavros <zbynekvav...@gmail.com>
wrote:

> Took me some time to understand as well so I'm glad to share :)
>
> I'm in the process of tuning this setup so just out of curiosity how did you
> set up the Wicket properties file(s)? I don't like the idea of having
> properties in src/main/java and am looking for a proper way to load them from
> a custom location like
> src/main/resources/properties/MyWicketApplication.properties.
>
> In our previous project we used I18n.init() method but I'm thinking more
> Wicket-y way,
> maybe using BundleStringResourceLoader? But so far no luck making that
> work...
>
> Zbynek
>
> On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
> nino.martinez.w...@gmail.com> wrote:
>
> > Yes this is exactly how I've done it :) Thanks for taking time to help...
> >
> > @WicketSignInPage
> > @MountPath("page/login")
> > public class LoginPage extends BasePage {
> >
> >     public LoginPage(PageParameters parameters) {
> >         super(parameters);
> >
> >         if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> >             continueToOriginalDestination();
> >         }
> >         add(new LoginForm("loginForm"));
> >     }
> >
> >     private class LoginForm extends StatelessForm<LoginForm> {
> >
> >         private String username;
> >         private String password;
> >
> >         public LoginForm(String id) {
> >             super(id);
> >             setModel(new CompoundPropertyModel<>(this));
> >             add(new FeedbackPanel("feedback"));
> >             add(new RequiredTextField<String>("username"));
> >             add(new PasswordTextField("password"));
> >         }
> >
> >         @Override
> >         protected void onSubmit() {
> >             AuthenticatedWebSession session = AuthenticatedWebSession.get();
> >             if (session.signIn(username, password)) {
> >                 setResponsePage(HomePage.class);
> >             } else {
> >                 error("Login failed");
> >             }
> >         }
> >     }
> > }
> >
> >
> > On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros <zbynekvav...@gmail.com>
> > wrote:
> >
> > > It seems you have mixed my code with your code somehow.
> > > You must configure formLogin() and specify loginPage() pointing to your
> > > Wicket login page (maybe using @MountPath?).
> > > The .loginProcessingUrl() points to "/fake-url" because the authentication
> > > itself is called from the Wicket login page
> > > via AuthenticatedWebSession.get().signIn(). Or do you use another mechanism
> > > in your Wicket login page?
> > >
> > > Zbynek
> > >
> > > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > > nino.martinez.w...@gmail.com> wrote:
> > >
> > > > > It sort of works. If I go to the actuator I get the http basic auth; if I
> > > > > on the same session go to my pages, I get an "ugly" access denied page and
> > > > > not the configured wicket login page. So it sort of works.
> > > > >
> > > > > If I just go to localhost:8080/ I get a default spring login page, not the
> > > > > wicket one. Upon successful login it forwards me to the wicket login page,
> > > > > where I can log in again and then get to the real application.
> > > >
> > > > Below my current code:
> > > >
> > > >
> > > > > package dk.netdesign.ccadmin.frontend.security;
> > > > >
> > > > > import org.springframework.context.annotation.Bean;
> > > > > import org.springframework.context.annotation.Configuration;
> > > > > import org.springframework.core.annotation.Order;
> > > > > import org.springframework.security.authentication.AuthenticationManager;
> > > > > import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > > > import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > > > import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > > > import org.springframework.security.config.http.SessionCreationPolicy;
> > > > > import org.springframework.security.core.Authentication;
> > > > > import org.springframework.security.core.context.SecurityContextHolder;
> > > > > import org.springframework.security.core.userdetails.User;
> > > > > import org.springframework.security.core.userdetails.UserDetailsService;
> > > > > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > > > import org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > > > import org.springframework.stereotype.Component;
> > > > >
> > > > > @Configuration
> > > > > public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {
> > > > >
> > > > >     @Configuration
> > > > >     @Order(1)
> > > > >     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > > > >
> > > > >         @Override
> > > > >         protected void configure(HttpSecurity http) throws Exception {
> > > > >             http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > > > >                     .and().csrf().disable()
> > > > >                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > > >                     .and().httpBasic();
> > > > >         }
> > > > >     }
> > > > >
> > > > >     @Configuration
> > > > >     @Order(2)
> > > > >     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > > > >         @Override
> > > > >         protected void configure(HttpSecurity http) throws Exception {
> > > > >             http.antMatcher("/page/**").authorizeRequests()
> > > > >                     .antMatchers("/page/login**").permitAll()
> > > > >                     .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
> > > > >                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > > > >                     .and().csrf().disable();
> > > > >         }
> > > > >     }
> > > > >
> > > > >     @Bean
> > > > >     public static BCryptPasswordEncoder passwordEncoder() {
> > > > >         return new BCryptPasswordEncoder();
> > > > >     }
> > > > >
> > > > >     @Bean(name = "authenticationManager")
> > > > >     @Override
> > > > >     public AuthenticationManager authenticationManagerBean() throws Exception {
> > > > >         return super.authenticationManagerBean();
> > > > >     }
> > > > >
> > > > >     public interface IAuthenticationFacade {
> > > > >         Authentication getAuthentication();
> > > > >     }
> > > > >
> > > > >     @Component
> > > > >     public class AuthenticationFacade implements IAuthenticationFacade {
> > > > >
> > > > >         @Override
> > > > >         public Authentication getAuthentication() {
> > > > >             return SecurityContextHolder.getContext().getAuthentication();
> > > > >         }
> > > > >     }
> > > > >
> > > > >     @Bean
> > > > >     public UserDetailsService userDetailsService() {
> > > > >         InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
> > > > >         manager.createUser(
> > > > >                 User.withUsername("admin")
> > > > >                         .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
> > > > >                         .build());
> > > > >
> > > > >         manager.createUser(
> > > > >                 User.withUsername("actuator")
> > > > >                         .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> > > > >                         .build());
> > > > >
> > > > >         return manager;
> > > > >     }
> > > > > }
> > > >
> > > >
> > > > On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
> > > > nino.martinez.w...@gmail.com> wrote:
> > > >
> > > > > Thanks will try it:)
> > > > >
> > > > > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <
> > zbynekvav...@gmail.com>
> > > > > wrote:
> > > > >
> > > > >> In my case it works something like this:
> > > > >>
> > > > >> @Configuration
> > > > >> @EnableWebSecurity
> > > > >> public class SecurityConfiguration {
> > > > >>
> > > > >>     @Configuration
> > > > >>     @Order(1)
> > > > > >>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > > > > >>
> > > > > >>         .. user details service, auth providers etc
> > > > > >>
> > > > > >>         @Override
> > > > > >>         protected void configure(HttpSecurity http) throws Exception {
> > > > > >>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> > > > > >>                     .and().csrf().disable()
> > > > > >>                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > > > >>                     .and().httpBasic();
> > > > > >>         }
> > > > > >>     }
> > > > > >>
> > > > > >>     @Configuration
> > > > > >>     @Order(2)
> > > > > >>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > > > > >>
> > > > > >>         .. user details service, auth providers etc
> > > > > >>
> > > > > >>         @Override
> > > > > >>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> > > > > >>             auth.authenticationProvider(wicketAuthenticationProvider);
> > > > > >>         }
> > > > > >>
> > > > > >>         @Override
> > > > > >>         protected void configure(HttpSecurity http) throws Exception {
> > > > > >>             http.antMatcher("/page/**").authorizeRequests()
> > > > > >>                     .antMatchers("/page/login**").permitAll()
> > > > > >>                     .antMatchers("/page/**").hasRole("ROLE")
> > > > > >>                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > > > > >>                     .and().csrf().disable();
> > > > > >>         }
> > > > > >>
> > > > > >>         @Override
> > > > > >>         @Bean(name = "authenticationManager")
> > > > > >>         public AuthenticationManager authenticationManagerBean() throws Exception {
> > > > > >>             return super.authenticationManagerBean();
> > > > > >>         }
> > > > >>     }
> > > > >> }
> > > > >>
> > > > > >> The RestSecurityConfig would be what you would do for actuators; for me
> > > > > >> that's the REST API.
> > > > > >> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
> > > > >>
> > > > >> Zbynek
> > > > >>
> > > > >> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
> > > > >> nino.martinez.w...@gmail.com> wrote:
> > > > >>
> > > > > >> > Do you have an example? Or is it just to cut them into two like:
> > > > > >> > WebSecurityConfigurerAdapter A:
> > > > > >> >
> > > > > >> > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > > >> >
> > > > >> > WebSecurityConfigurerAdapter B:
> > > > >> >  http
> > > > >> >                  .csrf().disable()
> > > > >> >                  .authorizeRequests().anyRequest().permitAll()
> > > > >> >                  .and()
> > > > >> >                  .logout()
> > > > >> >                  .permitAll();
> > > > >> >          http.headers().frameOptions().disable();
> > > > >> >
> > > > >> >
> > > > >> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <
> > > zbynekvav...@gmail.com
> > > > >
> > > > >> > wrote:
> > > > >> >
> > > > >> > > Hi,
> > > > >> > >
> > > > > >> > > I did a similar thing; the trick here is to use two
> > > > > >> > > WebSecurityConfigurerAdapters.
> > > > >> > >
> > > > >> > > Zbynek
> > > > >> > >
> > > > >> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > > > >> > > nino.martinez.w...@gmail.com> wrote:
> > > > >> > >
> > > > > >> > > > Hope it's okay to use the wicket user mailing list for this :)
> > > > > >> > > >
> > > > > >> > > > First of all thanks to MarcGiffing for making the project. But I cannot get
> > > > > >> > > > actuator endpoints to work with spring security and wicket spring boot.
> > > > > >> > > > I've tried a lot of things.
> > > > > >> > > >
> > > > > >> > > > In my WebSecurityConfigurerAdapter:
> > > > > >> > > >
> > > > > >> > > > http
> > > > > >> > > >                 .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > > > >> > > >
> > > > > >> > > > http
> > > > > >> > > >                 .csrf().disable()
> > > > > >> > > >                 .authorizeRequests().anyRequest().permitAll()
> > > > > >> > > >                 .and()
> > > > > >> > > >                 .logout()
> > > > > >> > > >                 .permitAll();
> > > > > >> > > >         http.headers().frameOptions().disable();
> > > > > >> > > >
> > > > > >> > > > But that just disables actuator and messes with the Wicket side of the
> > > > > >> > > > security. Anyone have some clues?
> > > > >> > > >
> > > > >> > > > --
> > > > >> > > > Best regards / Med venlig hilsen
> > > > >> > > > Nino Martinez
> > > > >> > > >
> > > > >> > >
> > > > >> >
> > > > >> >
> > > > >> > --
> > > > >> > Best regards / Med venlig hilsen
> > > > >> > Nino Martinez
> > > > >> >
> > > > >>
> > > > >
> > > > >
> > > > > --
> > > > > Best regards / Med venlig hilsen
> > > > > Nino Martinez
> > > > >
> > > >
> > > >
> > > > --
> > > > Best regards / Med venlig hilsen
> > > > Nino Martinez
> > > >
> > >
> >
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez
> >
>


-- 
Best regards / Med venlig hilsen
Nino Martinez
