Have you gone through this: https://ci.apache.org/projects/wicket/guide/8.x/single.html#_extending_the_default_lookup_algorithm (which it seems you have, please show a little code)

And could you tell me how to make Spring redirect to my Wicket login page for all URLs except /actuator (which is handled by basic auth)? Also every Wicket page which requires authentication should redirect to the /login page if you either lack permissions or aren't logged in.

-Nino

On Fri, Jan 25, 2019 at 8:18 AM Zbynek Vavros <zbynekvav...@gmail.com> wrote:

> Took me some time to understand as well so I'm glad to share :)
>
> I'm in the process of tuning this setup so just out of curiosity how did you
> set up the Wicket properties file(s)? I don't like the idea of having
> properties in src/main/java and am looking for a proper way to load them from
> a custom location like
> src/main/resources/properties/MyWicketApplication.properties.
>
> In our previous project we used the I18n.init() method but I'm thinking of a more
> Wicket-y way,
> maybe using BundleStringResourceLoader? But so far no luck making that
> work...
>
> Zbynek
>
> On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
>
> > Yes this is exactly how I've done it :) Thanks for taking time to help...
> >
> > @WicketSignInPage
> > @MountPath("page/login")
> > public class LoginPage extends BasePage {
> >
> >     public LoginPage(PageParameters parameters) {
> >         super(parameters);
> >
> >         if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> >             continueToOriginalDestination();
> >         }
> >         add(new LoginForm("loginForm"));
> >     }
> >
> >     private class LoginForm extends StatelessForm<LoginForm> {
> >
> >         private String username;
> >         private String password;
> >
> >         public LoginForm(String id) {
> >             super(id);
> >             setModel(new CompoundPropertyModel<>(this));
> >             add(new FeedbackPanel("feedback"));
> >             add(new RequiredTextField<String>("username"));
> >             add(new PasswordTextField("password"));
> >         }
> >
> >         @Override
> >         protected void onSubmit() {
> >             AuthenticatedWebSession session = AuthenticatedWebSession.get();
> >             if (session.signIn(username, password)) {
> >                 setResponsePage(HomePage.class);
> >             } else {
> >                 error("Login failed");
> >             }
> >         }
> >     }
> > }
> >
> > On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros <zbynekvav...@gmail.com> wrote:
> >
> > > It seems you have mixed my code with your code somehow.
> > > You must configure formLogin() and specify loginPage() pointing to your
> > > Wicket login page (maybe using @MountPath?).
> > > The .loginProcessingUrl() points to "/fake-url" because the authentication
> > > itself is called from the Wicket login page
> > > via AuthenticatedWebSession.get().signIn(). Or do you use another mechanism
> > > in your Wicket login page?
> > >
> > > Zbynek
> > >
> > > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
> > >
> > > > It sort of works. If I go to the actuator I get the HTTP basic auth; if I
> > > > on the same session go to my pages.. I get an "ugly" access denied page and
> > > > not the configured Wicket login page. So it sort of works..
> > > >
> > > > If I just go to localhost:8080/ I get a default Spring login page, not the
> > > > Wicket one.. Upon successful login it forwards me to the Wicket login page,
> > > > where I can log in again and then get to the real application..
> > > >
> > > > Below my current code:
> > > >
> > > > package dk.netdesign.ccadmin.frontend.security;
> > > >
> > > > import org.springframework.context.annotation.Bean;
> > > > import org.springframework.context.annotation.Configuration;
> > > > import org.springframework.core.annotation.Order;
> > > > import org.springframework.security.authentication.AuthenticationManager;
> > > > import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > > import org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > > import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > > import org.springframework.security.config.http.SessionCreationPolicy;
> > > > import org.springframework.security.core.Authentication;
> > > > import org.springframework.security.core.context.SecurityContextHolder;
> > > > import org.springframework.security.core.userdetails.User;
> > > > import org.springframework.security.core.userdetails.UserDetailsService;
> > > > import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > > import org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > > import org.springframework.stereotype.Component;
> > > >
> > > > @Configuration
> > > > public class WicketWebSecurityAdapterConfig extends WebSecurityConfigurerAdapter {
> > > >
> > > >     @Configuration
> > > >     @Order(1)
> > > >     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > > >
> > > >         @Override
> > > >         protected void configure(HttpSecurity http) throws Exception {
> > > >             http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > > >                     .and().csrf().disable()
> > > >                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > >                     .and().httpBasic();
> > > >         }
> > > >     }
> > > >
> > > >     @Configuration
> > > >     @Order(2)
> > > >     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > > >         @Override
> > > >         protected void configure(HttpSecurity http) throws Exception {
> > > >             http.antMatcher("/page/**").authorizeRequests()
> > > >                     .antMatchers("/page/login**").permitAll()
> > > >                     .antMatchers("/page/**").hasAnyAuthority("USER", "ADMIN")
> > > >                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > > >                     .and().csrf().disable();
> > > >         }
> > > >     }
> > > >
> > > >     @Bean
> > > >     public static BCryptPasswordEncoder passwordEncoder() {
> > > >         return new BCryptPasswordEncoder();
> > > >     }
> > > >
> > > >     @Bean(name = "authenticationManager")
> > > >     @Override
> > > >     public AuthenticationManager authenticationManagerBean() throws Exception {
> > > >         return super.authenticationManagerBean();
> > > >     }
> > > >
> > > >     public interface IAuthenticationFacade {
> > > >         Authentication getAuthentication();
> > > >     }
> > > >
> > > >     @Component
> > > >     public class AuthenticationFacade implements IAuthenticationFacade {
> > > >
> > > >         @Override
> > > >         public Authentication getAuthentication() {
> > > >             return SecurityContextHolder.getContext().getAuthentication();
> > > >         }
> > > >     }
> > > >
> > > >     @Bean
> > > >     public UserDetailsService userDetailsService() {
> > > >         InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
> > > >         manager.createUser(
> > > >                 User.withUsername("admin")
> > > >                         .password(passwordEncoder().encode("admin")).authorities("USER", "ADMIN")
> > > >                         .build());
> > > >
> > > >         manager.createUser(
> > > >                 User.withUsername("actuator")
> > > >                         .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> > > >                         .build());
> > > >
> > > >         return manager;
> > > >     }
> > > > }
> > > >
> > > > On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
> > > >
> > > > > Thanks will try it:)
> > > > >
> > > > > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <zbynekvav...@gmail.com> wrote:
> > > > >
> > > > >> In my case it works something like this:
> > > > >>
> > > > >> @Configuration
> > > > >> @EnableWebSecurity
> > > > >> public class SecurityConfiguration {
> > > > >>
> > > > >>     @Configuration
> > > > >>     @Order(1)
> > > > >>     public static class RestSecurityConfig extends WebSecurityConfigurerAdapter {
> > > > >>
> > > > >>         // .. user details service, auth providers etc
> > > > >>
> > > > >>         @Override
> > > > >>         protected void configure(HttpSecurity http) throws Exception {
> > > > >>             http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> > > > >>                     .and().csrf().disable()
> > > > >>                     .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > > >>                     .and().httpBasic();
> > > > >>         }
> > > > >>     }
> > > > >>
> > > > >>     @Configuration
> > > > >>     @Order(2)
> > > > >>     public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
> > > > >>
> > > > >>         // .. user details service, auth providers etc
> > > > >>
> > > > >>         @Override
> > > > >>         protected void configure(AuthenticationManagerBuilder auth) throws Exception {
> > > > >>             auth.authenticationProvider(wicketAuthenticationProvider);
> > > > >>         }
> > > > >>
> > > > >>         @Override
> > > > >>         protected void configure(HttpSecurity http) throws Exception {
> > > > >>             http.antMatcher("/page/**").authorizeRequests()
> > > > >>                     .antMatchers("/page/login**").permitAll()
> > > > >>                     .antMatchers("/page/**").hasRole("ROLE")
> > > > >>                     .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > > > >>                     .and().csrf().disable();
> > > > >>         }
> > > > >>
> > > > >>         @Override
> > > > >>         @Bean(name = "authenticationManager")
> > > > >>         public AuthenticationManager authenticationManagerBean() throws Exception {
> > > > >>             return super.authenticationManagerBean();
> > > > >>         }
> > > > >>     }
> > > > >> }
> > > > >>
> > > > >> The RestSecurityConfig would be what you would do for actuators, for me
> > > > >> that's the REST API.
> > > > >> Note the order of "antMatcher", "authorizeRequests" and "antMatchers".
> > > > >>
> > > > >> Zbynek
> > > > >>
> > > > >> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
> > > > >>
> > > > >> > Do you have an example? Or is it just to cut them into two like:
> > > > >> > WebSecurityConfigurerAdapter A:
> > > > >> >
> > > > >> > http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > > >> >
> > > > >> > WebSecurityConfigurerAdapter B:
> > > > >> > http
> > > > >> >         .csrf().disable()
> > > > >> >         .authorizeRequests().anyRequest().permitAll()
> > > > >> >         .and()
> > > > >> >         .logout()
> > > > >> >         .permitAll();
> > > > >> > http.headers().frameOptions().disable();
> > > > >> >
> > > > >> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <zbynekvav...@gmail.com> wrote:
> > > > >> >
> > > > >> > > Hi,
> > > > >> > >
> > > > >> > > I did a similar thing, the trick here is to use two
> > > > >> > > WebSecurityConfigurerAdapters.
> > > > >> > >
> > > > >> > > Zbynek
> > > > >> > >
> > > > >> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <nino.martinez.w...@gmail.com> wrote:
> > > > >> > >
> > > > >> > > > Hope it's okay to use the Wicket user mailing list for this:)
> > > > >> > > >
> > > > >> > > > First of all thanks to MarcGiffing for making the project. But I cannot get
> > > > >> > > > actuator endpoints to work with Spring Security and Wicket Spring Boot..
> > > > >> > > > I've tried a lot of things..
> > > > >> > > >
> > > > >> > > > In my WebSecurityConfigurerAdapter:
> > > > >> > > >
> > > > >> > > > http
> > > > >> > > >         .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > > >> > > >
> > > > >> > > > http
> > > > >> > > >         .csrf().disable()
> > > > >> > > >         .authorizeRequests().anyRequest().permitAll()
> > > > >> > > >         .and()
> > > > >> > > >         .logout()
> > > > >> > > >         .permitAll();
> > > > >> > > > http.headers().frameOptions().disable();
> > > > >> > > >
> > > > >> > > > But that just disables actuator and messes with the Wicket side of the
> > > > >> > > > security.. Anyone have some clues?
> > > > >> > > >
> > > > >> > > > --
> > > > >> > > > Best regards / Med venlig hilsen
> > > > >> > > > Nino Martinez
> > > > >> >
> > > > >> > --
> > > > >> > Best regards / Med venlig hilsen
> > > > >> > Nino Martinez
> > > > >
> > > > > --
> > > > > Best regards / Med venlig hilsen
> > > > > Nino Martinez
> > > >
> > > > --
> > > > Best regards / Med venlig hilsen
> > > > Nino Martinez
> >
> > --
> > Best regards / Med venlig hilsen
> > Nino Martinez

--
Best regards / Med venlig hilsen
Nino Martinez
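
Added example (not part of the thread, and not the posters' or the project's own code): one way to lay out the two filter chains discussed above so that /actuator/** stays on HTTP Basic while every other URL, including "/", is redirected to the Wicket login page. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter and the /page/login mount from the thread; the class names and the access-denied redirect are illustrative, and the user store and authenticationManager bean from the quoted configuration are left out.

```java
// Added example; assumes Spring Security 5.x and the /page/login mount used in the thread.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Plain holder (hypothetical name). It does not extend WebSecurityConfigurerAdapter:
// an adapter without its own configure(HttpSecurity) registers Spring's default chain,
// which serves the generated Spring login page.
@Configuration
@EnableWebSecurity
public class TwoChainSecurityConfiguration {

    @Configuration
    @Order(1) // consulted first; claims only /actuator/**
    public static class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/actuator/**")
                .authorizeRequests().anyRequest().hasRole("ACTUATOR")
                .and().httpBasic()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().csrf().disable(); // stateless Basic auth, no session cookie to ride on
        }
    }

    @Configuration
    @Order(2) // no antMatcher(): this chain takes every other URL, including "/"
    public static class WicketSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/page/login**").permitAll()
                    .anyRequest().hasAnyAuthority("USER", "ADMIN")
                .and().formLogin()
                    .loginPage("/page/login")        // not signed in: redirect to the Wicket page
                    .loginProcessingUrl("/fake-url") // unused; the Wicket page calls signIn() itself
                .and().exceptionHandling()
                    // signed in but lacking the authority: redirect instead of the 403 page
                    .accessDeniedHandler((request, response, e) ->
                            response.sendRedirect(request.getContextPath() + "/page/login"))
                .and().csrf().disable(); // Wicket forms carry no Spring CSRF token
        }
    }
}
```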