I did it using BundleStringResourceLoader in the end.
Well that's the point of having two WebSecurityConfigurerAdapters.
One takes care about your actuator using HTTP Basic
http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR_ROLE").and().httpBasic();
and the one one takes care about Wicket
http.antMatcher("/wicket/**").authorizeRequests()
.antMatchers("/wicket/page/login**").permitAll()
.antMatchers("/wicket/page/**").hasRole("WICKET")
.and().formLogin().loginPage("/wicket/page/login").loginProcessingUrl("/fake-url")
.and().csrf().disable();
this will redirect to login page in case you are not logged in.
Regarding lack of privileges (roles) that's another story and you should
probably read
Spring Security docs on how to properly handle those since it's not really
related (i.e.
user is already logged in, you sure you want to re-login?).
Zbynek
On Fri, Jan 25, 2019 at 11:05 AM nino martinez wael <
[email protected]> wrote:
> Have you gone through this :
>
>
> https://ci.apache.org/projects/wicket/guide/8.x/single.html#_extending_the_default_lookup_algorithm
> (which seems you have, please show a little code)
>
> And could you tell med howto make Spring redirect to my wicket login page
> for all urls except /actuator (which is handled by basic auth)? Also every
> wicket page which requires authentication should redirect to /login page if
> you either lack permissions or arent logged in..
>
> -Nino
>
>
>
> On Fri, Jan 25, 2019 at 8:18 AM Zbynek Vavros <[email protected]>
> wrote:
>
> > Took me some time to understand as well so I'm glad share :)
> >
> > I'm in process of tuning this setup so just out of curiosity how did you
> > set up the Wicket properties file(s)? I don't like the idea to having
> > properties in src/main/java and looking for proper way to load them from
> > custom location like
> > src/main/resources/properties/MyWicketApplication.properties.
> >
> > In out previous project we used I18n.init() method but I'm thinking more
> > Wicket-y way,
> > maybe using BundleStringResourceLoader ? But so far no luck making that
> > work...
> >
> > Zbynek
> >
> > On Fri, Jan 25, 2019 at 6:34 AM nino martinez wael <
> > [email protected]> wrote:
> >
> > > Yes this is exactly how I've done it :) Thanks for taking time to
> help...
> > >
> > > @WicketSignInPage
> > > @MountPath("page/login")
> > > public class LoginPage extends BasePage {
> > >
> > > public LoginPage(PageParameters parameters) {
> > > super(parameters);
> > >
> > > if (((AbstractAuthenticatedWebSession) getSession()).isSignedIn()) {
> > > continueToOriginalDestination();
> > > }
> > > add(new LoginForm("loginForm"));
> > > }
> > >
> > > private class LoginForm extends StatelessForm<LoginForm> {
> > >
> > > private String username;
> > > private String password;
> > >
> > > public LoginForm(String id) {
> > > super(id);
> > > setModel(new CompoundPropertyModel<>(this));
> > > add(new FeedbackPanel("feedback"));
> > > add(new RequiredTextField<String>("username"));
> > > add(new PasswordTextField("password"));
> > > }
> > >
> > > @Override
> > > protected void onSubmit() {
> > > AuthenticatedWebSession session = AuthenticatedWebSession.get();
> > > if (session.signIn(username, password)) {
> > > setResponsePage(HomePage.class);
> > > } else {
> > > error("Login failed");
> > > }
> > > }
> > > }
> > > }
> > >
> > >
> > > On Thu, Jan 24, 2019 at 4:17 PM Zbynek Vavros <[email protected]>
> > > wrote:
> > >
> > > > Is seems you have mixed my code with your code somehow.
> > > > You must configure formLogin() and specify loginPage() pointing to
> your
> > > > Wicket login page (maybe using @MountPath?).
> > > > The .loginProcessingUrl() points to "/fake-url" because the
> > > authentication
> > > > itself is called from Wicket login page
> > > > via AuthenticatedWebSession.get().signIn(). Or do you use other
> > mechanism
> > > > in your Wicket login page?
> > > >
> > > > Zbynek
> > > >
> > > > On Thu, Jan 24, 2019 at 4:13 PM nino martinez wael <
> > > > [email protected]> wrote:
> > > >
> > > > > It sort of works, If I go to the actuator I get the http basic
> auth,
> > > if I
> > > > > on the same session goto my pages.. I get an "ugly" access denied
> > page
> > > > and
> > > > > not the configured wicket login page. So it sort of works..
> > > > >
> > > > > If I just goto localhost:8080/ I get an default spring login page
> not
> > > the
> > > > > wicket one.. Upon succesfull login it forwards me to the wicket
> login
> > > > page,
> > > > > where I can login again and then get to the real application..
> > > > >
> > > > > Below my current code:
> > > > >
> > > > >
> > > > > package dk.netdesign.ccadmin.frontend.security;
> > > > >
> > > > > import org.springframework.context.annotation.Bean;
> > > > > import org.springframework.context.annotation.Configuration;
> > > > > import org.springframework.core.annotation.Order;
> > > > > import
> > > org.springframework.security.authentication.AuthenticationManager;
> > > > > import
> > > > >
> > > > >
> > > >
> > >
> >
> org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
> > > > > import
> > > > >
> > >
> org.springframework.security.config.annotation.web.builders.HttpSecurity;
> > > > > import
> > > > >
> > > > >
> > > >
> > >
> >
> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
> > > > > import
> > org.springframework.security.config.http.SessionCreationPolicy;
> > > > > import org.springframework.security.core.Authentication;
> > > > > import
> > org.springframework.security.core.context.SecurityContextHolder;
> > > > > import org.springframework.security.core.userdetails.User;
> > > > > import
> > > org.springframework.security.core.userdetails.UserDetailsService;
> > > > > import
> > > org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
> > > > > import
> > > > >
> org.springframework.security.provisioning.InMemoryUserDetailsManager;
> > > > > import org.springframework.stereotype.Component;
> > > > >
> > > > > @Configuration
> > > > > public class WicketWebSecurityAdapterConfig extends
> > > > > WebSecurityConfigurerAdapter {
> > > > >
> > > > >
> > > > > @Configuration
> > > > > @Order(1)
> > > > > public static class RestSecurityConfig extends
> > > > > WebSecurityConfigurerAdapter {
> > > > >
> > > > > @Override
> > > > > protected void configure(HttpSecurity http) throws
> Exception
> > {
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> http.antMatcher("/actuator/**").authorizeRequests().anyRequest().hasRole("ACTUATOR")
> > > > > .and().csrf().disable()
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > > > .and().httpBasic();
> > > > > }
> > > > > }
> > > > >
> > > > > @Configuration
> > > > > @Order(2)
> > > > > public static class WicketSecurityConfig extends
> > > > > WebSecurityConfigurerAdapter {
> > > > > @Override
> > > > > protected void configure(HttpSecurity http) throws
> Exception
> > {
> > > > > http.antMatcher("/page/**").authorizeRequests()
> > > > > .antMatchers("/page/login**").permitAll()
> > > > >
> .antMatchers("/page/**").hasAnyAuthority("USER",
> > > > > "ADMIN")
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > > > >
> > > > > .and().csrf().disable();
> > > > > }
> > > > > }
> > > > >
> > > > > @Bean
> > > > > public static BCryptPasswordEncoder passwordEncoder() {
> > > > > return new BCryptPasswordEncoder();
> > > > > }
> > > > >
> > > > > @Bean(name = "authenticationManager")
> > > > > @Override
> > > > > public AuthenticationManager authenticationManagerBean() throws
> > > > > Exception {
> > > > >
> > > > > return super.authenticationManagerBean();
> > > > > }
> > > > > public interface IAuthenticationFacade {
> > > > > Authentication getAuthentication();
> > > > > }
> > > > > @Component
> > > > > public class AuthenticationFacade implements
> > IAuthenticationFacade
> > > {
> > > > >
> > > > > @Override
> > > > > public Authentication getAuthentication() {
> > > > > return
> > > > SecurityContextHolder.getContext().getAuthentication();
> > > > > }
> > > > > }
> > > > >
> > > > > @Bean
> > > > > public UserDetailsService userDetailsService() {
> > > > > InMemoryUserDetailsManager manager = new
> > > > > InMemoryUserDetailsManager();
> > > > > manager.createUser(
> > > > > User.withUsername("admin")
> > > > >
> > > > > .password(passwordEncoder().encode("admin")).authorities("USER",
> > > "ADMIN")
> > > > > .build());
> > > > >
> > > > > manager.createUser(
> > > > > User.withUsername("actuator")
> > > > >
> > > > > .password(passwordEncoder().encode("actuator")).roles("ACTUATOR")
> > > > > .build());
> > > > >
> > > > > return manager;
> > > > > }
> > > > > }
> > > > >
> > > > >
> > > > > On Thu, Jan 24, 2019 at 3:19 PM nino martinez wael <
> > > > > [email protected]> wrote:
> > > > >
> > > > > > Thanks will try it:)
> > > > > >
> > > > > > On Thu, Jan 24, 2019 at 3:14 PM Zbynek Vavros <
> > > [email protected]>
> > > > > > wrote:
> > > > > >
> > > > > >> In my case it works something like this:
> > > > > >>
> > > > > >> @Configuration
> > > > > >> @EnableWebSecurity
> > > > > >> public class SecurityConfiguration {
> > > > > >>
> > > > > >> @Configuration
> > > > > >> @Order(1)
> > > > > >> public static class RestSecurityConfig extends
> > > > > >> WebSecurityConfigurerAdapter {
> > > > > >>
> > > > > >> .. user details service, auth providers etc
> > > > > >>
> > > > > >> @Override
> > > > > >> protected void configure(HttpSecurity http) throws
> > > Exception {
> > > > > >>
> > > > > >>
> > > > > >>
> > > > >
> > > >
> > >
> >
> http.antMatcher("/api/**").authorizeRequests().anyRequest().authenticated()
> > > > > >> .and().csrf().disable()
> > > > > >>
> > > > > >>
> > > > > >>
> > > > >
> > > >
> > >
> >
> .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
> > > > > >> .and().httpBasic();
> > > > > >> }
> > > > > >> }
> > > > > >>
> > > > > >> @Configuration
> > > > > >> @Order(2)
> > > > > >> public static class WicketSecurityConfig extends
> > > > > >> WebSecurityConfigurerAdapter {
> > > > > >>
> > > > > >> .. user details service, auth providers etc
> > > > > >>
> > > > > >> @Override
> > > > > >> protected void configure(AuthenticationManagerBuilder
> > auth)
> > > > > throws
> > > > > >> Exception {
> > > > > >>
> > > auth.authenticationProvider(wicketAuthenticationProvider);
> > > > > >> }
> > > > > >>
> > > > > >> @Override
> > > > > >> protected void configure(HttpSecurity http) throws
> > > Exception {
> > > > > >> http.antMatcher("/page/**").authorizeRequests()
> > > > > >> .antMatchers("/page/login**").permitAll()
> > > > > >> .antMatchers("/page/**").hasRole("ROLE")
> > > > > >>
> > > > > >>
> > > > > >>
> > > > >
> > > >
> > >
> >
> .and().formLogin().loginPage("/page/login").loginProcessingUrl("/fake-url")
> > > > > >> .and().csrf().disable();
> > > > > >> }
> > > > > >>
> > > > > >> @Override
> > > > > >> @Bean(name = "authenticationManager")
> > > > > >> public AuthenticationManager authenticationManagerBean()
> > > > throws
> > > > > >> Exception {
> > > > > >> return super.authenticationManagerBean();
> > > > > >> }
> > > > > >> }
> > > > > >> }
> > > > > >>
> > > > > >> The RestSecurityConfigwould be what you would do for actuators,
> > for
> > > me
> > > > > >> thats the REST API.
> > > > > >> Not the order of "antMatcher", "authorizeRequests" and "
> > > antMatchers".
> > > > > >>
> > > > > >> Zbynek
> > > > > >>
> > > > > >> On Thu, Jan 24, 2019 at 3:09 PM nino martinez wael <
> > > > > >> [email protected]> wrote:
> > > > > >>
> > > > > >> > do you have an example? OR is it just to cut them into two
> like:
> > > > > >> > WebSecurityConfigurerAdapter A:
> > > > > >> >
> > > > > >> >
> > > > > >>
> > > > >
> > > >
> > >
> >
> http.authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > > > >> >
> > > > > >> > WebSecurityConfigurerAdapter B:
> > > > > >> > http
> > > > > >> > .csrf().disable()
> > > > > >> > .authorizeRequests().anyRequest().permitAll()
> > > > > >> > .and()
> > > > > >> > .logout()
> > > > > >> > .permitAll();
> > > > > >> > http.headers().frameOptions().disable();
> > > > > >> >
> > > > > >> >
> > > > > >> > On Thu, Jan 24, 2019 at 3:06 PM Zbynek Vavros <
> > > > [email protected]
> > > > > >
> > > > > >> > wrote:
> > > > > >> >
> > > > > >> > > Hi,
> > > > > >> > >
> > > > > >> > > I did similar thing, the trick here is to use two
> > > > > >> > > WebSecurityConfigurerAdaptes.
> > > > > >> > >
> > > > > >> > > Zbynek
> > > > > >> > >
> > > > > >> > > On Thu, Jan 24, 2019 at 2:55 PM nino martinez wael <
> > > > > >> > > [email protected]> wrote:
> > > > > >> > >
> > > > > >> > > > Hope its okay to use the wicket user mailing list for
> this:)
> > > > > >> > > >
> > > > > >> > > > First of all thanks to MarcGiffing for making the project.
> > > But I
> > > > > >> cannot
> > > > > >> > > get
> > > > > >> > > > actuator endpoints to work with spring security and wicket
> > > > spring
> > > > > >> > boot..
> > > > > >> > > > I've tried a lot of things..
> > > > > >> > > >
> > > > > >> > > > IN my WebSecurityConfigurerAdapter:
> > > > > >> > > >
> > > > > >> > > > http
> > > > > >> > > >
> > > > > >> > > >
> > > > > >> > > >
> > > > > >> > >
> > > > > >> >
> > > > > >>
> > > > >
> > > >
> > >
> >
> .authorizeRequests().antMatchers("/actuator/**","/actuator").hasRole("ACTUATOR").and().httpBasic();
> > > > > >> > > >
> > > > > >> > > > http
> > > > > >> > > > .csrf().disable()
> > > > > >> > > >
> > .authorizeRequests().anyRequest().permitAll()
> > > > > >> > > > .and()
> > > > > >> > > > .logout()
> > > > > >> > > > .permitAll();
> > > > > >> > > > http.headers().frameOptions().disable();
> > > > > >> > > >
> > > > > >> > > > But that just disables actuator and messes with the Wicket
> > > side
> > > > of
> > > > > >> the
> > > > > >> > > > security.. Any one have some clues=
> > > > > >> > > >
> > > > > >> > > > --
> > > > > >> > > > Best regards / Med venlig hilsen
> > > > > >> > > > Nino Martinez
> > > > > >> > > >
> > > > > >> > >
> > > > > >> >
> > > > > >> >
> > > > > >> > --
> > > > > >> > Best regards / Med venlig hilsen
> > > > > >> > Nino Martinez
> > > > > >> >
> > > > > >>
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Best regards / Med venlig hilsen
> > > > > > Nino Martinez
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Best regards / Med venlig hilsen
> > > > > Nino Martinez
> > > > >
> > > >
> > >
> > >
> > > --
> > > Best regards / Med venlig hilsen
> > > Nino Martinez
> > >
> >
>
>
> --
> Best regards / Med venlig hilsen
> Nino Martinez
>
