OK, thanks
From: Martin Grigorov <mgrigo...@apache.org>
Date: Tuesday, November 19, 2024 at 10:49 PM
To: users@wicket.apache.org <users@wicket.apache.org>
Subject: Re: Wicket authorization strategy
Well done!
If this has performance implications then you may add some caching in front!
On Tue, Nov 19, 2024 at 4:27 PM Shengche Hsiao <shengchehs...@gmail.com>
wrote:
> Dear Martin
>
> Thanks for your hints. I finally implemented the logic and load roles from
> relational database.
>
> At first, I created a abstract class according to
> MetaDataRoleAuthorizationStrategy.
>
> public abstract class AbstractExternalDataStoreRoleAuthorizationStrategy
> extends AbstractRoleAuthorizationStrategy {
>
> /**
> * Construct.
> *
> * @param roleCheckingStrategy the authorizer delegate
> */
> public
> AbstractExternalDataStoreRoleAuthorizationStrategy(IRoleCheckingStrategy
> roleCheckingStrategy) {
> super(roleCheckingStrategy);
> }
>
> /**
> * @see
> org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
> */
> @Override
> public final <T extends IRequestableComponent> boolean
> isInstantiationAuthorized(
> final Class<T> componentClass) {
> if (componentClass == null) {
> throw new IllegalArgumentException("argument componentClass
> cannot be null");
> }
>
> // as long as the interface does not use generics, we should check
> this
> if (!Component.class.isAssignableFrom(componentClass)) {
> throw new IllegalArgumentException("argument componentClass
> must be of type " +
> Component.class.getName());
> }
>
> final Roles roles = rolesAuthorizedToInstantiate(componentClass);
>
> if (roles != null) {
> return hasAny(roles);
> }
> return true;
> }
>
> /**
> * Uses component level meta data to match roles for component action
> execution.
> *
> * @see
> org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
> * org.apache.wicket.authorization.Action)
> */
> @Override
> public boolean isActionAuthorized(final Component component, final
> Action action) {
> if (component == null) {
> throw new IllegalArgumentException("argument component has to
> be not null");
> }
> if (action == null) {
> throw new IllegalArgumentException("argument action has to be
> not null");
> }
>
> final Roles roles = rolesAuthorizedToPerformAction(component,
> action);
> if (roles != null) {
> return hasAny(roles);
> }
> return true;
> }
>
>
> /**
> * Gets the roles for creation of the given component class from data
> store, or null if none were registered.
> *
> * @param <T>
> * @param componentClass the component class
> * @return the roles that are authorized for creation of the
> componentClass, or null if no
> * specific authorization was configured
> */
> abstract protected <T extends IRequestableComponent> Roles
> rolesAuthorizedToInstantiate(final Class<T> componentClass);
>
>
> /**
> * Gets the roles for the given action/component combination from data
> store.
> *
> * @param component the component
> * @param action the action
> * @return the roles for the action as defined with the given component
> */
> abstract protected Roles rolesAuthorizedToPerformAction(final
> Component component,
> final Action
> action);
>
> }
>
> Second, implement the concrete class.
>
> public class RDBRoleAuthorizationStrategy extends
> AbstractExternalDataStoreRoleAuthorizationStrategy {
>
> /**
> * 從資料庫中讀取Role對應的元件類別名稱
> */
> @EJB(name = "MySqlCrudServiceImpl")
> private IRDBCrudService<Rolepermission> rolepermissionIRDBCrudService;
>
> public RDBRoleAuthorizationStrategy(IRoleCheckingStrategy
> roleCheckingStrategy) {
> super(roleCheckingStrategy);
> Injector.get().inject(this);
> }
>
> @Override
> protected <T extends IRequestableComponent> Roles
> rolesAuthorizedToInstantiate(Class<T> aClass) {
> logger.info("Component Name : {}", aClass.getSimpleName());
> List<String> roleslist = new ArrayList<>();
> rolepermissionIRDBCrudService.findWithNamedQuery(
>
> NamedQueryNames.CHCSSO_FIND_ROLE_BY_COMPONENTCLASSNAME,
> QueryParameterBuilder.start("component",
> aClass.getSimpleName()).build())
> .forEach(
> roleslist.add(rp.getRid().getName());
> });
>
> if (roleslist.isEmpty()) {
> return null;
> } else {
> return new Roles(roleslist);
> }
> }
>
> @Override
> protected Roles rolesAuthorizedToPerformAction(Component component,
> Action action) {
> return null;
> }
> }
>
> Third, combine AnnotationsRoleAuthorizationStrategy and
> RDBRoleAuthorizationStrategy with CompuundAuthorizationStrategy and load in
> Wicket Application
>
> getSecuritySettings().setAuthorizationStrategy(new
> SLSRolesAuthorizationStrategy(this));
>
>
> Shengche
>
> From: Martin Grigorov <mgrigo...@apache.org>
> Date: Tuesday, November 19, 2024 at 3:26 PM
> To: users@wicket.apache.org <users@wicket.apache.org>
> Subject: Re: Wicket authorization strategy
>
> Hi,
>
> wicket-auth-roles
> uses
> org.apache.wicket.authroles.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy
> by default, but you can roll your own implementation that is more dynamic
> and loads the information from DB or another source.
>
> On Sat, Nov 16, 2024 at 5:21 AM Shengche Hsiao <shengchehs...@gmail.com>
> wrote:
>
> > Thanks, we used to adopt implementation as you mentioned.
> >
> > As my new project, it has a page to let administrators dynamically create
> > a new Role and pickup necessary page permissions. But wicket’s built in
> > AnnotationsRoleAuthorizationStrategy supports static role annotations,
> for
> > example:
> >
> > @AuthorizeInstantiation("SIGNED_IN")
> > @AuthorizeAction(action = "ENABLE", roles = {"ADMIN”}) <- this ADMIN is
> > built-in or predefined in project
> > public class MyPage extends WebPage {
> > //Page class code...
> > }
> >
> > My question is when I load custom Roles which created by administrators
> > from database, how to authorization users to restrict their access.
> >
> > Thanks
> >
> > Shengche
> >
> > From: Jeff Schneller <jeffrey.schnel...@envisa.com>
> > Date: Friday, November 15, 2024 at 11:21 PM
> > To: users@wicket.apache.org <users@wicket.apache.org>
> > Subject: RE: Wicket authorization strategy
> >
> > We store our roles for the logged in user in our db. When a user logs in
> > we store the logged in user with their roles in the session.
> >
> > Then using UserRolesAuthorizer we check to make sure the user has the
> > correct roles. Also there we check to make sure the user doesn't have
> any
> > flags on their account that would override their roles (something like a
> > past due balance for example).
> > Not sure if that is what you were asking or not.
> >
> >
> >
> > -----Original Message-----
> > From: Shengche Hsiao <shengchehs...@gmail.com>
> > Sent: Friday, November 15, 2024 6:11 AM
> > To: Wicket User Mailinglist <users@wicket.apache.org>
> > Subject: Wicket authorization strategy
> >
> > Dear All
> >
> > Wicket auth-role library allow us to define the static roles, and allow
> > logined users to access restricted pages or components. But, I need to
> > implement the dynamic authorization to constrain page/component
> > permissions, and role-permission relationships are persistent in
> database.
> > By now, I can dynamically add constraints on db.
> > But how do I apply the constrains on page or components?
> >
> >
> >
> > Shengche
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > For additional commands, e-mail: users-h...@wicket.apache.org
> >
> >
>
