Dear Martin
Thanks for your hints. I finally implemented the logic and load roles from
relational database.
At first, I created a abstract class according to
MetaDataRoleAuthorizationStrategy.
public abstract class AbstractExternalDataStoreRoleAuthorizationStrategy
extends AbstractRoleAuthorizationStrategy {
/**
* Construct.
*
* @param roleCheckingStrategy the authorizer delegate
*/
public
AbstractExternalDataStoreRoleAuthorizationStrategy(IRoleCheckingStrategy
roleCheckingStrategy) {
super(roleCheckingStrategy);
}
/**
* @see
org.apache.wicket.authorization.IAuthorizationStrategy#isInstantiationAuthorized(java.lang.Class)
*/
@Override
public final <T extends IRequestableComponent> boolean
isInstantiationAuthorized(
final Class<T> componentClass) {
if (componentClass == null) {
throw new IllegalArgumentException("argument componentClass cannot
be null");
}
// as long as the interface does not use generics, we should check this
if (!Component.class.isAssignableFrom(componentClass)) {
throw new IllegalArgumentException("argument componentClass must be
of type " +
Component.class.getName());
}
final Roles roles = rolesAuthorizedToInstantiate(componentClass);
if (roles != null) {
return hasAny(roles);
}
return true;
}
/**
* Uses component level meta data to match roles for component action
execution.
*
* @see
org.apache.wicket.authorization.IAuthorizationStrategy#isActionAuthorized(org.apache.wicket.Component,
* org.apache.wicket.authorization.Action)
*/
@Override
public boolean isActionAuthorized(final Component component, final Action
action) {
if (component == null) {
throw new IllegalArgumentException("argument component has to be
not null");
}
if (action == null) {
throw new IllegalArgumentException("argument action has to be not
null");
}
final Roles roles = rolesAuthorizedToPerformAction(component, action);
if (roles != null) {
return hasAny(roles);
}
return true;
}
/**
* Gets the roles for creation of the given component class from data
store, or null if none were registered.
*
* @param <T>
* @param componentClass the component class
* @return the roles that are authorized for creation of the
componentClass, or null if no
* specific authorization was configured
*/
abstract protected <T extends IRequestableComponent> Roles
rolesAuthorizedToInstantiate(final Class<T> componentClass);
/**
* Gets the roles for the given action/component combination from data
store.
*
* @param component the component
* @param action the action
* @return the roles for the action as defined with the given component
*/
abstract protected Roles rolesAuthorizedToPerformAction(final Component
component,
final Action
action);
}
Second, implement the concrete class.
public class RDBRoleAuthorizationStrategy extends
AbstractExternalDataStoreRoleAuthorizationStrategy {
/**
* 從資料庫中讀取Role對應的元件類別名稱
*/
@EJB(name = "MySqlCrudServiceImpl")
private IRDBCrudService<Rolepermission> rolepermissionIRDBCrudService;
public RDBRoleAuthorizationStrategy(IRoleCheckingStrategy
roleCheckingStrategy) {
super(roleCheckingStrategy);
Injector.get().inject(this);
}
@Override
protected <T extends IRequestableComponent> Roles
rolesAuthorizedToInstantiate(Class<T> aClass) {
logger.info("Component Name : {}", aClass.getSimpleName());
List<String> roleslist = new ArrayList<>();
rolepermissionIRDBCrudService.findWithNamedQuery(
NamedQueryNames.CHCSSO_FIND_ROLE_BY_COMPONENTCLASSNAME,
QueryParameterBuilder.start("component",
aClass.getSimpleName()).build())
.forEach(
roleslist.add(rp.getRid().getName());
});
if (roleslist.isEmpty()) {
return null;
} else {
return new Roles(roleslist);
}
}
@Override
protected Roles rolesAuthorizedToPerformAction(Component component, Action
action) {
return null;
}
}
Third, combine AnnotationsRoleAuthorizationStrategy and
RDBRoleAuthorizationStrategy with CompuundAuthorizationStrategy and load in
Wicket Application
getSecuritySettings().setAuthorizationStrategy(new
SLSRolesAuthorizationStrategy(this));
Shengche
From: Martin Grigorov <mgrigo...@apache.org>
Date: Tuesday, November 19, 2024 at 3:26 PM
To: users@wicket.apache.org <users@wicket.apache.org>
Subject: Re: Wicket authorization strategy
Hi,
wicket-auth-roles
uses
org.apache.wicket.authroles.authorization.strategies.role.annotations.AnnotationsRoleAuthorizationStrategy
by default, but you can roll your own implementation that is more dynamic
and loads the information from DB or another source.
On Sat, Nov 16, 2024 at 5:21 AM Shengche Hsiao <shengchehs...@gmail.com>
wrote:
> Thanks, we used to adopt implementation as you mentioned.
>
> As my new project, it has a page to let administrators dynamically create
> a new Role and pickup necessary page permissions. But wicket’s built in
> AnnotationsRoleAuthorizationStrategy supports static role annotations, for
> example:
>
> @AuthorizeInstantiation("SIGNED_IN")
> @AuthorizeAction(action = "ENABLE", roles = {"ADMIN”}) <- this ADMIN is
> built-in or predefined in project
> public class MyPage extends WebPage {
> //Page class code...
> }
>
> My question is when I load custom Roles which created by administrators
> from database, how to authorization users to restrict their access.
>
> Thanks
>
> Shengche
>
> From: Jeff Schneller <jeffrey.schnel...@envisa.com>
> Date: Friday, November 15, 2024 at 11:21 PM
> To: users@wicket.apache.org <users@wicket.apache.org>
> Subject: RE: Wicket authorization strategy
>
> We store our roles for the logged in user in our db. When a user logs in
> we store the logged in user with their roles in the session.
>
> Then using UserRolesAuthorizer we check to make sure the user has the
> correct roles. Also there we check to make sure the user doesn't have any
> flags on their account that would override their roles (something like a
> past due balance for example).
> Not sure if that is what you were asking or not.
>
>
>
> -----Original Message-----
> From: Shengche Hsiao <shengchehs...@gmail.com>
> Sent: Friday, November 15, 2024 6:11 AM
> To: Wicket User Mailinglist <users@wicket.apache.org>
> Subject: Wicket authorization strategy
>
> Dear All
>
> Wicket auth-role library allow us to define the static roles, and allow
> logined users to access restricted pages or components. But, I need to
> implement the dynamic authorization to constrain page/component
> permissions, and role-permission relationships are persistent in database.
> By now, I can dynamically add constraints on db.
> But how do I apply the constrains on page or components?
>
>
>
> Shengche
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
