Hello Rik,
> Questions;
> Do you use a "normal" login form according to Acegi or do you use a  
> Wicket login form?
>   
We use a signin page that is derived from the example in 
wicket-auth-roles-example. So it's a Wicket login form.
> Where do you put your authorization settings?
>   
The complete authorization picture in my current application is as follows:
- We use our wicket-auth-roles port to java 1.4 (took about 15 minutes 
to make) with just one change so that we can do authorization based on 
the base class of a component (see 
https://issues.apache.org/jira/browse/WICKET-21).

- MyApplication#init() contains the following code:
   getSecuritySettings().setAuthorizationStrategy(
       new MetaDataRoleAuthorizationStrategy(this));
   MetaDataRoleAuthorizationStrategy.authorize(SecurePage.class,
       "role_viewer role_administrator");
   MetaDataRoleAuthorizationStrategy.authorize(AdminPage.class,
       "role_administrator");
   MetaDataRoleAuthorizationStrategy.authorize(SecurePopupPage.class,
       "role_viewer role_administrator");
   All pages that need a login extend either SecurePage or SecurePopupPage.

- The base class for all pages constructs a menu with links to all pages 
in the application. If the linked page requires authorization, during 
construction of the menu 
MetaDataRoleAuthorizationStrategy.authorize(link, Component.RENDER, 
roles) is called, where link is a Link instance and roles is derived 
from the metadata of the linked class. (Though I did not yet write the 
automatic role derivation, it should be easy to do so.)

>> If desired we
>> could have easily read that information from an ACL file.
>>     
> What do you have in mind as content for the ACL file. I understand  
> from the Acegi reference guide that you can set authorization on  
> domain objects. But what for example if the case is that a delete  
> button may only be visible for administrators?
>   
As I said, we don't use ACL files, but it could be as simple as:
com.example.app.SecurePage role_viewer role_administrator
com.example.app.AdminPage role_administrator

How to do this for buttons depends on the structure of your application. 
You'll have to devise a way to identify the button (or better, the 
function it will perform), and call a 
MetaDataRoleAuthorizationStrategy.authorize... before the button 
component is used.

     Erik.

-- 
Erik van Oosten
http://day-to-day-stuff.blogspot.com/
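The setup Erik describes, as an added example that is not code from the mail or from Wicket itself: one role registry feeds both the page-level authorize() calls and the menu links (the "automatic role derivation" he mentions), and the delete-button case from Rik's question is handled by an authorize() call on the component before it is added. It assumes Wicket 6+ package names, that SecurePage and AdminPage extend BasePage, and that SignInPage and MySession exist.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.wicket.Component;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.metadata.MetaDataRoleAuthorizationStrategy;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.link.BookmarkablePageLink;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.markup.repeater.RepeatingView;
public class MyApplication extends AuthenticatedWebApplication {
    // One registry of page roles, so the menu can derive each link's roles from it.
    public static final Map<Class<? extends WebPage>, String> PAGE_ROLES = new LinkedHashMap<>();
    static {
        PAGE_ROLES.put(SecurePage.class, "role_viewer role_administrator");
        PAGE_ROLES.put(AdminPage.class, "role_administrator");
    }
    @Override protected void init() {
        super.init();
        getSecuritySettings().setAuthorizationStrategy(new MetaDataRoleAuthorizationStrategy(this));
        for (Map.Entry<Class<? extends WebPage>, String> e : PAGE_ROLES.entrySet()) {
            MetaDataRoleAuthorizationStrategy.authorize(e.getKey(), e.getValue());
        }
    }
    @Override public Class<? extends WebPage> getHomePage() { return SecurePage.class; }
    @Override protected Class<? extends AuthenticatedWebSession> getWebSessionClass() { return MySession.class; }
    @Override protected Class<? extends WebPage> getSignInPageClass() { return SignInPage.class; }
}
// Menu markup: <a wicket:id="menu"></a>. Each link gets the roles of the page it points to (assumed design).
abstract class BasePage extends WebPage {
    BasePage() {
        RepeatingView menu = new RepeatingView("menu");
        add(menu);
        for (Map.Entry<Class<? extends WebPage>, String> e : MyApplication.PAGE_ROLES.entrySet()) {
            Link<Void> link = new BookmarkablePageLink<Void>(menu.newChildId(), e.getKey());
            MetaDataRoleAuthorizationStrategy.authorize(link, Component.RENDER, e.getValue());
            menu.add(link);
        }
    }
}
// Rik's delete-button case: register the RENDER rule before the component is added to the page.
class ItemPage extends SecurePage {
    ItemPage() {
        Link<Void> delete = new Link<Void>("delete") {
            @Override public void onClick() { /* perform the delete */ }
        };
        MetaDataRoleAuthorizationStrategy.authorize(delete, Component.RENDER, "role_administrator");
        add(delete);
    }
}
```

Because the strategy checks the page class itself, a viewer who guesses the URL of AdminPage is still refused; hiding the link only keeps the menu honest.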


_______________________________________________
Wicket-user mailing list
Wicket-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wicket-user
