Hello Rik,

> Questions;
> Do you use a "normal" login form according to Acegi or do you use a
> Wicket login form?

We use a signin page that is derived from the example in wicket-auth-roles-example. So it's a Wicket login form.

> Where do you put your authorization settings?

The complete authorization picture in my current application is as follows:

- We use our wicket-auth-roles port to Java 1.4 (took about 15 minutes to make) with just one change so that we can do authorization based on the base class of a component (see https://issues.apache.org/jira/browse/WICKET-21).

- MyApplication#init() contains the following code:

      getSecuritySettings().setAuthorizationStrategy(new MetaDataRoleAuthorizationStrategy(this));
      MetaDataRoleAuthorizationStrategy.authorize(SecurePage.class, "role_viewer role_administrator");
      MetaDataRoleAuthorizationStrategy.authorize(AdminPage.class, "role_administrator");
      MetaDataRoleAuthorizationStrategy.authorize(SecurePopupPage.class, "role_viewer role_administrator");

  All pages that need a login extend either SecurePage or SecurePopupPage.

- The base class for all pages constructs a menu with links to all pages in the application. If the linked page requires authorization, during construction of the menu MetaDataRoleAuthorizationStrategy.authorize(link, Component.RENDER, roles) is called, where link is a Link instance and roles is derived from the metadata of the linked class. (Though I did not yet write the automatic role derivation, it should be easy to do so.)

>> If desired we
>> could have easily read that information from an ACL file.
>>
> What do you have in mind as content for the ACL file. I understand
> from the Acegi reference guide that you can set authorization on
> domain objects. But what for example if the case is that a delete
> button may only be visible for administrators?

As I said, we don't use ACL files, but it could be as simple as:

    com.example.app.SecurePage role_viewer role_administrator
    com.example.app.AdminPage role_administrator

How to do this for buttons depends on the structure of your application. You'll have to devise a way to identify the button (or better, the function it will perform), and call a MetaDataRoleAuthorizationStrategy.authorize... before the button component is used.

Erik.

--
Erik van Oosten
http://day-to-day-stuff.blogspot.com/
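A loader for the two-column ACL file sketched in the message above, as an added example that is not part of the original post or of Wicket. It assumes modern Java rather than the poster's Java 1.4 port; the `AclLoader` class, the `Binder` hook and the `#` comment syntax are hypothetical, and JDK class names stand in for the page classes in the constructed sample.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;

public class AclLoader {
    /** Hypothetical hook; in the application it would forward to
     *  MetaDataRoleAuthorizationStrategy.authorize(pageClass, roles). */
    interface Binder { void authorize(Class<?> pageClass, String roles); }

    /** Parses "<class name> <role> [<role> ...]" lines and rejects the whole
     *  file on any bad line, so a typo cannot leave a page unprotected. */
    static Map<Class<?>, String> parse(BufferedReader in) throws IOException {
        Map<Class<?>, String> acl = new LinkedHashMap<>();
        String line;
        for (int n = 1; (line = in.readLine()) != null; n++) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue; // blank or comment (assumed syntax)
            String[] parts = line.split("\\s+", 2);
            if (parts.length < 2)
                throw new IllegalStateException("line " + n + ": no roles for " + parts[0]);
            Class<?> pageClass;
            try {
                pageClass = Class.forName(parts[0]);
            } catch (ClassNotFoundException e) {
                throw new IllegalStateException("line " + n + ": unknown class " + parts[0]);
            }
            if (acl.put(pageClass, parts[1]) != null)
                throw new IllegalStateException("line " + n + ": duplicate entry for " + parts[0]);
        }
        return acl;
    }

    /** Registers every parsed entry; called only after the whole file validated. */
    static void apply(Map<Class<?>, String> acl, Binder binder) {
        for (Map.Entry<Class<?>, String> e : acl.entrySet())
            binder.authorize(e.getKey(), e.getValue());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample; JDK classes stand in for SecurePage and AdminPage
        // so the example runs without the application on the classpath.
        String sample = "# class  roles\n"
            + "java.util.ArrayList role_viewer role_administrator\n"
            + "java.util.HashMap role_administrator\n";
        apply(parse(new BufferedReader(new StringReader(sample))),
              (c, roles) -> System.out.println(c.getName() + " -> " + roles));
    }
}
```

Parsing the whole file before calling `apply` means a misspelled class name stops startup instead of silently leaving that page without a role requirement.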