Hi Erik,

Thanks for your reply.

First I will arrange authentication with Acegi in my application
and then I will take a good look at the
MetaDataRoleAuthorizationStrategy.

Regards,
Rik

On 12-nov-2006, at 13:47, Erik van Oosten wrote:

> Hello Rik,
>> Questions;
>> Do you use a "normal" login form according to Acegi or do you use a
>> Wicket login form?
>>
> We use a signin page that is derived from the example in
> wicket-auth-roles-example. So it's a Wicket login form.
>> Where do you put your authorization settings?
>>
> The complete authorization picture in my current application is as follows:
> - We use our wicket-auth-roles port to java 1.4 (took about 15 minutes
> to make) with just one change so that we can do authorization based on
> the base class of a component (see
> https://issues.apache.org/jira/browse/WICKET-21).
>
> - MyApplication#init() contains the following code:
>    getSecuritySettings().setAuthorizationStrategy(
>        new MetaDataRoleAuthorizationStrategy(this));
>    MetaDataRoleAuthorizationStrategy.authorize(SecurePage.class,
>        "role_viewer role_administrator");
>    MetaDataRoleAuthorizationStrategy.authorize(AdminPage.class,
>        "role_administrator");
>    MetaDataRoleAuthorizationStrategy.authorize(SecurePopupPage.class,
>        "role_viewer role_administrator");
>   All pages that need a login extend either SecurePage or SecurePopupPage.
>
> - The base class for all pages constructs a menu with links to all pages
> in the application. If the linked page requires authorization, during
> construction of the menu
> MetaDataRoleAuthorizationStrategy.authorize(link, Component.RENDER,
> roles) is called, where link is a Link instance and roles is derived
> from the metadata of the linked class. (Though I did not yet write the
> automatic role derivation, it should be easy to do so.)
>
>>> If desired we
>>> could have easily read that information from an ACL file.
>>>
>> What do you have in mind as content for the ACL file. I understand
>> from the Acegi reference guide that you can set authorization on
>> domain objects. But what for example if the case is that a delete
>> button may only be visible for administrators?
>>
> As I said, we don't use ACL files, but it could be as simple as:
> com.example.app.SecurePage role_viewer role_administrator
> com.example.app.AdminPage role_administrator
>
> How to do this for buttons depends on the structure of your application.
> You'll have to devise a way to identify the button (or better, the
> function it will perform), and call a
> MetaDataRoleAuthorizationStrategy.authorize... before the button
> component is used.
>
>      Erik.
>
> -- 
> Erik van Oosten
> http://day-to-day-stuff.blogspot.com/
>
>
> _______________________________________________
> Wicket-user mailing list
> Wicket-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/wicket-user
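
A loader for the two-column ACL file format sketched in the quoted message, as an added example that is not code from either poster or from Wicket. It is written for a current JDK rather than Java 1.4; the class AclLoader, the '#' comment syntax and the stand-in page classes are assumptions. It rejects unknown class names, missing roles and duplicate entries, so a typo in the file stops startup instead of leaving a page without a rule.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;

public class AclLoader {
    /** Parses "<class name> <role> [<role> ...]" lines; throws on anything doubtful. */
    static Map<Class<?>, String> load(BufferedReader in) throws IOException {
        Map<Class<?>, String> acl = new LinkedHashMap<>();
        String line;
        for (int n = 1; (line = in.readLine()) != null; n++) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue; // '#' comments are an assumption
            String[] parts = line.split("\\s+", 2);
            if (parts.length < 2) {
                throw new IllegalArgumentException("line " + n + ": no roles listed");
            }
            Class<?> page;
            try {
                // initialize=false: resolve the name without running static initializers
                page = Class.forName(parts[0], false, AclLoader.class.getClassLoader());
            } catch (ClassNotFoundException e) {
                // A misspelled name would otherwise leave the real page with no rule at all.
                throw new IllegalArgumentException("line " + n + ": unknown class " + parts[0]);
            }
            if (acl.put(page, parts[1].replaceAll("\\s+", " ")) != null) {
                throw new IllegalArgumentException("line " + n + ": duplicate entry for " + parts[0]);
            }
        }
        return acl;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample in the format from the message (stand-in class names).
        String sample = "# page class, then roles\n"
                + "SecurePage role_viewer role_administrator\n"
                + "AdminPage  role_administrator\n";
        for (Map.Entry<Class<?>, String> e : load(new BufferedReader(new StringReader(sample))).entrySet()) {
            // In MyApplication#init() the call from the message would go here:
            // MetaDataRoleAuthorizationStrategy.authorize(e.getKey(), e.getValue());
            System.out.println(e.getKey().getName() + " -> " + e.getValue());
        }
    }
}

// Stand-ins for the application's page classes (assumption, default package).
class SecurePage {}
class AdminPage {}
```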

