This is mostly a technology demonstration implementing authorization and authentication for the Apache Wicket web framework. The project supplies roles based authorization and some simple authentication components.
Wicket Auth/Roles is a simplistic but useful security extension to the Wicket framework. It is intended to be simplistic and not to be confused with a framework. If you find this library useful, great. If you need more than is supplied by this library, either look at alternative security integrations or copy these classes and modify them at will (this project is open source after all.)
Like most if not all security solutions for Wicket, this project provides an
implementation for Wicket’s
IAuthorizationStrategy. When an authorization
strategy is installed in the security settings
WebApplication#getSecuritySettings), Wicket will check for each component
(including pages) if instantiation is allowed and if rendering is allowed.
For more documentation use the following links:
Note that for the instantiation check Wicket will invoke the constructor hierarchy of your component, but will throw an exception if the authorization check fails.
As a basis, you should extend your web application class from
AuthenticatedWebApplication. When you create your class you’ll be asked to
override the following methods:
newSession- return a subclass of
getSignInPageClass- return the class for your login page (this one should not require authentication, otherwise you’ll create an infinite loop)
Next you’ll need to provide your custom session class-making it a subclass of
AuthenticatedWebSession. This class requires you to override the following
authenticate- called when the user needs to be authenticated using a username and password
getRoles- called after the users was authenticated and should provide the roles associated with the authenticated user.
You can use the provided
SignInPage, which has been translated to a couple
of languages (see the source code for the actual translations), or roll your
own. When you roll your own, you can opt to use the provided
(which has been translated as well) so you don’t have to create your own login
Annotation for configuring what roles are allowed for instantiation the annotated component or package. This annotation can be used for classes and packages, and can be used like this:
// only users with role ADMIN are allowed to create instances of this page, whether it is // either bookmarkable or not @AuthorizeInstantiation("ADMIN") public class AdminAnnotationsBookmarkablePage extends WebPage
When someone who doesn’t have the role ADMIN, Wicket will not allow the page to be fully constructed and throw an authorization exception during the construction of the page. This will result in an access denied page for the user.
Enablng the annotations for role based authorization is done by setting the
WebApplication#getSecuritySettings value to
AnnotationsRoleAuthorizationStrategy. Then you can use the auth/roles
provided authorization annotations.
More elaborate security solutions exist in the following projects:
- Wicket Shiro - integration between Apache Shiro and Wicket
- Wicket Security
- JAAS inspired, principal based security framework
If other security solutions are available for Wicket, let us know.
Click on the source links to see the related source code.
Installing Wicket Auth/Roles can be done through adding a dependency in your project’s Maven pom, or by putting the wicket-auth-roles.jar and the required dependencies in your projects classpath.
Add the following dependency to your pom:
<dependency> <groupId>org.apache.wicket</groupId> <artifactId>wicket-auth-roles</artifactId> <version>6.18.0</version> </dependency>
Wicket Auth/Roles requires the following jar files to be on your classpath:
- Wicket Auth/Roles