Wicket-Security


Overview

Wicket-Security is an attempt to create an out-of-the-box, reusable authentication and authorization framework for Wicket. It contains several projects which can be used stand-alone or in conjunction with each other.

Version 1.3.0 has just been released and works with Wicket 1.3.x. We are currently working on version 1.3.1, which will contain several enhancements. Unfortunately that means 1.3.0 and 1.3.1 are not binary compatible; we did, however, try our best to make the migration as easy as possible. See the migration guide.

Wicket-Security builds upon the security mechanisms available in Wicket and expands its authentication and authorization mechanisms. In order to maximize flexibility and customization, a new API, called WASP, was built on top of Wicket.





WASP

Wicket Abstract Security Platform, or Wasp for short, builds on the IAuthorizationStrategy provided by Wicket and allows individual components or models to do their own authentication and/or authorization checks.

Like Wicket, it uses actions to grant permissions; however, where Wicket uses string-based actions (render and enable), we use full-blown Java objects. We also decided to add the following 2 actions:

An ActionFactory makes it possible to define your own custom actions.

Actions 

Wicket is only aware of the render and enable actions. They control whether a component is visible (render) and whether it is read-only or clickable (enable). Swarm adds the access action for component instantiation and the inherit action for permission inheritance.
Actions can imply other actions. By default, all actions imply the access action, and the enable action implies the render action. This means that if you specify that a permission has the "enable" action, what you really get is "access, render, enable". This also means that if you specify a permission without any explicit actions, you will automatically get the "access" action.
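The implication rules above, worked through as an added example (not code from Wasp or Swarm). The Action enum and the expand and permits methods are hypothetical names used only for illustration; the comma-separated action string is an assumed input format.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Set;

// Added illustration; these types are hypothetical and are not Wasp or Swarm classes.
public class ActionImplicationDemo {

    enum Action { ACCESS, INHERIT, RENDER, ENABLE }

    /** Expands the actions named on a permission into everything they imply. */
    static Set<Action> expand(String declared) {
        // Every permission carries ACCESS, even when no action is named.
        EnumSet<Action> granted = EnumSet.of(Action.ACCESS);
        for (String name : declared.split(",")) {
            String trimmed = name.trim();
            if (trimmed.isEmpty()) {
                continue;
            }
            // An unknown action name throws, so a typo never widens a grant.
            Action action = Action.valueOf(trimmed.toUpperCase(Locale.ROOT));
            granted.add(action);
            if (action == Action.ENABLE) {
                granted.add(Action.RENDER); // enable implies render
            }
        }
        return granted;
    }

    /** A request is allowed only if every action it needs was granted. */
    static boolean permits(String declared, Action... required) {
        return expand(declared).containsAll(Arrays.asList(required));
    }

    public static void main(String[] args) {
        // Constructed sample permissions.
        System.out.println("enable  -> " + expand("enable"));
        System.out.println("(none)  -> " + expand(""));
        System.out.println("render  -> " + expand("render"));
        // Implication runs one way: render does not grant enable.
        System.out.println("render permits ENABLE? " + permits("render", Action.ENABLE));
        System.out.println("enable permits RENDER? " + permits("enable", Action.RENDER));
    }
}
```

Implication only ever adds the weaker actions, so a permission declared with "render" leaves a component visible but read-only.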

Authentication

Authentication in Wasp is handled by the WaspAuthorizationStrategy, which provides you with a general login / logoff method. By using an unspecified "context" object you can use not only username/password authentication but pretty much everything you can think of. You can even use multi-login, as is often used in online banking.

Authorization

As briefly mentioned above, Wasp allows your individual components to handle their own authentication and authorization requirements.

To enable security on a component there are 3 paths to choose from:

As you might have guessed from the section above, Wasp uses ISecurityChecks to dictate how to handle a component. Only one check may be placed on a component, but by chaining or wrapping them in other checks you can go as complex as you like. For ease of use and reusability, most ISecurityChecks will not know anything about how to actually authorize or authenticate, but the IAuthorizationStrategy does, so most should just redirect to it (possibly doing some stuff of their own). The picture below tries to clarify this a bit.


  (fig 1 default flow in wasp)

It may seem strange at first that the ISecureModel is only queried if an ISecurityCheck is absent, but once you realize that the ISecurityCheck itself could query the model, it becomes clear that this offers greater flexibility by allowing you the choice of an And or Or check.

Note that if the component implements the ISecureComponent interface that will be used instead of the ISecurityCheck. 
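The resolution order and the And / Or choice described above, as an added example that is not Wasp code. Check, SecuredModel, Component and the combinator methods are hypothetical stand-ins with simplified signatures, and treating a component that has neither a check nor a secured model as unsecured is an assumption.

```java
public class CheckFlowDemo {

    // Hypothetical stand-ins; Wasp's ISecurityCheck and ISecureModel have their own signatures.
    interface Check { boolean isAuthorized(String action); }
    interface SecuredModel { boolean isAuthorized(String action); }

    /** A component carries at most one check and, optionally, a secured model. */
    record Component(Check check, SecuredModel model) { }

    /** Resolution order from the text: the model is asked only when no check is set. */
    static boolean authorize(Component c, String action) {
        if (c.check() != null) {
            return c.check().isAuthorized(action);
        }
        if (c.model() != null) {
            return c.model().isAuthorized(action);
        }
        return true; // assumption: a component with neither is not secured
    }

    // Wrapping keeps the "one check per component" rule while combining decisions.
    static Check and(Check a, Check b) {
        return action -> a.isAuthorized(action) && b.isAuthorized(action);
    }

    static Check or(Check a, Check b) {
        return action -> a.isAuthorized(action) || b.isAuthorized(action);
    }

    static Check fromModel(SecuredModel m) {
        return m::isAuthorized;
    }

    public static void main(String[] args) {
        Check adminOnly = action -> false;                    // constructed: caller is not an admin
        SecuredModel ownRecord = action -> action.equals("render"); // constructed: owner may view only

        // Check present: the decision is the check's alone, the model is not consulted.
        System.out.println(authorize(new Component(adminOnly, ownRecord), "render"));
        // No check: the model decides.
        System.out.println(authorize(new Component(null, ownRecord), "render"));
        // Or: the single check wraps the model, so either source may allow.
        Check either = or(adminOnly, fromModel(ownRecord));
        System.out.println(authorize(new Component(either, ownRecord), "render"));
        // And: both the check and the model must allow.
        Check both = and(adminOnly, fromModel(ownRecord));
        System.out.println(authorize(new Component(both, ownRecord), "render"));
    }
}
```

Because a check that is present silences the model, a model-level restriction only takes effect on such a component when the check explicitly wraps it.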

Besides an API to implement yourself, Wicket-Security also contains a default implementation, called SWARM, so you can get started right away, or at least have a reference to build your own.

More information 

Documentation for version 1.3.0
Documentation for version 1.3.1
Read how to get started here (Swarm guide)
Acegi integration here
Examples are available here
FAQ is located here
A SlideShow is located here

Latest release / build

Latest stable release is 1.3.0.

Work is underway for 1.3.1 (only available as 1.3-SNAPSHOT from the maven repository) 

The latest releases are available at SourceForge
The latest builds are available at http://wicketstuff.org/maven/repository/org/apache/wicket/wicket-security/

Maven 2

Wasp and Swarm can be downloaded from the wicket-stuff Maven repository by including the following fragments in your project pom.

<repository>
   <id>wicket-snaps</id>
   <url>http://wicketstuff.org/maven/repository</url>
   <snapshots>
      <enabled>true</enabled>
   </snapshots>
   <releases>
      <enabled>true</enabled>
   </releases>
</repository>


<dependency>
   <groupId>org.apache.wicket.wicket-security</groupId>
   <artifactId>swarm</artifactId>
   <version>1.3.0</version>
   <scope>compile</scope>
</dependency>




A separate dependency on Wasp is not necessary, since Maven will automatically fetch it with Swarm. However, if you are only interested in Wasp you can use the following fragment.

<dependency>
   <groupId>org.apache.wicket.wicket-security</groupId>
   <artifactId>wasp</artifactId>
   <version>1.3.0</version>
   <scope>compile</scope>
</dependency>




Project maintainers

Maurice Marrink

SVN Repository

The SVN repository of the project (1.3-SNAPSHOT) is available at
https://wicket-stuff.svn.sourceforge.net/svnroot/wicket-stuff/trunk/wicket-security

The source code for 1.3.0 is available at
https://wicket-stuff.svn.sourceforge.net/svnroot/wicket-stuff/branches/wicket-security-1.3.0-final/wasp/wicket-security-wasp 
https://wicket-stuff.svn.sourceforge.net/svnroot/wicket-stuff/branches/wicket-security-1.3.0-final/swarm/wicket-security-swarm
https://wicket-stuff.svn.sourceforge.net/svnroot/wicket-stuff/branches/wicket-security-1.3.0-final/examples/wicket-security-examples

Bug reports 

Bugs can be filed or monitored at the wicket stuff jira:
Wasp 
Swarm 

