org.wicketstuff.security.strategies

Class ClassAuthorizationStrategy

java.lang.Object

org.wicketstuff.security.strategies.WaspAuthorizationStrategy

org.wicketstuff.security.strategies.ClassAuthorizationStrategy

All Implemented Interfaces:

Serializable, org.apache.wicket.authorization.IAuthorizationStrategy

Direct Known Subclasses:

AbstractSwarmStrategy

public abstract class ClassAuthorizationStrategy
extends WaspAuthorizationStrategy

Authorization strategy to enforce security at the construction of components rather then at render time. Note that it always requires a valid login, failing this condition will cause a redirect to the login page as defined in the application rather then returning false which will cause wicket to go to the accessdenied page. This class operates by checking if the supplied class or any of its superclasses have static final fields of type ISecurityCheck. It then calls each of them with an Access action, if any one of them fails the class is not allowed to instantiate. Note that this strategy only checks (sub)classes of ISecureComponent.

Author:

marrink

See Also:

Serialized Form

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.wicket.authorization.IAuthorizationStrategy

org.apache.wicket.authorization.IAuthorizationStrategy.AllowAllAuthorizationStrategy

Field Summary

Fields inherited from class org.wicketstuff.security.strategies.WaspAuthorizationStrategy

MESSAGE_KEY

Fields inherited from interface org.apache.wicket.authorization.IAuthorizationStrategy

ALLOW_ALL

Constructor Summary

Constructors

Constructor and Description
ClassAuthorizationStrategy() Creates a strategy that checks all implementations of ISecurePage .
ClassAuthorizationStrategy(Class<? extends ISecureComponent> secureClass) Creates a strategy that checks all implementations of the supplied class.

Method Summary

Methods

Modifier and Type	Method and Description
void	destroy() Does some cleaning up.
protected List<ISecurityCheck>	getClassChecks(Class<?> clazz, List<ISecurityCheck> list) Appends all the ISecurityChecks of a class and its superclasses to the list.
protected ISecurityCheck[]	getClassChecks(Class<? extends org.apache.wicket.request.component.IRequestableComponent> clazz) Returns the static ISecurityChecks of a class.
protected String	getExceptionMessage(Field field) Produces a generic exception message including information about the field that caused the exception.
<T extends org.apache.wicket.request.component.IRequestableComponent> boolean	isInstantiationAuthorized(Class<T> c) Checks if a class is allowed to be constructed.

Methods inherited from class org.wicketstuff.security.strategies.WaspAuthorizationStrategy

createMessageSource, get, getActionFactory, getMessageSource, getMessageSource, getSecurityCheck, isActionAuthorized, isClassAuthenticated, isClassAuthorized, isComponentAuthenticated, isComponentAuthorized, isModelAuthenticated, isModelAuthorized, isUserAuthenticated, login, logMessage, logMessage, logMessage, logMessages, logoff, removeMessageSource, setStrategyResolver

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.wicket.authorization.IAuthorizationStrategy

isResourceAuthorized

Constructor Detail

ClassAuthorizationStrategy

public ClassAuthorizationStrategy()

Creates a strategy that checks all implementations of ISecurePage . All other classes are granted instantiation rights.

ClassAuthorizationStrategy

public ClassAuthorizationStrategy(Class<? extends ISecureComponent> secureClass)

Creates a strategy that checks all implementations of the supplied class. All other classes are granted instantiation rights.

Parameters:

secureClass - an ISecureComponent (sub)class.

Method Detail

isInstantiationAuthorized

public <T extends org.apache.wicket.request.component.IRequestableComponent> boolean isInstantiationAuthorized(Class<T> c)

Checks if a class is allowed to be constructed. Only classes assignable to the specified Class are checked. Note that all the found ISecurityChecks must return true for the authorization to succeed. If the class does not have any static ISecurityChecks a ClassSecurityCheck is used to simulate a static securitycheck This way you only need to assign static checks if you want something special.

See Also:

IAuthorizationStrategy.isInstantiationAuthorized(java.lang.Class)

getClassChecks

protected final ISecurityCheck[] getClassChecks(Class<? extends org.apache.wicket.request.component.IRequestableComponent> clazz)

Returns the static ISecurityChecks of a class. Note that found checks are cached therefore all checks should be final.

Parameters:

clazz -

Returns:

an array containing all the ISecurityCheck of this class and all its super classes, or an array of length 0 if none is found.

getClassChecks

protected List<ISecurityCheck> getClassChecks(Class<?> clazz,
                                  List<ISecurityCheck> list)

Appends all the ISecurityChecks of a class and its superclasses to the list.

Parameters:

clazz -

list -

Returns:

the list

getExceptionMessage

protected String getExceptionMessage(Field field)

Produces a generic exception message including information about the field that caused the exception.

Parameters:

field -

Returns:

generic exception message

destroy

public void destroy()

Does some cleaning up. If you override this method you must call super.destroy();.

Specified by:

destroy in class WaspAuthorizationStrategy

See Also:

WaspAuthorizationStrategy.destroy()