org.wicketstuff.security.strategies

Class WaspAuthorizationStrategy

java.lang.Object

org.wicketstuff.security.strategies.WaspAuthorizationStrategy

All Implemented Interfaces:

Serializable, org.apache.wicket.authorization.IAuthorizationStrategy

Direct Known Subclasses:

ClassAuthorizationStrategy

public abstract class WaspAuthorizationStrategy
extends Object
implements org.apache.wicket.authorization.IAuthorizationStrategy, Serializable

Base class for every strategy. Checks Authorization and authentication at the class, component and model levels.

Author:

marrink

See Also:

Serialized Form

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.wicket.authorization.IAuthorizationStrategy

org.apache.wicket.authorization.IAuthorizationStrategy.AllowAllAuthorizationStrategy

Field Summary

Fields

Modifier and Type	Field and Description
protected static AuthorizationErrorKey	MESSAGE_KEY Key used to store the IAuthorizationMessageSource in the RequestCycle metadata.

Fields inherited from interface org.apache.wicket.authorization.IAuthorizationStrategy

ALLOW_ALL

Constructor Summary

Constructors

Constructor and Description
WaspAuthorizationStrategy()

Method Summary

Methods

Modifier and Type	Method and Description
protected IAuthorizationMessageSource	createMessageSource() Creates a new IAuthorizationMessageSource.
abstract void	destroy() Called at the end of the sessions lifecycle to perform some clean up.
static WaspAuthorizationStrategy	get() Returns the WaspAuthorizationStrategy.
protected WaspActionFactory	getActionFactory() Shortcut to the actionfactory.
protected IAuthorizationMessageSource	getMessageSource() Retrieves the messagesource from the RequestCycle's metadata.
protected IAuthorizationMessageSource	getMessageSource(boolean create) Retrieves the messagesource from the RequestCycle's metadata.
protected ISecurityCheck	getSecurityCheck(org.apache.wicket.Component component) We cannot assume everybody uses the here specified public methods to store the securitycheck, so we check if the component is a ISecureComponent and if so use the getSecurityCheck on the secure component else we fall back to the SecureComponentHelper.
boolean	isActionAuthorized(org.apache.wicket.Component component, org.apache.wicket.authorization.Action action)
abstract boolean	isClassAuthenticated(Class<?> clazz) Performs the authentication check.
abstract boolean	isClassAuthorized(Class<?> clazz, WaspAction action) Performs the actual authorization check on the component class.
abstract boolean	isComponentAuthenticated(org.apache.wicket.Component component) Performs the authentication check.
abstract boolean	isComponentAuthorized(org.apache.wicket.Component component, WaspAction action) Performs the actual authorization check on the component.
abstract boolean	isModelAuthenticated(org.apache.wicket.model.IModel<?> model, org.apache.wicket.Component component) Performs the authentication check.
abstract boolean	isModelAuthorized(ISecureModel<?> model, org.apache.wicket.Component component, WaspAction action) Performs the actual authorization check on the model of the component.
abstract boolean	isUserAuthenticated() Checks if there is a user logged in at all.
abstract void	login(Object context) Attempts to log the user in.
protected void	logMessage(IAuthorizationMessageSource message) Logs a message indication an action was denied.
protected void	logMessage(String key, Map<String,Object> variables, IAuthorizationMessageSource message) Logs a message indication an action was denied.
protected void	logMessage(String key, Map<String,Object> variables, IAuthorizationMessageSource message, boolean remove) Logs a message indication an action was denied.
protected boolean	logMessages() Indicates if messages about denied actions should be logged.
abstract boolean	logoff(Object context) Log the user off.
protected void	removeMessageSource() Removes the message from the RequestCycle's metadata.
static void	setStrategyResolver(StrategyResolver threadResolver) Sets the StrategyResolver for the current thread

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.wicket.authorization.IAuthorizationStrategy

isInstantiationAuthorized, isResourceAuthorized

Field Detail

MESSAGE_KEY

protected static final AuthorizationErrorKey MESSAGE_KEY

Key used to store the IAuthorizationMessageSource in the RequestCycle metadata.

Constructor Detail

WaspAuthorizationStrategy

public WaspAuthorizationStrategy()

Method Detail

isComponentAuthorized

public abstract boolean isComponentAuthorized(org.apache.wicket.Component component,
                            WaspAction action)

Performs the actual authorization check on the component.

Parameters:

component -

action -

Returns:

true if authorized, false otherwise

isModelAuthorized

public abstract boolean isModelAuthorized(ISecureModel<?> model,
                        org.apache.wicket.Component component,
                        WaspAction action)

Performs the actual authorization check on the model of the component.

Parameters:

model - the model

component - component 'owning' the model if available

action - the action to check

Returns:

true if authorized, false otherwise

isClassAuthorized

public abstract boolean isClassAuthorized(Class<?> clazz,
                        WaspAction action)

Performs the actual authorization check on the component class.

Parameters:

clazz - typically a component

action - the action to check

Returns:

true if authorized, false otherwise

isComponentAuthenticated

public abstract boolean isComponentAuthenticated(org.apache.wicket.Component component)

Performs the authentication check.

Parameters:

component - the wicket component

Returns:

true if the user is authenticated, false otherwise

isModelAuthenticated

public abstract boolean isModelAuthenticated(org.apache.wicket.model.IModel<?> model,
                           org.apache.wicket.Component component)

Performs the authentication check.

Parameters:

model - the (secure) model

component - the component owning the model

Returns:

true if the user is authenticated, false otherwise

isClassAuthenticated

public abstract boolean isClassAuthenticated(Class<?> clazz)

Performs the authentication check.

Parameters:

clazz - the class of the wicket component

Returns:

true if the user is authenticated, false otherwise

isUserAuthenticated

public abstract boolean isUserAuthenticated()

Checks if there is a user logged in at all. This will return true after a successful login(Object) and false after a successful logoff(Object). Note that in a multi-login scenario this method returns true until all successful logins are countered with a successful logoff.

Returns:

true while a user is logged in, false otherwise

login

public abstract void login(Object context)
                    throws LoginException

Attempts to log the user in. Note to implementations: It is generally considered a bad idea to store the context if it contains sensitive data (like a plaintext password).

Parameters:

context - a not further specified object that provides all the information to log the user on

Throws:

LoginException - if the login is unsuccessful

logoff

public abstract boolean logoff(Object context)

Log the user off. With the help of a context implementations might facilitate multi level login / logoff.

Parameters:

context - a not further specified object, might be null

Returns:

true if the logoff was successful, false otherwise

destroy

public abstract void destroy()

Called at the end of the sessions lifecycle to perform some clean up.

isActionAuthorized

public boolean isActionAuthorized(org.apache.wicket.Component component,
                         org.apache.wicket.authorization.Action action)

Specified by:

isActionAuthorized in interface org.apache.wicket.authorization.IAuthorizationStrategy

See Also:

IAuthorizationStrategy.isActionAuthorized(org.apache.wicket.Component, org.apache.wicket.authorization.Action)

logMessage

protected final void logMessage(IAuthorizationMessageSource message)

Logs a message indication an action was denied. The message is retrieved through localization with the following resource key:"authorization.denied" (no quotes). This method removes the messagesource from the requestcycle.

Parameters:

message - messagesource

See Also:

logMessage(String, Map, IAuthorizationMessageSource, boolean)

logMessage

protected final void logMessage(String key,
              Map<String,Object> variables,
              IAuthorizationMessageSource message,
              boolean remove)

Logs a message indication an action was denied. The message is retrieved through localization with the specified resource key. Optionally the message can be removed from the requestcycle, if it is not removed the message might be processed multiple times (which might be what you want if you want to use different resource keys). This invokes logMessage(String, Map, IAuthorizationMessageSource)

Parameters:

key - the resource key to lookup the message

variables - optional map containing additional variables that can be used during the message lookup

message - messagesource

remove - flag indicating if the message should be removed or not

See Also:

removeMessageSource(), logMessage(String, Map, IAuthorizationMessageSource)

logMessage

protected void logMessage(String key,
              Map<String,Object> variables,
              IAuthorizationMessageSource message)

Logs a message indication an action was denied. The message is retrieved through localization with the specified resource key. This default implementation simply does something like log.debug(...) Overwrite this method if you want for example wicket to print feedback messages with something like Session.get().error(...)

Parameters:

key - the resource key for the message

variables - optional map containing additional variables that can be used during message construction

message - the messagesource

removeMessageSource

protected final void removeMessageSource()

Removes the message from the RequestCycle's metadata.

getMessageSource

protected final IAuthorizationMessageSource getMessageSource()

Retrieves the messagesource from the RequestCycle's metadata.

Returns:

the messagesource or null if there is none

getMessageSource

protected final IAuthorizationMessageSource getMessageSource(boolean create)

Retrieves the messagesource from the RequestCycle's metadata. optionally creating a new one if there is not already one.

Parameters:

create -

Returns:

the messagesource or null if there is none and the create flag was false

createMessageSource

protected IAuthorizationMessageSource createMessageSource()

Creates a new IAuthorizationMessageSource. Subclasses can override this to return there own implementation.

Returns:

a new IErrorMessageSource, never null

logMessages

protected boolean logMessages()

Indicates if messages about denied actions should be logged. Default is to use the slf4 log implementation checking if debug messages should be printed. for example using log4j as the logging implementation for slf4j logging could be turned on by putting the following line in your log4.properties
log4j.category.org.wicketstuff.security.strategies.WaspAuthorizationStrategy=DEBUG

Returns:

true if messages should be logged, false otherwise

getSecurityCheck

protected final ISecurityCheck getSecurityCheck(org.apache.wicket.Component component)

We cannot assume everybody uses the here specified public methods to store the securitycheck, so we check if the component is a ISecureComponent and if so use the getSecurityCheck on the secure component else we fall back to the SecureComponentHelper.

Parameters:

component -

Returns:

the security check of the component or null if the component does not have one

See Also:

SecureComponentHelper.getSecurityCheck(Component)

getActionFactory

protected final WaspActionFactory getActionFactory()

Shortcut to the actionfactory.

Returns:

the actionfactory from the application

get

public static WaspAuthorizationStrategy get()

Returns the WaspAuthorizationStrategy. This defaults to WaspSession.getAuthorizationStrategy(), but a different implementation can be registered via a StrategyResolver.

Returns:

setStrategyResolver

public static void setStrategyResolver(StrategyResolver threadResolver)

Sets the StrategyResolver for the current thread

Parameters:

threadResolver -