CODEWITHSUNDEEP
wicket
Shahriar
Shahriar

Reputation: 824

authorization on wicket component using wicket auth-role

I am using wicket 1.4.9 and implemented spring + wicket auth-role and using @AuthorizeInstantiation based on roles on pages. I have multiple custom roles.

I have followed this link to implement the basics: https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html

After that I have implemented my own UserDetailsService to have my own roles/users from database.

Now, How can I impose controls on roles with components eg, Links,Buttons ? like link A can be accessed only by SUPER_USER, DR_MANAGER. (roles comes from database).

I have done like this and it seems to work, but is that the good way to do this? OrbitWebSession is of type AuthenticatedWebSession.

        @Override
        public boolean isVisible() {
            if(OrbitWebSession.get().getRoles().hasRole("SUPER_USER")){
                return true;
            }
            return false;
        }

thanks.

Upvotes: 4

Views: 5767

Answers (3)

Martin Peters
Martin Peters

Reputation: 406

Overriding isVisible all the time is a major pain. Take a look at MetaDataRoleAuthorizationStrategy instead. You call authorize(Component component, Action action, String roles) with Action RENDER, and the roles you want to allow. This way the component, whatever it is, is automatically hidden for other roles provided that the authorization strategy is registered in your webapplication. Basically it does the same thing as Holms answer, except you don't have to subclass anything.

Upvotes: 7

Holm
Holm

Reputation: 982

Using the @AuthorizeAction annotation you can control wether the component is rendered or not based on roles. It's quite easy to use, but you have to subclass the component that you want to authorize.

@AuthorizeAction(action = Action.RENDER, roles = { "SUPER_USER", "DR_MANAGER" })
class UserAdminPageLink extends BookmarkablePageLink<String> {
   //Implementation…
}
add(new UserAdminPageLink("UserAdminPageLink", UserAdminPage.class));

Check out Wicket Examples - Authorization for some working code.

Upvotes: 3

Marcelo
Marcelo

Reputation: 11308

You are in the right track, the only change I would do is:

@Override
public boolean isVisible() {
    return super.isVisible() && OrbitWebSession.get().getRoles().hasRole("SUPER_USER");
}

That way you don't accidentally override its default visible behavior for example if the parent component is not visible.

Upvotes: 3

Related Questions