Wicket security presentation
DESCRIPTION
Presentation given at the Amsterdam Wicket meetup 2007 about the new Wicket security framework (Wasp and Swarm).
TRANSCRIPT
![Page 1: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/1.jpg)
Wicket Security
Wasp & Swarm
![Page 2: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/2.jpg)
Introduction
• Maurice Marrink
• Topicus
  • Core
  • Healthcare
  • Education
  • Finance
• Using Wicket since 2004
![Page 3: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/3.jpg)
Agenda
• History
• Wasp
• Swarm
• Examples
  • Simple setup
  • Custom actions
  • Secure models
• Questions?
![Page 4: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/4.jpg)
History
![Page 5: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/5.jpg)
• Pre Wicket: JAAS
• 2004: Wicket proof of concept, authentication only
• 2005: custom Wicket build for authorization
• 2006: Wicket gains IAuthorizationStrategy
• 2006: Wicket-Jaas, an internal project
• 2007: Wasp and Swarm
![Page 6: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/6.jpg)
WASP
![Page 7: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/7.jpg)
• Wicket Abstract Security Platform
• Action based
• Authentication and authorization
• Flexible base
• Support classes
• Java 1.4
• Wicket 1.3
![Page 8: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/8.jpg)
Diagram: call flow between Wicket, the Wasp strategy, an ISecurityCheck, an ISecureModel, the security implementation and a custom security check. Arrow labels:
1  Permission for instantiation or authorization?
2a Authorization permission? (via ISecurityCheck)
3a Authenticated and/or authorized?
3b Custom security checks.
3c Check model.
2b Authorization permission? (via ISecureModel)
4a Authenticated and/or authorized?
4b Custom security checks.
![Page 9: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/9.jpg)
• Implement ISecurePage
  • Instantiation check + login redirect
• Add an ISecurityCheck
• Or add an ISecureModel
• Or use an ISecureComponent
  • Authorization and/or authentication
![Page 10: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/10.jpg)
SWARM
![Page 11: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/11.jpg)
• Standard Wicket Authentication and Rights Management
• Based on Wasp
• ACL based
• Session scope
• Easy to use with dynamic roles
• JAAS-like security implementation
  • Subjects
  • Principals
  • Permissions
  • Actions
  • Policy files
![Page 12: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/12.jpg)
Policy file syntax (JAAS-like): one grant block per principal, listing the permissions that principal receives.

```
grant principal nl.example.Principal "basic"
{
	permission ${ComponentPermission} "${myPackage}.SomePage", "inherit, render";
};
```

${ComponentPermission} is an alias for the permission class and ${myPackage} an alias defined on the PolicyFileHiveFactory. Of the actions, render allows SomePage to be rendered (and, because render implies access, to be instantiated); inherit lets the child components of SomePage inherit this permission instead of needing their own.
![Page 13: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/13.jpg)
Example: Simple setup
![Page 14: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/14.jpg)
1. Extend SwarmWebApplication
2. Create Principal(s)
3. Write policy files
![Page 15: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/15.jpg)
```java
import org.apache.wicket.security.swarm.SwarmWebApplication;

public class App extends SwarmWebApplication
{
	public Class<HomePage> getHomePage()
	{
		return HomePage.class;
	}

	// Page an unauthenticated user is redirected to when requesting an ISecurePage
	public Class<LoginPage> getLoginPage()
	{
		return LoginPage.class;
	}

	// Key under which this application's Hive (the loaded policy) is registered with HiveMind;
	// the context path keeps it unique per deployment
	protected Object getHiveKey()
	{
		return getServletContext().getContextPath();
	}
	// …
}
```
![Page 16: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/16.jpg)
```java
import org.apache.wicket.security.hive.HiveMind;
import org.apache.wicket.security.hive.config.PolicyFileHiveFactory;

protected void setUpHive()
{
	PolicyFileHiveFactory factory = new PolicyFileHiveFactory();
	// Usable in the policy file as ${package}
	factory.setAlias("package", "nl.example");
	try
	{
		// Kept under WEB-INF so the policy itself is never served to clients
		factory.addPolicyFile(getServletContext().getResource("/WEB-INF/beheer.hive"));
	}
	// ... (exception handling elided on the slide)
	HiveMind.registerHive(getHiveKey(), factory);
}
```
![Page 17: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/17.jpg)
```java
import org.apache.wicket.security.hive.authentication.Subject;
import org.apache.wicket.security.hive.authorization.Principal;

public class MyPrincipal implements Principal
{
	private String name;

	// The policy file refers to a principal by class name plus this name, e.g. "basic"
	public MyPrincipal(String name)
	{
		this.name = name;
	}

	public String getName()
	{
		return name;
	}

	// Returning true would grant this principal implicitly to any subject; false means
	// only subjects that explicitly hold the principal get its permissions
	public boolean implies(Subject subject)
	{
		return false;
	}
	// … (principals from the policy are matched against the subject's principals by
	// equality, so equals/hashCode should be based on the name)
}
```
![Page 18: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/18.jpg)
1. Design your pages
2. Implement ISecurePage
3. Add security checks
4. Or add secure models
5. Or use a secure component
![Page 19: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/19.jpg)
![Page 20: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/20.jpg)
![Page 21: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/21.jpg)
```
grant principal ${package}.MyPrincipal "instelling.deelnemers"
{
	permission ${ComponentPermission} "${package}.SearchPage", "inherit, render";
	permission ${ComponentPermission} "${package}.SearchPage", "enable";
	permission ${ComponentPermission} "${package}.detailPage", "inherit, render";
	permission ${ComponentPermission} "${package}.detailPage", "enable";
};
```

Note that render and enable are granted separately: a principal with only render sees the page, but links and form components on it are rendered disabled because Wicket's enable action is refused.
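The slides that showed the page code for steps 2 and 3 (19 and 20) survive only as images. The following is an added example, not code from the deck or from the Wicket-Security project, of a page that implements ISecurePage by delegating to SecureComponentHelper and that attaches its own ComponentSecurityCheck to one link so that the link needs "enable" while the rest of the page only needs the inherited "render". The Wasp class and method names (ISecurePage, SecureComponentHelper, ComponentSecurityCheck and the component alias format page class + ":" + path used in the policy) are as I recall them from Wicket-Security 1.3 and should be checked against the javadoc; SearchPage, the "delete" link and the principal names are invented for the example.

```java
package nl.example;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.security.actions.WaspAction;
import org.apache.wicket.security.checks.ComponentSecurityCheck;
import org.apache.wicket.security.checks.ISecurityCheck;
import org.apache.wicket.security.components.ISecurePage;
import org.apache.wicket.security.components.SecureComponentHelper;

/**
 * Added example (API names as recalled from Wicket-Security 1.3, not the project's code).
 * Because the class implements ISecurePage, the Wasp strategy runs an instantiation
 * check before the constructor: unauthenticated users go to the login page,
 * authenticated users without a permission on this class get access denied.
 */
public class SearchPage extends WebPage implements ISecurePage
{
    public SearchPage()
    {
        // Default check for the page itself: the policy must grant a ComponentPermission
        // on "nl.example.SearchPage" with at least "render"
        setSecurityCheck(new ComponentSecurityCheck(this));

        add(new Label("title", "Search"));

        // Only this link requires "enable". Its own check asks the policy for the
        // component alias (assumed: "nl.example.SearchPage:delete"); a principal that has
        // "inherit, render" on the page but no "enable" here sees the link disabled.
        Link delete = new Link("delete")
        {
            public void onClick()
            {
                // destructive action goes here
            }
        };
        SecureComponentHelper.setSecurityCheck(delete, new ComponentSecurityCheck(delete));
        add(delete);
    }

    // ISecurePage (via ISecureComponent) contract, delegated to the helper

    public void setSecurityCheck(ISecurityCheck check)
    {
        SecureComponentHelper.setSecurityCheck(this, check);
    }

    public ISecurityCheck getSecurityCheck()
    {
        return SecureComponentHelper.getSecurityCheck(this);
    }

    public boolean isActionAuthorized(String action)
    {
        return SecureComponentHelper.isActionAuthorized(this, action);
    }

    public boolean isActionAuthorized(WaspAction action)
    {
        return SecureComponentHelper.isActionAuthorized(this, action);
    }

    public boolean isAuthenticated()
    {
        return SecureComponentHelper.isAuthenticated(this);
    }
}
```

In the policy this pairs with two principals: a read-only one holding `permission ${ComponentPermission} "nl.example.SearchPage", "inherit, render";` and an administrative one that additionally holds `permission ${ComponentPermission} "nl.example.SearchPage:delete", "enable";`. Keeping the destructive action behind a separate permission is what makes the "divide authorization in levels" advice of the custom-actions section possible later on.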
![Page 22: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/22.jpg)
1. Design the login page
2. Extend LoginContext
3. Populate the Subject with Principals
![Page 23: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/23.jpg)
Wicket Security
Example: Simple setup
![Page 24: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/24.jpg)
```java
import org.apache.wicket.Session;
import org.apache.wicket.security.WaspSession;
import org.apache.wicket.security.hive.authentication.LoginContext;
import org.apache.wicket.security.strategies.LoginException;

// On the login page: hand the credentials to Swarm inside a LoginContext
public boolean signIn(String username, String password, Domain domain)
{
	LoginContext ctx = new MyLoginContext(username, password, domain);
	try
	{
		((WaspSession)Session.get()).login(ctx);
		return true;
	}
	catch (LoginException e)
	{
		error(e.getMessage());
	}
	return false;
}
```
![Page 25: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/25.jpg)
```java
// In MyLoginContext (extends LoginContext): authenticate and build the Subject
public Subject login() throws LoginException
{
	Account accnt = authenticate(username, password, domain);
	if (accnt != null)
	{
		clearFields();
		return new MySubject(accnt);
	}
	// Clear the credentials on both paths so the password does not outlive the login attempt
	clearFields();
	throw new LoginException("...");
}
```
![Page 26: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/26.jpg)
```java
import org.apache.wicket.security.hive.authentication.DefaultSubject;

public class MySubject extends DefaultSubject
{
	public MySubject(Account account)
	{
		// Roles live in the application's own user store; Swarm only sees the principals they map to
		for (Role role : account.getRoles())
		{
			for (MyPrincipal principal : role.getPrincipals())
				addPrincipal(principal);
		}
		// Freeze the principal set: nothing can be added to the subject after login
		setReadOnly();
	}
}
```
![Page 27: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/27.jpg)
Example: Custom actions
![Page 28: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/28.jpg)
Custom actions should:
• Divide authorization into levels
• Drive the logic of custom security checks

Custom actions should not stand in for:
• Roles
• User groups (those belong on the Subject, as principals)
![Page 29: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/29.jpg)
Diagram: call flow between Wicket, the Wasp strategy, an ISecurityCheck and the security implementation. Arrow labels:
1  Component and render or enable action
2a Same
3a Custom actions?
![Page 30: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/30.jpg)
1. Create actions
2. Register actions
3. Use actions in a security check or secure model
![Page 31: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/31.jpg)
![Page 32: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/32.jpg)
```java
import org.apache.wicket.security.actions.WaspAction;

// Registering the custom actions with the ActionFactory (the receiver is not shown on the slide).
// Teacher and Counselor are plain named actions; Location implies both, and School implies
// Location, which gives the hierarchy school > location > teacher / counselor.
register(Teacher.class, "teacher");
register(Counselor.class, "counselor");
register(Location.class, new SomeAction("location", Teacher.class, Counselor.class));
register(School.class, new SomeAction("school", Location.class));

// Each custom action is a marker interface extending WaspAction
public interface School extends WaspAction
{
	// no explicit implementation required
}
```
![Page 33: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/33.jpg)
```java
import org.apache.wicket.security.actions.ActionFactory;
import org.apache.wicket.security.actions.WaspAction;
import org.apache.wicket.security.checks.AbstractSecurityCheck;
import org.apache.wicket.security.checks.ISecurityCheck;

// Wraps another check and tries the custom action levels in turn. The class name, fields and
// constructor are not on the slide and are supplied here; AbstractSecurityCheck (Wasp)
// provides getActionFactory().
public abstract class LeveledSecurityCheck extends AbstractSecurityCheck
{
	private final ISecurityCheck wrapped;
	// Broadest level first: a broader action implies the narrower ones (see the registration
	// on the previous slide), so the first level the subject is authorized for is the one verified
	private final Class< ? extends WaspAction>[] actions;

	protected LeveledSecurityCheck(ISecurityCheck wrapped, Class< ? extends WaspAction>... actions)
	{
		this.wrapped = wrapped;
		this.actions = actions;
	}

	public boolean isActionAuthorized(WaspAction action)
	{
		WaspAction combined = null, additional;
		ActionFactory factory = getActionFactory();
		for (Class< ? extends WaspAction> actionClass : actions)
		{
			additional = factory.getAction(actionClass);
			combined = action.add(additional); // e.g. "render" + "school"
			if (wrapped.isActionAuthorized(combined))
				return verify(additional); // granted at this level: now apply the domain rule
		}
		return false;
	}

	// Domain-specific rule for the level that was granted (next slide)
	protected abstract boolean verify(WaspAction action);
}
```
![Page 34: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/34.jpg)
```java
// Domain rule per level, in the concrete check; getAction(Class) is a shorthand for
// getActionFactory().getAction(Class)
protected boolean verify(WaspAction action)
{
	// School level: the user may see every student of their own school
	if (action.implies(getAction(School.class)))
		return student.getSchool().equals(getUser().getSchool());
	// Location level: only students who take classes at one of the user's locations
	if (action.implies(getAction(Location.class)))
		return student.takesClassesAt(getUser().getLocations());
	// if (…) … further levels elided on the slide
	return false;
}
```
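Slides 33 and 34 leave out how the leveled check is constructed and attached to a component. The following is an added example, not the deck's or the project's code, that completes step 3 of the procedure above. It assumes the abstract check of slide 33 is named LeveledSecurityCheck, takes the wrapped check plus the level actions in its constructor, and inherits getActionFactory() from Wasp's AbstractSecurityCheck; School and Location are the actions registered on slide 32. Student, User, StudentCheck, the link id and the principal names are invented for the example, and the Wasp API names are as recalled from Wicket-Security 1.3.

```java
package nl.example;

import java.util.Set;

import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.security.actions.WaspAction;
import org.apache.wicket.security.checks.ComponentSecurityCheck;
import org.apache.wicket.security.checks.ISecurityCheck;
import org.apache.wicket.security.components.SecureComponentHelper;

/** Minimal domain objects, constructed for this example. */
class Student
{
    final String school;
    final Set<String> locations; // where the student takes classes
    Student(String school, Set<String> locations) { this.school = school; this.locations = locations; }
}

class User
{
    final String school;
    final Set<String> locations; // where the user works
    User(String school, Set<String> locations) { this.school = school; this.locations = locations; }
}

/**
 * Added example: concrete check on top of the wrapper of slide 33 (assumed name
 * LeveledSecurityCheck). Levels are listed broadest first: "school" implies "location"
 * in the registration of slide 32, so a school-wide user must be matched at the school
 * level before the narrower location rule is ever reached.
 */
public class StudentCheck extends LeveledSecurityCheck
{
    private final Student student;
    private final User user;

    public StudentCheck(ISecurityCheck wrapped, Student student, User user)
    {
        super(wrapped, School.class, Location.class);
        this.student = student;
        this.user = user;
    }

    protected boolean verify(WaspAction action)
    {
        // School level: any student of the user's own school
        if (action.implies(getActionFactory().getAction(School.class)))
            return student.school.equals(user.school);
        // Location level: only students taking classes at one of the user's locations
        if (action.implies(getActionFactory().getAction(Location.class)))
        {
            for (String location : student.locations)
                if (user.locations.contains(location))
                    return true;
            return false;
        }
        // A level without a rule is denied, never silently allowed
        return false;
    }

    /** Builds a detail link for a student and attaches the check to it. */
    public static Link detailLink(String id, final Student student, User user)
    {
        Link link = new Link(id)
        {
            public void onClick()
            {
                // open the detail page for student
            }
        };
        // The wrapped ComponentSecurityCheck consults the policy for this link with the
        // combined action (e.g. "enable" + "location"); verify() runs only when that succeeds
        SecureComponentHelper.setSecurityCheck(link,
            new StudentCheck(new ComponentSecurityCheck(link), student, user));
        return link;
    }
}
```

In the policy a location-level principal then holds `permission ${ComponentPermission} "${package}.SearchPage", "inherit, enable, location";` and a school-level principal the same line with `school`. Because the check returns on the first level the policy grants, a user with the school action is verified against the school rule even though school implies location; listing Location before School would instead subject school-wide users to the stricter location rule.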
![Page 35: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/35.jpg)
Example: Secure models
![Page 36: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/36.jpg)
Secure models can be used:
• In ListViews and other repeaters
• In DropDownChoices
• To reuse security without declaring it on every component

Secure models can NOT be used:
• As an instantiation check (no model exists yet when a page class is instantiated)
![Page 37: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/37.jpg)
![Page 38: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/38.jpg)
```java
import org.apache.wicket.Component;
import org.apache.wicket.model.IModel;
import org.apache.wicket.security.actions.WaspAction;

// Wasp: a model that answers authorization questions for the component using it
public interface ISecureModel extends IModel
{
	public boolean isAuthorized(Component c, WaspAction a);

	public boolean isAuthenticated(Component c);
}

// Swarm: additionally names the data, so a DataPermission can be granted on it in the policy
public interface SwarmModel extends ISecureModel
{
	public String getSecurityId(Component c);
}
```
![Page 39: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/39.jpg)
• Implement SwarmModel
• Add a DataPermission to the policy file
![Page 40: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/40.jpg)
```java
// In a model implementing SwarmModel, e.g. a LoadableDetachableModel

// Matched by the DataPermission name in the policy file
public final String getSecurityId(Component component)
{
	return "foo";
}

public boolean isAuthenticated(Component component)
{
	return getStrategy().isModelAuthenticated(this, component);
}

public boolean isAuthorized(Component component, WaspAction action)
{
	return getStrategy().isModelAuthorized(this, component, action);
}

// The model can also use its own permissions to decide what to load
// (Instelling = institution, OrganisatieEenheid = organisational unit; custom actions)
protected List<Location> load()
{
	if (isAuthorized(null, getAction(Instelling.class)))
	{
		…
	}
	else if (isAuthorized(null, getAction(OrganisatieEenheid.class)))
	{
		…
	}
}
```
![Page 41: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/41.jpg)
```
grant principal ${package}.MyPrincipal "something"
{
	permission ${DataPermission} "foo", "render, school";
};
```
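The model above uses one fixed security id. As an added example of the "ListViews and other repeaters" use case, not code from the deck or the project, the following SwarmModel derives its security id from the row's data, so a single DataPermission per school in the policy decides which rows of a student list a subject gets to see, without a security check on any component. The Wicket-Security API names (SwarmModel, WaspAuthorizationStrategy and fetching the session-scoped strategy through Session.get().getAuthorizationStrategy()) are as I recall them from version 1.3 and should be verified; StudentRecord with its sample data, StudentModel, StudentListPage and the school codes are invented for the example.

```java
package nl.example;

import java.util.Arrays;
import java.util.List;

import org.apache.wicket.Component;
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.list.ListItem;
import org.apache.wicket.markup.html.list.ListView;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.LoadableDetachableModel;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.security.actions.WaspAction;
import org.apache.wicket.security.strategies.WaspAuthorizationStrategy;
import org.apache.wicket.security.swarm.models.SwarmModel;

/** Row data; the static list is constructed sample data standing in for a database. */
class StudentRecord
{
    static final List<StudentRecord> ALL = Arrays.asList(new StudentRecord(1, "Anna", "AMS"),
        new StudentRecord(2, "Bram", "AMS"), new StudentRecord(3, "Chen", "UTR"));

    final long id;
    final String name;
    final String schoolCode;

    StudentRecord(long id, String name, String schoolCode)
    {
        this.id = id;
        this.name = name;
        this.schoolCode = schoolCode;
    }

    public String getName() { return name; } // read by the PropertyModel below

    static StudentRecord find(long id)
    {
        for (StudentRecord r : ALL)
            if (r.id == id)
                return r;
        return null;
    }
}

/**
 * Added example: a detachable model that is also a SwarmModel. The security id comes
 * from the data, so the policy needs one DataPermission per school, not per row.
 */
public class StudentModel extends LoadableDetachableModel implements SwarmModel
{
    private final long id;
    private final String schoolCode;

    public StudentModel(StudentRecord record)
    {
        super(record);
        id = record.id;
        schoolCode = record.schoolCode;
    }

    protected Object load() // reload after detach; only the id and school stay in the session
    {
        return StudentRecord.find(id);
    }

    // Name of the data in the policy file, e.g. "school.AMS"
    public String getSecurityId(Component component)
    {
        return "school." + schoolCode;
    }

    public boolean isAuthenticated(Component component)
    {
        return getStrategy().isModelAuthenticated(this, component);
    }

    public boolean isAuthorized(Component component, WaspAction action)
    {
        return getStrategy().isModelAuthorized(this, component, action);
    }

    // The Swarm strategy holds the Subject and is therefore session scoped (assumed lookup)
    private WaspAuthorizationStrategy getStrategy()
    {
        return (WaspAuthorizationStrategy)Session.get().getAuthorizationStrategy();
    }
}

/** Page whose rows are filtered by the DataPermission of each row's model. */
class StudentListPage extends WebPage
{
    public StudentListPage()
    {
        add(new ListView("rows", StudentRecord.ALL)
        {
            // Give each row a StudentModel instead of the default ListItemModel: the Wasp
            // strategy finds the ISecureModel on the ListItem and asks it for "render", so
            // rows of a school the subject holds no DataPermission for are not rendered
            protected IModel getListItemModel(IModel listViewModel, int index)
            {
                return new StudentModel(StudentRecord.ALL.get(index));
            }

            protected void populateItem(ListItem item)
            {
                item.add(new Label("name", new PropertyModel(item.getModel(), "name")));
            }
        });
    }
}
```

With a grant of `permission ${DataPermission} "school.AMS", "render";` the rows for Anna and Bram render and the row for Chen does not; adding a custom action such as "school" to that line lets the same model answer `isAuthorized(null, getAction(School.class))` in its own load(), as on the previous slide.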
![Page 42: Wicket Security Presentation](https://reader035.vdocument.in/reader035/viewer/2022062220/5558770dd8b42a8d018b536b/html5/thumbnails/42.jpg)
Questions?
More information:
http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security