Wicket Security Presentation


Published on

Presentation given at the Amsterdam wicket meetup 2007 about new wicket security

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Wicket Security Presentation

    1. 1. Wicket Security Wasp & Swarm
    2. 2. Introduction <ul><li>Maurice Marrink </li></ul><ul><li>Topicus </li></ul><ul><ul><li>Core </li></ul></ul><ul><ul><li>Healthcare </li></ul></ul><ul><ul><li>Education </li></ul></ul><ul><ul><li>Finance </li></ul></ul><ul><li>Using Wicket since 2004 </li></ul>
    3. 3. <ul><li>History </li></ul><ul><li>Wasp </li></ul><ul><li>Swarm </li></ul><ul><li>Examples </li></ul><ul><ul><li>Simple setup </li></ul></ul><ul><ul><li>Custom actions </li></ul></ul><ul><ul><li>Secure models </li></ul></ul><ul><li>Questions? </li></ul>Agenda
    4. 4. History
    5. 5. <ul><li>Pre Wicket: Jaas </li></ul><ul><li>2004 Wicket POC authentication only </li></ul><ul><li>2005 Custom Wicket for authorization </li></ul><ul><li>2006 Wicket: IAuthorizationStrategy </li></ul><ul><li>2006 Wicket-Jaas internal project </li></ul><ul><li>2007 Wasp and Swarm </li></ul>
    6. 6. WASP
    7. 7. <ul><li>Wicket Abstract Security Platform </li></ul><ul><li>Action based </li></ul><ul><li>Authentication and Authorization </li></ul><ul><li>Flexible base </li></ul><ul><li>Support classes </li></ul><ul><li>Java 1.4 </li></ul><ul><li>Wicket 1.3 </li></ul>
    8. 8. 1 Permission for instantiation or authorization? 2a Authorization permission? 3a Authenticated and or authorized? 3b Custom security checks. 3c Check model. 2b Authorization permission? 4a Authenticated and or authorized? 4b Custom security checks. 3c Wicket Wasp strategy ISecurity Check ISecureModel Security implemen-tation Custom security check 1 2a 2b 3a 3b 4a 4b
    9. 9. <ul><li>Implement ISecurePage </li></ul><ul><ul><li>Instantiation + login redirect </li></ul></ul><ul><li>Add ISecurityCheck </li></ul><ul><li>Or add ISecureModel </li></ul><ul><ul><li>Or use an ISecureComponent </li></ul></ul><ul><ul><ul><li>Authorization and or Authentication </li></ul></ul></ul>
    10. 10. SWARM
    11. 11. <ul><li>Standard Wicket Authentication and Rights Management </li></ul><ul><li>Based on Wasp </li></ul><ul><li>ACL based </li></ul><ul><li>Session scope </li></ul><ul><li>Easy to use with dynamic roles </li></ul><ul><li>Jaas like security implementation </li></ul><ul><ul><li>Subjects </li></ul></ul><ul><ul><li>Principals </li></ul></ul><ul><ul><li>Permissions </li></ul></ul><ul><ul><li>Actions </li></ul></ul><ul><ul><li>Policy files </li></ul></ul>
    12. 12. grant principal nl.example.Principal &quot;basic&quot; { permission ${ComponentPermission} &quot;${myPackage}.SomePage&quot;, &quot;inherit, render&quot;; };
    13. 13. Simple setup Example
    14. 14. <ul><li>Extend SwarmWebApplication </li></ul><ul><li>Create Principal(s) </li></ul><ul><li>Write policy files </li></ul>
    15. 15. public class App extends SwarmWebApplication { public Class<HomePage> getHomePage(){ return HomePage.class; } public Class<LoginPage> getLoginPage(){ return LoginPage.class; } protected Object getHiveKey(){ return getServletContext().getContextPath(); } …
    16. 16. protected void setUpHive(){ PolicyFileHiveFactory factory = new PolicyFileHiveFactory(); factory.setAlias(&quot;package&quot;, &quot;nl.example&quot;); try{ factory.addPolicyFile(getServletContext() .getResource(&quot;/WEB-INF/beheer.hive&quot;)); } ... HiveMind. registerHive(getHiveKey(), factory); }
    17. 17. public class MyPrincipal implements Principal{ private String name; public MyPrincipal(String name){ this.name = name; } public String getName(){ return name; } public boolean implies(Subject subject){ return false; } … }
    18. 18. <ul><li>Design your Pages </li></ul><ul><li>Implement ISecurePage </li></ul><ul><li>Add security checks </li></ul><ul><li>Or add secure models </li></ul><ul><li>Or use secure component </li></ul>
    19. 21. grant principal ${package}.MyPrincipal &quot;instelling.deelnemers&quot; { permission ${ComponentPermission} &quot;${package}.SearchPage&quot;, &quot;inherit, render&quot;; permission ${ComponentPermission} &quot;${package}.SearchPage&quot;, &quot;enable&quot;; permission ${ComponentPermission} &quot;${package}.detailPage&quot;, &quot;inherit, render&quot;; permission ${ComponentPermission} &quot;${package}.detailPage&quot;, &quot;enable&quot;; };
    20. 22. <ul><li>Design login page </li></ul><ul><li>Extend LoginContext </li></ul><ul><li>Populate Subject with Principals </li></ul>
    21. 23. Wicket Security Example: Simple setup
    22. 24. public boolean signIn(String username, String password, Domain domain){ LoginContext ctx = new MyLoginContext(username, password, domain); try{ ((WaspSession)Session.get()).login(ctx); return true; } catch (LoginException e){ error(e.getMessage()); } return false; }
    23. 25. public Subject login() throws LoginException{ Account accnt = authenticate(username, password, domain); if (accnt != null){ clearFields(); return new MySubject(accnt); } clearFields(); throw new LoginException(“...”); }
    24. 26. public class MySubject extends DefaultSubject{ public MySubject(Account account){ for (Role role : account.getRoles()){ for (MyPrincipal principal: role.getPrincipals()) addPrincipal(principal); } setReadOnly(); } }
    25. 27. Custom actions Example
    26. 28. <ul><li>Should </li></ul><ul><li>Divide authorization in levels </li></ul><ul><li>Direct logic of custom security checks </li></ul><ul><li>Should not </li></ul><ul><li>Roles </li></ul><ul><li>User groups </li></ul>
    27. 29. 1 Component and render or enable action 2a Same 3a Custom actions? Wicket Wasp strategy ISecurity Check Security implemen-tation 1 2a 3a
    28. 30. <ul><li>Create Actions </li></ul><ul><li>Register Actions </li></ul><ul><li>Use Actions in security check or secure model </li></ul>
    29. 32. register(Teacher.class, “teacher&quot;); register(Counselor.class, “counselor&quot;); register(Location.class, new SomeAction( “ location“, Teacher.class, Counselor.class)); register(School.class, new SomeAction( “ school“, Location.class)); public interface School extends WaspAction { // no explicit implementation required }
    30. 33. public boolean isActionAuthorized(WaspAction action){ WaspAction combined = null, additional; ActionFactory factory = getActionFactory(); for (Class< ? extends WaspAction> actionClass : actions){ additional = factory.getAction(actionClass); combined = action.add(additional); if (wrapped.isActionAuthorized(combined)) return verify(additional); } return false; } protected abstract boolean verify(WaspAction action);
    31. 34. protected boolean verify(WaspAction action){ if (action.implies(getAction(School.class))) return student.getSchool() .equals(getUser().getSchool()); if (action.implies(getAction(Location.class))) return student.takesClassesAt(getUser() .getLocations()); if(…….) ……… . return false; }
    32. 35. Secure models Example
    33. 36. <ul><li>Can </li></ul><ul><li>In ListViews and other Repeaters </li></ul><ul><li>In DropDownChoices </li></ul><ul><li>Reuse of security without declaring it on every Component </li></ul><ul><li>Can NOT </li></ul><ul><li>As instantiation check </li></ul>
    34. 38. public interface ISecureModel extends IModel { public boolean isAuthorized(Component c, WaspAction a); public boolean isAuthenticated(Component c); } public interface SwarmModel extends ISecureModel { public String getSecurityId(Component c); }
    35. 39. <ul><li>Implement SwarmModel </li></ul><ul><li>Add DataPermission to policy file </li></ul>
    36. 40. public final String getSecurityId(Component component){ return “foo”; } public boolean isAuthenticated(Component component){ return getStrategy().isModelAuthenticated(this, component); } public boolean isAuthorized(Component component, WaspAction action){ return getStrategy().isModelAuthorized(this, component, action); } protected List<Location> load(){ if (isAuthorized(null, getAction(Instelling.class))){ … } else if (isAuthorized(null, getAction(OrganisatieEenheid.class))){ … } }
    37. 41. grant principal ${package}.MyPrincipal “something&quot; { permission ${DataPermission} “foo”, &quot;render, school&quot;; };
    38. 42. More information: http://wicketstuff.org/confluence/display/STUFFWIKI/Wicket-Security Questions?