Enforcing multiple levels of page access in Wicket

In Wicket, when you want to require user login for some pages, you typically have those pages inherit from a common superclass, say ProtectedPage, and then use a Wicket SimplePageAuthorizationStrategy to protect them as follows:

[sourcecode language="java"]
// In your Application subclass: protect every page derived from ProtectedPage.
getSecuritySettings().setAuthorizationStrategy(new SimplePageAuthorizationStrategy(ProtectedPage.class, LoginPage.class) {
    @Override
    protected boolean isAuthorized() {
        // Authorized only when the session holds a logged-in user.
        return ((ApplicationSession) Session.get()).getLoggedInUser() != null;
    }
});
[/sourcecode]

This will cause any access to a protected page by a non-logged-in user to be redirected to the login page first.

In the real world, however, it's likely that your application will also require administrator privileges for access to certain pages. To do this, you need to use a Wicket CompoundAuthorizationStrategy as follows:

[sourcecode language="java"]
CompoundAuthorizationStrategy pageAuthorizationStrategy = new CompoundAuthorizationStrategy();

// Pages derived from AdminPage: require a logged-in user who is an administrator.
pageAuthorizationStrategy.add(new SimplePageAuthorizationStrategy(AdminPage.class, AccessDeniedPage.class) {
    @Override
    protected boolean isAuthorized() {
        return (((ApplicationSession) Session.get()).getLoggedInUser() != null)
                && (((ApplicationSession) Session.get()).getLoggedInUser().isAdministrator());
    }
});

// Pages derived from ProtectedPage: require any logged-in user.
pageAuthorizationStrategy.add(new SimplePageAuthorizationStrategy(ProtectedPage.class, LoginPage.class) {
    @Override
    protected boolean isAuthorized() {
        return ((ApplicationSession) Session.get()).getLoggedInUser() != null;
    }
});

getSecuritySettings().setAuthorizationStrategy(pageAuthorizationStrategy);
[/sourcecode]

The above requires the user to be logged in to access any page inherited from ProtectedPage, and to be both logged in AND an administrator to access any page inherited from AdminPage.

Thanks to selckin for the tip!
