001: /*
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */
017: package org.apache.wicket.authentication;
018:
019: import java.lang.ref.WeakReference;
020:
021: import org.apache.wicket.Component;
022: import org.apache.wicket.Page;
023: import org.apache.wicket.Request;
024: import org.apache.wicket.Response;
025: import org.apache.wicket.RestartResponseAtInterceptPageException;
026: import org.apache.wicket.Session;
027: import org.apache.wicket.WicketRuntimeException;
028: import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
029: import org.apache.wicket.authorization.UnauthorizedInstantiationException;
030: import org.apache.wicket.authorization.strategies.role.IRoleCheckingStrategy;
031: import org.apache.wicket.authorization.strategies.role.RoleAuthorizationStrategy;
032: import org.apache.wicket.authorization.strategies.role.Roles;
033: import org.apache.wicket.markup.html.WebPage;
034: import org.apache.wicket.protocol.http.WebApplication;
035:
036: /**
037: * A web application subclass that does role-based authentication.
038: *
039: * @author Jonathan Locke
040: */
041: public abstract class AuthenticatedWebApplication extends
042: WebApplication implements IRoleCheckingStrategy,
043: IUnauthorizedComponentInstantiationListener {
044: /** Subclass of authenticated web session to instantiate */
045: private final WeakReference<Class<? extends AuthenticatedWebSession>> webSessionClassRef;
046:
047: /**
048: * Constructor
049: */
050: public AuthenticatedWebApplication() {
051: // Get web session class to instantiate
052: this .webSessionClassRef = new WeakReference<Class<? extends AuthenticatedWebSession>>(
053: getWebSessionClass());
054: }
055:
056: @Override
057: protected void init() {
058: super .init();
059:
060: // Set authorization strategy and unauthorized instantiation listener
061: getSecuritySettings().setAuthorizationStrategy(
062: new RoleAuthorizationStrategy(this ));
063: getSecuritySettings()
064: .setUnauthorizedComponentInstantiationListener(this );
065: }
066:
067: /**
068: * @see IRoleCheckingStrategy#hasAnyRole(Roles)
069: */
070: public final boolean hasAnyRole(final Roles roles) {
071: final Roles sessionRoles = AuthenticatedWebSession.get()
072: .getRoles();
073: return sessionRoles != null && sessionRoles.hasAnyRole(roles);
074: }
075:
076: /**
077: * @see IUnauthorizedComponentInstantiationListener#onUnauthorizedInstantiation(Component)
078: */
079: public final void onUnauthorizedInstantiation(
080: final Component component) {
081: // If there is a sign in page class declared, and the unauthorized
082: // component is a page, but it's not the sign in page
083: if (component instanceof Page) {
084: if (!AuthenticatedWebSession.get().isSignedIn()) {
085: // Redirect to intercept page to let the user sign in
086: throw new RestartResponseAtInterceptPageException(
087: getSignInPageClass());
088: } else {
089: onUnauthorizedPage((Page) component);
090: }
091: } else {
092: // The component was not a page, so throw an exception
093: throw new UnauthorizedInstantiationException(component
094: .getClass());
095: }
096: }
097:
098: /**
099: * @see org.apache.wicket.protocol.http.WebApplication#newSession(org.apache.wicket.Request,
100: * org.apache.wicket.Response)
101: */
102: @Override
103: public Session newSession(final Request request,
104: final Response response) {
105: try {
106: return webSessionClassRef.get().getDeclaredConstructor(
107: AuthenticatedWebApplication.class, Request.class)
108: .newInstance(AuthenticatedWebApplication.this ,
109: request);
110: } catch (Exception e) {
111: throw new WicketRuntimeException(
112: "Unable to instantiate web session "
113: + webSessionClassRef.get(), e);
114: }
115: }
116:
117: /**
118: * @return AuthenticatedWebSession subclass to use in this authenticated web
119: * application.
120: */
121: protected abstract Class<? extends AuthenticatedWebSession> getWebSessionClass();
122:
123: /**
124: * @return Subclass of sign-in page
125: */
126: protected abstract Class<? extends WebPage> getSignInPageClass();
127:
128: /**
129: * Called when an AUTHENTICATED user tries to navigate to a page that they
130: * are not authorized to access. You might want to override this to navigate
131: * to some explanatory page or to the application's home page.
132: *
133: * @param page
134: * The page
135: */
136: protected void onUnauthorizedPage(final Page page) {
137: // The component was not a page, so throw an exception
138: throw new UnauthorizedInstantiationException(page.getClass());
139: }
140: }
|