org.apache.wicket.authorization.strategies.page.SimplePageAuthorizationStrategy.java Source code

Java tutorial

  1. HOME
  2. Java
  3. org.apache.wicket.authorization.strategies.page.SimplePageAuthorizationStrategy.java

Introduction

Here is the source code for org.apache.wicket.authorization.strategies.page.SimplePageAuthorizationStrategy.java

Source

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.wicket.authorization.strategies.page;

import java.lang.ref.WeakReference;

import org.apache.wicket.Application;
import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
import org.apache.wicket.authorization.UnauthorizedInstantiationException;

/**
 * A very simple authorization strategy that takes a supertype (a base class or tagging interface)
 * and performs a simple authorization check by calling the abstract method isAuthorized() whenever
 * a Page class that extends or implements the supertype is about to be instantiated. If that method
 * returns true, page instantiation proceeds normally. If it returns false, the user is
 * automatically directed to the specified sign-in page for authentication, which will presumably
 * allow authorization to succeed once they have signed in.
 * <p>
 * In your Application.init() method do something like the following:
 * 
 * <pre>
 * SimplePageAuthorizationStrategy authorizationStrategy = new SimplePageAuthorizationStrategy(
 *    MySecureWebPage.class, MySignInPage.class)
 * {
 *    protected boolean isAuthorized()
 *    {
 *       // Authorize access based on user authentication in the session
 *       return (((MySession)Session.get()).isSignedIn());
 *    }
 * };
 * 
 * getSecuritySettings().setAuthorizationStrategy(authorizationStrategy);
 * </pre>
 * 
 * @author Eelco Hillenius
 * @author Jonathan Locke
 */
public abstract class SimplePageAuthorizationStrategy extends AbstractPageAuthorizationStrategy {
    /**
     * The super type (class or interface) of Pages that require authorization to be instantiated.
     */
    private final WeakReference<Class<?>> securePageSuperTypeRef;

    /**
     * Construct.
     * 
     * @param <S>
     * 
     * @param securePageSuperType
     *            The class or interface supertype that indicates that a given Page requires
     *            authorization
     * @param signInPageClass
     *            The sign in page class
     */
    public <S extends Page> SimplePageAuthorizationStrategy(final Class<?> securePageSuperType,
            final Class<S> signInPageClass) {
        if (securePageSuperType == null) {
            throw new IllegalArgumentException("Secure page super type must not be null");
        }

        securePageSuperTypeRef = new WeakReference<Class<?>>(securePageSuperType);

        // Handle unauthorized access to pages
        Application.get().getSecuritySettings()
                .setUnauthorizedComponentInstantiationListener(new IUnauthorizedComponentInstantiationListener() {
                    @Override
                    public void onUnauthorizedInstantiation(final Component component) {
                        // If there is a sign in page class declared, and the
                        // unauthorized component is a page, but it's not the
                        // sign in page
                        if (component instanceof Page) {
                            // Redirect to page to let the user sign in
                            throw new RestartResponseAtInterceptPageException(signInPageClass);
                        } else {
                            // The component was not a page, so throw exception
                            throw new UnauthorizedInstantiationException(component.getClass());
                        }
                    }
                });
    }

    /**
     * @see org.apache.wicket.authorization.strategies.page.AbstractPageAuthorizationStrategy#isPageAuthorized(java.lang.Class)
     */
    @Override
    protected <T extends Page> boolean isPageAuthorized(final Class<T> pageClass) {
        if (instanceOf(pageClass, securePageSuperTypeRef.get())) {
            return isAuthorized();
        }

        // Allow construction by default
        return true;
    }

    /**
     * Gets whether the current user/session is authorized to instantiate a page class which extends
     * or implements the supertype (base class or tagging interface) passed to the constructor.
     * 
     * @return True if the instantiation should be allowed to proceed. False, if the user should be
     *         directed to the application's sign-in page.
     */
    protected abstract boolean isAuthorized();
}