authorization on wicket component using wicket auth-role

Question

I am using wicket 1.4.9 and implemented spring + wicket auth-role and using @AuthorizeInstantiation based on roles on pages. I have multiple custom roles.

I have followed this link to implement the basics: https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html

After that I have implemented my own UserDetailsService to have my own roles/users from database.

Now, How can I impose controls on roles with components eg, Links,Buttons ? like link A can be accessed only by SUPER_USER, DR_MANAGER. (roles comes from database).

I have done like this and it seems to work, but is that the good way to do this? OrbitWebSession is of type AuthenticatedWebSession.

        @Override
        public boolean isVisible() {
            if(OrbitWebSession.get().getRoles().hasRole("SUPER_USER")){
                return true;
            }
            return false;
        }

thanks.

Answer 1

Overriding isVisible all the time is a major pain. Take a look at MetaDataRoleAuthorizationStrategy instead. You call authorize(Component component, Action action, String roles) with Action RENDER, and the roles you want to allow. This way the component, whatever it is, is automatically hidden for other roles provided that the authorization strategy is registered in your webapplication. Basically it does the same thing as Holms answer, except you don't have to subclass anything.

Answer 2

You are in the right track, the only change I would do is:

@Override
public boolean isVisible() {
    return super.isVisible() && OrbitWebSession.get().getRoles().hasRole("SUPER_USER");
}

That way you don't accidentally override its default visible behavior for example if the parent component is not visible.