So, I have a web-based application that is using the Wicket 1.4 framework, and it uses Spring beans, the Java Persistence API (JPA), and the OpenSessionInView pattern. I’m hoping to find a security model that is declarative, but doesn’t require gobs of XML configuration — I’d prefer annotations.
Here are the options so far:
- Spring Security (guide) – looks complete, but every guide I find that combines it with Wicket still calls it Acegi Security, which makes me think it must be old.
- Wicket-Auth-Roles (guide 1 and guide 2) – Most guides recommend mixing this with Spring Security, and I love the declarative style of @Authorize("ROLE1","ROLE2",etc). I’m concerned about having to extend AuthenticatedWebApplication, since I’m already extending org.apache.wicket.protocol.http.WebApplication, and Spring is already proxying that behind org.apache.wicket.spring.SpringWebApplicationFactory.
- SWARM / WASP (guide) – This looks the newest (though the main contributor passed away years ago), but I hate all of the JAAS-styled text files that declare permissions for principals. I also don’t like the idea of making an Action class for every single thing a user might want to do. Secure models also aren’t immediately obvious to me. Plus, there isn’t an Authn example.
Additionally, it looks like lots of folks recommend mixing the first and second options. I can’t tell what the best practice is at all, though.
I don’t know if you saw this blog post so I’m adding it here as reference and I’ll just quote the end:
Based on the information above and the one you provided, and because I prefer annotations too, I’d go for Wicket-Auth-Roles with Spring Security (i.e. guide 2). Extending AuthenticatedWebApplication shouldn’t be a problem as this class extends WebApplication. And pulling your application object out of spring context using SpringWebApplicationFactory should also just work.
And if your concerns are really big, this would be pretty easy and fast to confirm with a test IMO 🙂
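The combination this answer recommends, as an added example (not code from the post or the linked guides): an application class that extends AuthenticatedWebApplication, a session that delegates the password check to Spring Security, and a page guarded by wicket-auth-roles' @AuthorizeInstantiation annotation. The class names, the `authenticationManager` bean name and the `ROLE_ADMIN` role are hypothetical; it assumes Wicket 1.4 with wicket-auth-roles and wicket-spring, Spring Security 3.x package names, and markup files for the two pages.

```java
// Added example; all class, bean and role names here are hypothetical.
import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.injection.web.InjectorHolder;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.spring.injection.annot.SpringBean;
import org.apache.wicket.spring.injection.annot.SpringComponentInjector;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

// Still a WebApplication, so it can remain the bean served by SpringWebApplicationFactory.
public class SecureApplication extends AuthenticatedWebApplication {
    @Override protected void init() {
        super.init(); // installs the role-based authorization strategy
        addComponentInstantiationListener(new SpringComponentInjector(this));
    }
    @Override public Class<? extends Page> getHomePage() { return AdminPage.class; }
    @Override protected Class<? extends WebPage> getSignInPageClass() { return SignInPage.class; }
    @Override protected Class<? extends AuthenticatedWebSession> getWebSessionClass() { return SpringSession.class; }

    public static class SpringSession extends AuthenticatedWebSession {
        @SpringBean(name = "authenticationManager") private AuthenticationManager authManager;
        private Authentication auth; // result of the last successful login
        public SpringSession(Request request) { super(request); InjectorHolder.getInjector().inject(this); }
        @Override public boolean authenticate(String user, String password) {
            try {
                auth = authManager.authenticate(new UsernamePasswordAuthenticationToken(user, password));
                return auth.isAuthenticated();
            } catch (AuthenticationException e) {
                return false; // fail closed, without saying which check failed
            }
        }
        @Override public Roles getRoles() {
            Roles roles = new Roles(); // empty until signed in, so guarded pages stay closed
            if (isSignedIn() && auth != null)
                for (GrantedAuthority a : auth.getAuthorities()) roles.add(a.getAuthority());
            return roles;
        }
    }
    @AuthorizeInstantiation("ROLE_ADMIN") // only sessions holding this role may construct the page
    public static class AdminPage extends WebPage { }
    public static class SignInPage extends WebPage { } // would hold the login form
}
```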