How should I secure my webapp written using Wicket, Spring, and JPA?

So, I have a web-based application that is using the Wicket 1.4 framework, and it uses Spring beans, the Java Persistence API (JPA), and the OpenSessionInView pattern. I'm hoping to find a security model that is declarative, but doesn't require gobs of XML configuration -- I'd prefer annotations.

Here are the options so far:

  1. Spring Security (guide) - looks complete, but every guide I find that combines it with Wicket still calls it Acegi Security, which makes me think it must be old.

  2. Wicket-Auth-Roles (guide 1 and guide 2) - Most guides recommend mixing this with Spring Security, and I love the declarative style of @Authorize("ROLE1","ROLE2",etc). I'm concerned about having to extend AuthenticatedWebApplication, since I'm already extending org.apache.wicket.protocol.http.WebApplication, and Spring is already proxying that behind org.apache.wicket.spring.SpringWebApplicationFactory.

  3. SWARM / WASP (guide) - This looks the newest (though the main contributor passed away years ago), but I hate all of the JAAS-styled text files that declare permissions for principals. I also don't like the idea of making an Action class for every single thing a user might want to do. Secure models also aren't immediately obvious to me. Plus, there isn't an Authn example.

Additionally, it looks like lots of folks recommend mixing the first and second options. I can't tell what the best practice is at all, though.

asked Feb 23 '10 00:02 by Martin


2 Answers

I don't know if you saw this blog post so I'm adding it here as reference and I'll just quote the end:

Update 2009/03/12: those interested in securing Wicket applications should also be aware that there is an alternative to Wicket-Security, called wicket-auth-roles. This thread will give you a good overview of the status of the two frameworks. Integrating wicket-auth-roles with Spring Security is covered here.
One compelling feature of wicket-auth-roles is the ability to configure authorizations with Java annotations. I find it somehow more elegant than a centralized configuration file. There is an example here.

Based on the information above and the one you provided, and because I prefer annotations too, I'd go for Wicket-Auth-Roles with Spring Security (i.e. guide 2). Extending AuthenticatedWebApplication shouldn't be a problem as this class extends WebApplication. And pulling your application object out of the Spring context using SpringWebApplicationFactory should also just work.

And if your concerns are really big, this would be pretty easy and fast to confirm with a test IMO :)

answered Oct 15 '22 03:10 by Pascal Thivent
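To make the recommendation above concrete, here is an added example (not code from the question, the answers, or either project) of the wicket-auth-roles + Spring Security combination for Wicket 1.4 and Spring Security 3: the application extends AuthenticatedWebApplication, the session delegates the credential check to a Spring Security AuthenticationManager and copies the granted authorities into Wicket Roles, and a page is locked down with wicket-auth-roles' @AuthorizeInstantiation annotation. The class names SecureApplication, SpringSecuritySession, HomePage and AdminPage are hypothetical; the page markup files (HomePage.html, AdminPage.html) and the Spring XML that defines the application bean and the AuthenticationManager are assumed to exist and are not shown.

```java
// Added example, not from the original page. Assumes Wicket 1.4 + wicket-auth-roles 1.4,
// wicket-spring 1.4 and Spring Security 3.x. web.xml points the WicketFilter at
// org.apache.wicket.spring.SpringWebApplicationFactory, so SecureApplication is a Spring bean.
import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authentication.pages.SignInPage;
import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.injection.web.InjectorHolder;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.spring.injection.annot.SpringBean;
import org.apache.wicket.spring.injection.annot.SpringComponentInjector;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical application class. AuthenticatedWebApplication already extends WebApplication,
 *  so the existing SpringWebApplicationFactory setup keeps working unchanged. */
public class SecureApplication extends AuthenticatedWebApplication {

    @Override
    protected void init() {
        // super.init() installs the RoleAuthorizationStrategy (which honours @AuthorizeInstantiation)
        // and registers this application as the unauthorized-instantiation listener.
        super.init();
        // Lets @SpringBean fields in components be injected from the Spring context.
        addComponentInstantiationListener(new SpringComponentInjector(this));
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }

    @Override
    protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
        return SpringSecuritySession.class;
    }

    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return SignInPage.class; // stock sign-in page shipped with wicket-auth-roles
    }
}

/** Hypothetical session: one per user. authenticate() asks Spring Security to verify the
 *  credentials; the granted authorities become the Wicket roles that @AuthorizeInstantiation checks. */
class SpringSecuritySession extends AuthenticatedWebSession {
    private static final long serialVersionUID = 1L;

    @SpringBean
    private AuthenticationManager authenticationManager; // assumed to be a bean in the Spring context

    private Roles roles = new Roles(); // empty until a successful sign-in

    public SpringSecuritySession(Request request) {
        super(request);
        // Sessions are not components, so the SpringComponentInjector does not see them: inject by hand.
        InjectorHolder.getInjector().inject(this);
    }

    @Override
    public boolean authenticate(String username, String password) {
        try {
            Authentication auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // Publish the principal for this request so Spring-secured service beans see it too.
            SecurityContextHolder.getContext().setAuthentication(auth);
            Roles granted = new Roles();
            for (GrantedAuthority ga : auth.getAuthorities()) {
                granted.add(ga.getAuthority()); // e.g. "ROLE_ADMIN"; must match the annotation text exactly
            }
            roles = granted;
            return true;
        } catch (AuthenticationException e) {
            // Bad credentials, disabled or locked account: stay anonymous, give the caller no detail.
            roles = new Roles();
            return false;
        }
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? roles : new Roles();
    }

    @Override
    public void signOut() {
        super.signOut();
        roles = new Roles();
        SecurityContextHolder.clearContext();
    }
}

/** Hypothetical page. Unauthenticated users are redirected to the sign-in page; authenticated
 *  users without ROLE_ADMIN get an UnauthorizedInstantiationException (HTTP 403 by default). */
@AuthorizeInstantiation("ROLE_ADMIN")
class AdminPage extends WebPage {
}

/** Hypothetical home page, reachable by everyone. */
class HomePage extends WebPage {
}
```

Two caveats worth keeping in mind with this layout: the annotation protects Wicket component instantiation only, so any non-Wicket URLs in the same webapp (static resources, servlets, REST endpoints) still need Spring Security's URL-level filter chain, and the role strings in @AuthorizeInstantiation have to match the GrantedAuthority strings byte for byte (Spring Security's default "ROLE_" prefix included). Because authorization is decided from the session's Roles, a WicketTester test can sign in with a given set of authorities and assert that AdminPage renders or is refused, which is a cheap way to confirm the setup before wiring in real users.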


We've been using Wicket-Security for years now and we have used it together with JAAS files and with annotations. Defining JAAS files is quite a hassle and maintaining them is near impossible...

With annotations one has to define actions and principals for every page. This is time-consuming; however, it does allow you to let the user define roles and authorizations dynamically. It is also possible to test all the principals using the WicketTester.

Each of the 3 packages has its (dis)advantages; it's a matter of taste and it also depends on the size of the application.

answered Oct 15 '22 02:10 by Hielke Hoeve