Is it possible to use metadata-driven, component-based authorization?

Wicket in Action gives an example

@AdminOnly private class ModeLink extends Link {.....}

Then implement isActionAuthorized() of the Authorization Strategy.

But I feel that it is not a good solution to create new classes for every role.

Is there a metadata driven way to do this? Can I add some metadata to a component and then check based on that in the isActionAuthorized() method of the Authorization Strategy?

A: 

I believe I provided a metadata-based solution here: http://stackoverflow.com/questions/2595993/wicket-authorization-using-metadatakey/2603592#2603592 in response to your question.

As for the annotations, you can use a single annotation, say @RequiresRole, parameterized with the role id: @RequiresRole("admin") for example.

Jawher
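
The metadata-based approach mentioned above, as an added example that is not part of the original answer or the linked post: a role is attached to a single component instance through a MetaDataKey and checked in isActionAuthorized(), so no per-role class or annotation is needed. The names MetaDataRoleStrategy, REQUIRED_ROLE and require() are hypothetical, and the code assumes Wicket 7 or later with wicket-auth-roles on the classpath.

```java
import org.apache.wicket.Component;
import org.apache.wicket.MetaDataKey;
import org.apache.wicket.Session;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;

/** Hypothetical strategy; everything it does not override stays allowed. */
public class MetaDataRoleStrategy
    extends IAuthorizationStrategy.AllowAllAuthorizationStrategy {

  /** Hypothetical key: the role that one component instance requires. */
  public static final MetaDataKey<String> REQUIRED_ROLE =
      new MetaDataKey<String>() {
        private static final long serialVersionUID = 1L;
      };

  /** Tags an instance, e.g. add(require(new AdminPanel("admin"), "admin")). */
  public static <C extends Component> C require(C component, String role) {
    component.setMetaData(REQUIRED_ROLE, role);
    return component;
  }

  @Override
  public boolean isActionAuthorized(Component c, Action a) {
    String required = c.getMetaData(REQUIRED_ROLE);
    if (required == null) {
      return true; // untagged components stay unrestricted
    }
    // Tagged component: gate every action (RENDER and ENABLE alike) and
    // fail closed when the session carries no role information.
    Session session = Session.get();
    if (!(session instanceof AuthenticatedWebSession)) {
      return false;
    }
    Roles roles = ((AuthenticatedWebSession) session).getRoles();
    return roles != null && roles.hasRole(required);
  }
}
```

Register it in the application's init() with getSecuritySettings().setAuthorizationStrategy(new MetaDataRoleStrategy()). An empty role string tags the component but matches no role, so the component is denied rather than silently allowed.
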
A: 

You could use string constants for all your roles and do:

@Require(MySession.ADMIN_ROLE)
public class AdminPanel extends Panel {
  // snip
}

public boolean isActionAuthorized(Component c, Action a) {
  // I usually disallow instantiation of pages and rendering of components
  if (c instanceof Page || a == Component.RENDER) {
    // Read the role from the annotation on the component's class
    Require r = c.getClass().getAnnotation(Require.class);
    if (r != null && !Strings.isEmpty(r.value())) {
      Roles roles = ((AuthenticatedWebSession) Session.get()).getRoles();
      return roles != null && roles.hasRole(r.value());
    }
  }
  return true;
}

Instead of strings you could also use an enum to disallow random strings. Simply use r.value().name() in this case to check the role.

sfussenegger