OK, so narrowing down my thought process... Attempting to play with the application or Session AuthorizationStrategy doesn't seem to be a good idea because I would need to somehow inject the current page into the "Authorization Process".
So, I am back to adding the AuthorizationStrategy to the Page. Now, is there a good reason why component.isActionAuthorized() is final (1.2-SNAPSHOT)? To try and work out my solution, I will remove the final modifier from the codebase, then have my Page class override it to include a check to a Page level IAuthorizationStrategy as well as the Application check.

While I am on the topic, is there any reason why MetaDataRoleAuthorizationStrategy (or AbstractRoleAuthorizationStrategy) does not implement Serializable?

Thanks for any insight that you can offer!

ChuckDeal wrote:
>
> I am using the RoleAuthorizationStrategy (which uses
> MetaDataRoleAuthorizationStrategy internally) in my app and it works fine.
> I have a user object that has a list of valid roles in the application.
>
> What I want to do now is make my pages role-based. For example, if you
> are an originator, you would have access to more fields (some enabled,
> some visible). In this case, the role depends not only on the User, but
> also the specific data being viewed. It looks like I could use the
> MetaDataRoleAuthorizationStrategy (MDRAS) with a different
> IRoleCheckingStrategy (maybe implemented by the page) to accomplish this.
>
> If anyone has implemented a finer-grained, data-based role system as
> opposed to a coarser-grained, application role system, would you mind
> sharing your strategy?
>
> As far as what I am going to look into...
> I can see the way to register the MDRAS with the Application (add() method
> on CompoundAuthorizationStrategy). I'm pretty sure that I would want to
> unregister the instance when the page is done so that the authorization
> checking didn't get slowed down by unneeded Authorization Strategies (AS)
> (maybe make a new version of CompoundAuthorizationStrategy that has a
> remove() method). But when would I unregister the AS for the page? When
> the request is done? What about AJAX calls?
>
> Any suggestions?
