In my Wicket application, I'm using Apache Shiro for both authentication and authorization. I needed powerful authorization features that would have taken a lot more work with Wicket alone. Personally, unless you have dead-simple requirements, I'd suggest learning how to do it with shiro and saving yourself some hassles in the future.
To simplify integrating wicket with shiro, I created the wicket-shiro project hosted at wicketstuff. Note that although I created the project, it is pretty much just a port of someone else's wicket-jsecurity implementation. I didn't really write much code for it, I just took the time to port it from jsecurity to shiro 1.0, clean up some things, and add a wicket-shiro-spring-hibernate example. I also wrote up some information about it here:
The wicket-shiro project is currently commented out of the wicketstuff pom because of the lack of shiro being available via maven, but hopefully I'll update the project with real shiro maven resources soon. However, you can still check it out and use it, just mvn install it into your local mvn repo.
So here's a quick tutorial on setting up a user's permissions from data stored in your business objects. I'm using a service layer with a Hibernate data store. A Member contains a username and password and a reference to a Person object. A Person contains a set of ProjectParticipations -- all of the projects that this member works with. I need a member to only be able to perform actions on projects they are participating in, but to see a list of all projects and join those projects if desired. Also, if a member creates a project or a project creator gives them administrative permissions, they should have access to additional management features for that project.
To do this, I extend AuthorizingRealm and injected my MemberService into it. This service is used to build the permissions for a user. Here's a simplified version of mine -- it's certainly not perfect and major improvements are planned, but it should get you started:
Then, in a wicket page, I have this:
If the member manages a project, then he has the "projectmgr" role which has the "project:viewControls" permission. So the above will only show a menu of project management options to members who have that particular permission. If the member doesn't manage any projects, then they won't see that menu option.
You can also dynamically change permissions during runtime. For instance, if a member who doesn't manage a project creates a new project, then they should immediately get the viewControls permission so they can access the management features. You can force this refresh with this:
Hopefully this gets you started using Wicket with Shiro for authorization!