Tuesday, January 26, 2010

Using Wicket with Shiro for authentication and authorization

In my Wicket application, I'm using Apache Shiro for both authentication and authorization. I needed powerful authorization features that would have taken a lot more work with Wicket alone. Personally, unless you have dead-simple requirements, I'd suggest learning how to do it with Shiro and saving yourself some hassles in the future.

To simplify integrating wicket with shiro, I created the wicket-shiro project hosted at wicketstuff. Note that although I created the project, it is pretty much just a port of someone else's wicket-jsecurity implementation. I didn't really write much code for it, I just took the time to port it from jsecurity to shiro 1.0, clean up some things, and add a wicket-shiro-spring-hibernate example. I also wrote up some information about it here:

The wicket-shiro project is currently commented out of the wicketstuff pom because Shiro is not yet available via Maven, but hopefully I'll update the project with real Shiro Maven resources soon. However, you can still check it out and use it; just mvn install it into your local Maven repo.

So here's a quick tutorial on setting up a user's permissions from data stored in your business objects. I'm using a service layer with a Hibernate data store. A Member contains a username and password and a reference to a Person object. A Person contains a set of ProjectParticipations -- all of the projects that this member works with. I need a member to only be able to perform actions on projects they are participating in, but to see a list of all projects and join those projects if desired. Also, if a member creates a project or a project creator gives them administrative permissions, they should have access to additional management features for that project.

To do this, I extended AuthorizingRealm and injected my MemberService into it. This service is used to build the permissions for a user. Here's a simplified version of mine -- it's certainly not perfect and major improvements are planned, but it should get you started:

Then, in a wicket page, I have this:

If the member manages a project, then he has the "projectmgr" role which has the "project:viewControls" permission. So the above will only show a menu of project management options to members who have that particular permission. If the member doesn't manage any projects, then they won't see that menu option.

You can also dynamically change permissions during runtime. For instance, if a member who doesn't manage a project creates a new project, then they should immediately get the viewControls permission so they can access the management features. You can force this refresh with this:
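As an added example (my own code, not the post's or the wicket-shiro project's), here is a realm of the kind described above: it authenticates a Member, builds the member's permissions from their ProjectParticipations, grants the "projectmgr" role and "project:viewControls" permission to project administrators, and exposes a refresh that clears Shiro's cached authorization data. MemberService, Member and ProjectParticipation are assumed domain types with the accessors named in the comment.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Assumed domain/service types (not from the post): MemberService.findByUsername(String) returns
// a Member with getUsername(), getPassword() and getParticipations(); each ProjectParticipation
// has getProjectId() and isAdmin() (true for the project creator or a delegated administrator).
public class MemberRealm extends AuthorizingRealm {
    private final MemberService memberService; // injected, e.g. by Spring

    public MemberRealm(MemberService memberService) {
        this.memberService = memberService;
        setName("memberRealm");
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        Member member = memberService.findByUsername(username);
        if (member == null) return null; // Shiro reports this as an UnknownAccountException
        // The realm's CredentialsMatcher compares the submitted password with the stored one.
        return new SimpleAuthenticationInfo(member.getUsername(), member.getPassword(), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Member member = memberService.findByUsername((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermission("project:view,join"); // every member may list and join projects
        for (ProjectParticipation p : member.getParticipations()) {
            // Instance-level permission: actions only on projects this member participates in.
            info.addStringPermission("project:participate:" + p.getProjectId());
            if (p.isAdmin()) {
                info.addRole("projectmgr");
                info.addStringPermission("project:viewControls"); // unlocks the management menu
            }
        }
        return info;
    }

    // Call after a member creates a project or is granted admin rights, so the next
    // isPermitted() check rebuilds the permission set instead of reusing the cached copy.
    public void refreshPermissions() {
        clearCachedAuthorizationInfo(SecurityUtils.getSubject().getPrincipals());
    }
}
```

In a Wicket page the management menu can override isVisible() to return SecurityUtils.getSubject().isPermitted("project:viewControls"), so it appears only for members holding that permission. refreshPermissions() needs a reference to the realm instance, which the same Spring context that injects the service can supply.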

Hopefully this gets you started using Wicket with Shiro for authorization!



meitian said...

Thank you, Tauren!

I am just looking for some flexible authorization for wicket.

Can you share your codes?


Tauren Mills said...

@meitian - the wicket-shiro code can be found at the link above in the wicketstuff SVN repo. There are several samples included with it of full running applications. It should get you going.

If you need to create permissions based on data from your domain model, then the code in this posting will help you get started. It shouldn't be hard to use the spring-hibernate example from wicket-shiro and add the code in this posting to it.

Good luck!

Nivedan said...

Hi Tauren,

Thanks for the effort in putting this project together. I have implemented authentication using a database Realm.

Could you please let me know the use of the package org.wicketstuff.shiro.wicket.page.store ?

I have integrated Shiro with Wicket application without depending on wicket-shiro project as such, how does not using the above package affect the application?

Many thanks

Tauren Mills said...

@Nivedan: You can certainly integrate wicket and shiro without this project. But for people who don't know how to do that, this project has several example apps that can help them get up to speed faster.

Regarding the page.store package, that is a great question. I didn't implement that, nor have I used it yet, so I can't really comment. But I keep wanting to toy with it, as I'm soon going to need to do some load balancing. I wish I could answer you, but that code was in the project when I ported it from wicket-jsecurity.

Monsignour Chewapchich said...

Hi Tauren ...

I would just like to inform you that link is not working and I would like to take a look at how your implementation of wicket and shiro looks like. I'm working on a big project and have decided to use these two frameworks ...

Tauren Mills said...

@Monsignour: Unfortunately, it looks like the Wicketstuff Wiki has been taken offline to avoid being hacked. Take a look at the home page for details:

I believe you should still be able to access the code via SVN:

There is some additional documentation in the Wiki, but I'm not sure how you can access it right now. Maybe it will be back online soon.

Will Sargent said...

It looks like the project does not compile under 1.4.12: Request and RequestCycle have been moved to

import org.apache.wicket.Request;
import org.apache.wicket.RequestCycle;

and there are a number of interfaces like IPageCache that appear to have been tweaked as well.