Saturday, July 25, 2009

Wicket + Spring Security: do NOT post info to j_spring_security_check as part of the URL

This week, when working on the integration of Spring Security with Wicket, I was trying to understand the best approach to create a customized login page. Then I came across this Apache wiki page:

It suggests that you post the info as a Wicket form and, in the Wicket class, you validate the info and post it to j_spring_security_check. This looks very nice at first, but later I realized a major problem. It posts the username and password as part of the URL. Yes, it posts something like that:


What's wrong with that? If you have access log, this is the URL you are accessing, which shows up in the log files. I updated the Wiki page with this info and definitely did not follow this path.

It turned out that, after searching everything I found on the web, the solution was pretty straightforwad. I added a regular form to my LoginPage with action set to j_spring_security_check and do not intercept this request through Wicket. That simple, no validation or check in my Wicket code at all.

If you have any questions about this, don't hesitate to send me an email.

Monday, July 20, 2009

Wicket:: how to output text (like a Servlet)

I wanted to output regular text, like a servlet, rather than an HTML - which is Wicket's default. This was to be used by a PingPage, to make sure the service is up and running. This is the way you can do that:

public class PingPage extends WebPage {
public PingPage() {
getRequestCycle().setRequestTarget(new IRequestTarget() {
public void detach(RequestCycle requestCycle) {}
public Object getLock(RequestCycle requestCycle) { return null; }

public void respond(RequestCycle requestCycle) {
WebResponse r = (WebResponse)requestCycle.getResponse();
r.setContentType( "text/plain" );

PrintStream printStream = new PrintStream(r.getOutputStream());

Thursday, July 16, 2009

Wicket: link/url relative to the context path

I was trying to figure that out and it took me long enough to find how to do that in wicket that it may be worth posting how to solve this problem.

ExternalLink logoutLink = new ExternalLink("logout_link", "/j_spring_security_logout");

I was integrating Spring Security and wanted to add the logout link. There is no need to figure out the context path, as the ExternalLink class has an option to set the link as relative to the context.

You can find more info here: ExternalLink (javadoc)