Chapter 11. Securing your application


In this chapter:

  • Ensuring that only authenticated users can edit a list
  • Accessing discount-editing functionality

In the previous few chapters, we looked at custom components while we developed the discount-list example. In this chapter, we’ll take that example and secure it. The discount list has a function to edit discounts, which is currently available to all users of the web application. We’ll change that so only specific users—administrators—can edit this list.

The first step in doing so is to ensure that users are who they say they are. This is called authentication. The simplest and most common form of authentication requires users to provide a username and password combination. This is what we’ll develop in the first half of this chapter.

In addition to authenticating users, we also need to authorize them. Because we want only administrators to have access to the discount-editing functionality, normal users shouldn’t be aware of the functionality. We’ll discuss how to implement that kind of protection in the second half of this chapter.
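The following is an added illustration, not code from the book or from the Wicket project, of the two ideas above: a session that authenticates a username/password pair, and a discount-list page whose edit link is rendered only for administrators while the edit page itself is also locked down, so that a non-admin who guesses its URL is still refused. It uses the wicket-auth-roles module (Wicket 6+ package names). The class names DiscountSession, DiscountApplication, DiscountListPage and EditDiscountsPage, and the hard-coded credential check, are assumptions made for this example; each class would normally live in its own file.

```java
// Added example (not the book's or Wicket's own code); Wicket 6+ wicket-auth-roles API.
import org.apache.wicket.Component;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authentication.pages.SignInPage;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.authroles.authorization.strategies.role.metadata.MetaDataRoleAuthorizationStrategy;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.link.BookmarkablePageLink;
import org.apache.wicket.request.Request;

// Authentication: the session decides whether the supplied credentials are valid
// and which roles the signed-in user holds.
class DiscountSession extends AuthenticatedWebSession {
    private Roles roles = new Roles();

    DiscountSession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        // Constructed placeholder check for the example only. A real application
        // would look the user up in its user store and compare a salted password hash.
        boolean valid = "admin".equals(username) && "changeme".equals(password);
        roles = valid ? new Roles(Roles.ADMIN) : new Roles();
        return valid;
    }

    @Override
    public Roles getRoles() {
        // Roles are only meaningful once the user has actually signed in.
        return isSignedIn() ? roles : new Roles();
    }
}

// Wiring: AuthenticatedWebApplication installs the role-based authorization
// strategy (annotations plus component metadata) and redirects to the sign-in page.
class DiscountApplication extends AuthenticatedWebApplication {
    @Override
    public Class<? extends WebPage> getHomePage() {
        return DiscountListPage.class;
    }

    @Override
    protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
        return DiscountSession.class;
    }

    @Override
    protected Class<? extends WebPage> getSignInPageClass() {
        return SignInPage.class;
    }
}

// Authorization, part 1: normal users never see the edit link, because the
// RENDER action on it is granted to the ADMIN role only.
class DiscountListPage extends WebPage {
    DiscountListPage() {
        add(new Label("title", "Discounts"));
        BookmarkablePageLink<Void> edit = new BookmarkablePageLink<>("edit", EditDiscountsPage.class);
        MetaDataRoleAuthorizationStrategy.authorize(edit, Component.RENDER, Roles.ADMIN);
        add(edit);
    }
}

// Authorization, part 2: hiding the link is not enough on its own. The target page
// is restricted too, so requesting its URL directly without the ADMIN role is refused
// (Wicket sends a non-signed-in user to the sign-in page instead).
@AuthorizeInstantiation(Roles.ADMIN)
class EditDiscountsPage extends WebPage {
    EditDiscountsPage() {
        add(new Label("title", "Edit discounts"));
    }
}
```

The two authorization halves are deliberately separate: the metadata rule on the link controls what the user can see, and the annotation on the page controls what the server will instantiate. Dropping the second would leave the edit functionality reachable by anyone who learns the URL, which is the situation the chapter sets out to fix.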

We didn’t want to title this chapter “Security,” because that would have increased its scope considerably. But we’d like to say a few words about how Wicket is secure by default.

11.1. Session-relative pages

11.2. Implementing authentication

11.3. Implementing authorization

11.4. Summary