Posted on by & filed under Content - Highlights and Reviews, Programming & Development.

Wicket provides a perfect framework for developing stateful web applications on top of stateless HTTP. Even though there are ways to write stateful web applications without moving away from HTTP through REST, there are disadvantages to doing so. The REST way of writing stateful web applications means coupling the state with the URL. In this short article we’ll discuss authentication in Wicket, since one of the obvious disadvantages of REST is security loopholes – there’s a greater chance that malicious clients may play with the URL and end up accessing restricted sections of a web app. To keep things simple, let’s just say that Wicket solves this issue without adding additional complications.

Let’s see how we can authenticate a Wicket web app through an OpenID provider. The flow is very straightforward. Whenever a user tries to login, your authentication controller transparently communicates with the configured OpenID provider and upon successful authentication, creates a session for the user and redirects to wherever the user needs to be. This article skips the details on creating and configuring login and session pages for the user, and instead shows how you can use the OpenID4Java library to control the authentication process. This will be our Consumer class and it will have the following functions:

Next, you need to create a page that will handle the callback from the OpenID provider. These next few excerpts come from Chapter 10 in Apache Wicket Cookbook by Igor Vaynberg. Be sure to read this complete chapter on authenticating Wicket applications using OpenID.

Now we have an authentication controller class and a OpenID callback handler class. We will now need to specify our callback handler class within our authorization strategy:

Now since our OpenID handler—the Consumer class—cannot be Serializable, we need a way to keep the “conversations” between our handler and the OpenID provider. For this, we use a Map with a small timeout to make sure its entries are flushed frequently and do not overflow.

Once the authentication is done, we get the credentials of the user from the OpenID provider. Most of the heavy lifting will be done through OpenID4Java library since it implements the OpenID protocol, so all we will need to do is redirect the user through calling either onSuccessfulLogin(…) or onFailedLogin(…). Here’s how we do it:

If the identity we provided to the OpenID provider is authenticated, we get the Identifier object in return. If it’s null, it means authentication failed and an OpenIDException is thrown with the error message “Authentication failed.”

Safari Books Online has the content you need

Check out these Apache Wicket books available from Safari Books Online:

Wicket in Action is an authoritative, comprehensive guide for Java developers building Wicket-based Web applications. This book starts with an introduction to Wicket’s structure and components, and moves quickly into examples of Wicket at work. Written by two of the project’s earliest and most authoritative experts, this book shows you both the “how-to” and the “why” of Wicket. As you move through the book, you’ll learn to use and customize Wicket components, how to interact with other technologies like Spring and Hibernate, and how to build rich, Ajax-driven features into your applications.
Apache Wicket Cookbook provides you with information that gets your problems solved quickly without beating around the bush. This book is perfect for you if you are ready to take the next step from tutorials and step into the practical world. It will take you beyond the basics of using Apache Wicket and show you how to leverage Wicket’s advanced features to create simpler and more maintainable solutions to what at first may seem complex problems

About the author

Salman Ul Haq is a techpreneur, co-founder and CEO of TunaCode, Inc., a startup that delivers GPU-accelerated computing solutions to time-critical application domains. He holds a degree is Computer Systems Engineering. His current focus is on delivering the right solution for cloud security. He can be reached at


Comments are closed.