さくっと出来た．
これで Page クラスにアノテーションでアクセス権限書けばOK
wicket は楽でいいね

package org.yoshiori.gae.wicket.auth;

import org.apache.wicket.Application;
import org.apache.wicket.Page;
import org.apache.wicket.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;

/**
 * @author yoshiori
 * 
 */
public class WicketApplication extends AuthenticatedWebApplication {

	@Override
	public String getConfigurationType() {
		return Application.DEPLOYMENT;
	}

	@Override
	protected void init() {
		super.init();
		mountBookmarkablePage("/home", HomePage.class);
	}

	/*
	 * (non-Javadoc)
	 * 
	 * @see org.apache.wicket.Application#getHomePage()
	 */
	@Override
	public Class<? extends Page> getHomePage() {
		return HomePage.class;
	}

	@Override
	protected Class<? extends WebPage> getSignInPageClass() {
		return SignInPage.class;
	}

	@Override
	protected Class<? extends AuthenticatedWebSession> getWebSessionClass() {
		return AuthSession.class;
	}

}

package org.yoshiori.gae.wicket.auth;

import org.apache.wicket.markup.html.pages.RedirectPage;

import com.google.appengine.api.users.UserServiceFactory;

/**
 * @author yoshiori
 *
 */
public class SignInPage extends RedirectPage {

	public SignInPage() {
		super(UserServiceFactory.getUserService().createLoginURL("/home"));
	}
}

package org.yoshiori.gae.wicket.auth;

import org.apache.wicket.Request;
import org.apache.wicket.authentication.AuthenticatedWebSession;
import org.apache.wicket.authorization.strategies.role.Roles;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserServiceFactory;

/**
 * @author yoshiori
 *
 */
public class AuthSession extends AuthenticatedWebSession {

	public AuthSession(Request request) {
		super(request);
	}

	/**
	 * 
	 */
	private static final long serialVersionUID = 1L;

	/* (non-Javadoc)
	 * @see org.apache.wicket.authentication.AuthenticatedWebSession#authenticate(java.lang.String, java.lang.String)
	 */
	@Override
	public boolean authenticate(String userid, String password) {
		return UserServiceFactory.getUserService().isUserLoggedIn();
	}

	/* (non-Javadoc)
	 * @see org.apache.wicket.authentication.AuthenticatedWebSession#getRoles()
	 */
	@Override
	public Roles getRoles() {
		User user = UserServiceFactory.getUserService().getCurrentUser();
		if(user == null){
			return null;
		}else if(UserServiceFactory.getUserService().isUserAdmin()){
			return new Roles(Roles.ADMIN);
		}else{
			return new Roles(Roles.USER);
		}
	}

}

package org.yoshiori.gae.wicket.auth;

import org.apache.wicket.authorization.strategies.role.Roles;
import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.link.ExternalLink;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

/**
 * @author yoshiori
 * 
 */
@AuthorizeInstantiation({Roles.ADMIN,Roles.USER})
public class HomePage extends WebPage {

	public HomePage() {
		UserService userService = UserServiceFactory.getUserService();
		User user = userService.getCurrentUser();
		add(new Label("label", user.getNickname()));
		add(new ExternalLink("logout", userService.createLogoutURL("/home")));
	}

}