While testing Wicket 6.19.0 with Isis I've found that most menu items were not displayed.
The reason was that since http://issues.apache.org/jira/browse/WICKET-5775 Wicket(-auth-roles) replaces the http session after successful login to prevent session fixation attacks.
This leads to problems with Shiro authorizations later because Shiro is not notified about the replacement and keeps using the old http session data.
https://issues.apache.org/jira/browse/SHIRO-170?focusedCommentId=13108301&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13108301 suggests how to do session replacement with Shiro.
With session replacement with Shiro or without any replacement I suggest to make Wicket's Session#replaceSession() a no-op method to avoid any similar problems in the future.