I have some files that I have stored in the resource folder, which I only want to be available for authenticated users. So I have added the following contents to my shiro.ini file:
When I am not authenticated, retrieving a page from that folder correctly brings me to Wicket. After logging in, the resource becomes available. However, when I log out, either through the TertiaryActionsPanel in Wicket or using the logout call from the UserResource, it seems that my cookie is not cleared. I am logged out from Wicket, but I can still access the resources (until I clear my cookie on the client side).
In this case I'm trying to protect a few resources, which is a kind of ridiculous use case, but I think that this also applies to other servlet filters, which may lead to some unwanted results.