WICKET-6602

AuthenticatedWebApplication login Workflow broken with replaceSession


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 8.1.0
    • Fix Version/s: 8.2.0, 9.0.0-M1
    • Component/s: wicket-core
    • Labels:
      None

      Description

      We've got the following issue when upgrading from Wicket 7 to Wicket 8:

      Using AuthenticatedWebApplication a user will be forwarded to the SignInPage, if he is not logged in.
      This is done in AuthenticatedWebApplication#onUnauthorizedInstantiation() which calls AuthenticatedWebApplication#restartResponseAtSignInPage() which throws a RestartResponseAtInterceptPageException.

      During construction of RestartResponseAtInterceptPageException the original request destination will be written in the Session's MetaData (InterceptData#set()).

      After a successful Login we're calling Component#continueToOriginalDestination() / RestartResponseAtInterceptPageException#continueToOriginalDestination() which reads the previously stored MetaData to redirect the user to his original destination.

      The problem is that, before doing this, we're calling Session#replaceSession() in our SignInPage to protect against session fixation. But Session#destroy() is different in Wicket 8:

      Wicket 7:

      	private void destroy()
      	{
      		if (getSessionStore() != null)
      		{
      			sessionStore.invalidate(RequestCycle.get().getRequest());
      			sessionStore = null;
      			id = null;
      			RequestCycle.get().setMetaData(SESSION_INVALIDATED, false);
      		}
      	}

      Wicket 8:

      	private void destroy()
      	{
      		if (getSessionStore() != null)
      		{
      			sessionStore.invalidate(RequestCycle.get().getRequest());
      			sessionStore = null;
      			id = null;
      			RequestCycle.get().setMetaData(SESSION_INVALIDATED, false);
      			clientInfo = null;
      			dirty = false;
      			metaData = null;
      		}
      	}

      As you can see, in Wicket 8 metaData = null; is executed as well.
      This results in RestartResponseAtInterceptPageException#continueToOriginalDestination() not finding any MetaData and being unable to forward the user to his original destination.
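
      A WicketTester reproduction of the workflow described above, added here as an example; it is not part of this report and not Wicket's own test suite. It assumes JUnit 4 and wicket-auth-roles 8.x on the classpath; the page, session and application classes (InlinePage, HomePage, ProtectedPage, SignInPage, TestSession, TestApp) and the credentials are invented for the example, and the markup is returned inline so no .html files are needed. The last assertion states the expected behaviour (return to the intercepted page); per the report it fails on 8.1.0, where the submit ends on HomePage because replaceSession() has cleared the InterceptData.

```java
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.Page;
import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AbstractAuthenticatedWebSession;
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.authroles.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.IMarkupResourceStreamProvider;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.request.Request;
import org.apache.wicket.util.resource.IResourceStream;
import org.apache.wicket.util.resource.StringResourceStream;
import org.apache.wicket.util.tester.FormTester;
import org.apache.wicket.util.tester.WicketTester;
import org.junit.Test;

// Example test, not part of Wicket. Class names below are invented for this reproduction.
public class ReplaceSessionInterceptTest {

    /** Pages supply their own markup so the test needs no .html files beside the classes. */
    public abstract static class InlinePage extends WebPage implements IMarkupResourceStreamProvider {
        protected abstract String markup();

        @Override
        public IResourceStream getMarkupResourceStream(MarkupContainer container, Class<?> containerClass) {
            return new StringResourceStream("<html><head></head><body>" + markup() + "</body></html>");
        }
    }

    public static class HomePage extends InlinePage {
        @Override protected String markup() { return "home"; }
    }

    /** The original destination: instantiating it requires the USER role. */
    @AuthorizeInstantiation(Roles.USER)
    public static class ProtectedPage extends InlinePage {
        @Override protected String markup() { return "secret"; }
    }

    /** Mirrors the report's SignInPage: sign in, replaceSession(), then continue. */
    public static class SignInPage extends InlinePage {
        private final IModel<String> username = Model.of("");
        private final IModel<String> password = Model.of("");

        public SignInPage() {
            Form<Void> form = new Form<Void>("form") {
                @Override
                protected void onSubmit() {
                    if (AuthenticatedWebSession.get().signIn(username.getObject(), password.getObject())) {
                        Session.get().replaceSession();      // session fixation protection, as in the report
                        continueToOriginalDestination();      // needs the InterceptData stored before login
                        setResponsePage(getApplication().getHomePage()); // reached only if no intercept data
                    }
                }
            };
            form.add(new TextField<>("username", username));
            form.add(new PasswordTextField("password", password));
            add(form);
        }

        @Override protected String markup() {
            return "<form wicket:id=\"form\"><input type=\"text\" wicket:id=\"username\"/>"
                 + "<input type=\"password\" wicket:id=\"password\"/></form>";
        }
    }

    /** Test double: any non-null credentials succeed. Not a real authentication scheme. */
    public static class TestSession extends AuthenticatedWebSession {
        public TestSession(Request request) { super(request); }
        @Override protected boolean authenticate(String u, String p) { return u != null && p != null; }
        @Override public Roles getRoles() { return isSignedIn() ? new Roles(Roles.USER) : new Roles(); }
    }

    public static class TestApp extends AuthenticatedWebApplication {
        @Override public Class<? extends Page> getHomePage() { return HomePage.class; }
        @Override protected Class<? extends AbstractAuthenticatedWebSession> getWebSessionClass() { return TestSession.class; }
        @Override protected Class<? extends WebPage> getSignInPageClass() { return SignInPage.class; }
    }

    @Test
    public void loginReturnsToInterceptedPage() {
        WicketTester tester = new WicketTester(new TestApp());
        tester.startPage(ProtectedPage.class);       // unauthorized: intercepted to the sign-in page
        tester.assertRenderedPage(SignInPage.class);

        FormTester form = tester.newFormTester("form");
        form.setValue("username", "alice");          // constructed credentials
        form.setValue("password", "secret");
        form.submit();

        // Expected: back at the original destination. Per the report this lands on HomePage on 8.1.0.
        tester.assertRenderedPage(ProtectedPage.class);
        tester.destroy();
    }
}
```

      Run it against the affected and fixed versions to see the difference; checking that the session id seen by the tester's request changes across the submit would additionally confirm that replaceSession() still does its fixation-protection job after the fix.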

              People

              • Assignee: bitstorm Andrea Del Bene
              • Reporter: skyYaga Andreas Müller
              • Votes: 0
              • Watchers: 3
