We've got the following issue when upgrading from Wicket 7 to Wicket 8:
Using AuthenticatedWebApplication a user will be forwarded to the SignInPage, if he is not logged in.
This is done in AuthenticatedWebApplication#onUnauthorizedInstantiation() which calls AuthenticatedWebApplication#restartResponseAtSignInPage() which throws a RestartResponseAtInterceptPageException.
During construction of RestartResponseAtInterceptPageException the original request destination will be written in the Session's MetaData (InterceptData#set()).
After a successful Login we're calling Component#continueToOriginalDestination() / RestartResponseAtInterceptPageException#continueToOriginalDestination() which reads the previously stored MetaData to redirect the user to his original destination.
The problem is, that before doing this, we're calling Session#replaceSession() in our SignInPage to protect against Session fixation. But Session#destroy() is different in Wicket 8:
As you can see, in Wicket 8 metaData = null; will be called.
This results in RestartResponseAtInterceptPageException#continueToOriginalDestination() not finding any MetaData and being unable to forward the user to his original destination.