Wicket / WICKET-6602

AuthenticatedWebApplication login Workflow broken with replaceSession


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 8.1.0
    • Fix Version/s: 8.2.0, 9.0.0-M1
    • Component/s: wicket-core
    • Labels: None

    Description

      We've got the following issue when upgrading from Wicket 7 to Wicket 8:

      Using AuthenticatedWebApplication a user will be forwarded to the SignInPage, if he is not logged in.
      This is done in AuthenticatedWebApplication#onUnauthorizedInstantiation() which calls AuthenticatedWebApplication#restartResponseAtSignInPage() which throws a RestartResponseAtInterceptPageException.

      During construction of RestartResponseAtInterceptPageException the original request destination will be written in the Session's MetaData (InterceptData#set()).

      After a successful Login we're calling Component#continueToOriginalDestination() / RestartResponseAtInterceptPageException#continueToOriginalDestination() which reads the previously stored MetaData to redirect the user to his original destination.

      The problem is that, before doing this, we're calling Session#replaceSession() in our SignInPage to protect against session fixation. But Session#destroy() is different in Wicket 8:

      Wicket 7:

      	private void destroy()
      	{
      		if (getSessionStore() != null)
      		{
      			sessionStore.invalidate(RequestCycle.get().getRequest());
      			sessionStore = null;
      			id = null;
      			RequestCycle.get().setMetaData(SESSION_INVALIDATED, false);
      		}
      	}

      Wicket 8:

      	private void destroy()
      	{
      		if (getSessionStore() != null)
      		{
      			sessionStore.invalidate(RequestCycle.get().getRequest());
      			sessionStore = null;
      			id = null;
      			RequestCycle.get().setMetaData(SESSION_INVALIDATED, false);
      			clientInfo = null;
      			dirty = false;
      			metaData = null;
      		}
      	}

      As you can see, in Wicket 8 metaData = null; will be called.
      This results in RestartResponseAtInterceptPageException#continueToOriginalDestination() not finding any MetaData and being unable to forward the user to his original destination.
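The interaction the report describes can be reproduced without a Wicket runtime. The following is an added example, a constructed model written for this page and not Wicket's own code: a toy session store, a session whose destroy() either keeps or clears its metadata (the Wicket 7 versus Wicket 8 behaviour quoted above), and the three-step workflow of unauthorized instantiation, sign-in with session id rotation, and continueToOriginalDestination(). The names SessionStore, Session, login_flow and the string INTERCEPT_KEY are assumptions; replace_session_keeping_meta_data() is one way a rotation routine can keep the intercept data while still invalidating the old id, not the fix Wicket itself shipped.

```python
# Constructed model of the WICKET-6602 login workflow: added example, not Wicket
# code. It imitates only the pieces the report describes: the intercept
# destination stored in session metadata, Session#replaceSession() invalidating
# the old id to defeat session fixation, and the Wicket 8 destroy() that also
# nulls the metadata. Names (SessionStore, Session, login_flow) are assumptions.
import secrets


class SessionStore:
    """Tracks which session ids the server still accepts."""

    def __init__(self):
        self.invalidated = set()

    def invalidate(self, session_id):
        self.invalidated.add(session_id)

    def is_valid(self, session_id):
        return session_id is not None and session_id not in self.invalidated


class Session:
    def __init__(self, store, clear_metadata_on_destroy):
        self.store = store
        self.id = secrets.token_hex(16)
        self.meta_data = {}
        # False ~ Wicket 7 destroy(); True ~ Wicket 8 destroy() (metaData = null)
        self.clear_metadata_on_destroy = clear_metadata_on_destroy

    def set_meta_data(self, key, value):
        self.meta_data[key] = value

    def get_meta_data(self, key):
        return self.meta_data.get(key)

    def destroy(self):
        # The old id must never be accepted again: this is the fixation defence.
        self.store.invalidate(self.id)
        self.id = None
        if self.clear_metadata_on_destroy:
            self.meta_data = {}

    def replace_session(self):
        """Rotate the id; returns (old_id, new_id)."""
        old_id = self.id
        self.destroy()
        self.id = secrets.token_hex(16)
        return old_id, self.id

    def replace_session_keeping_meta_data(self):
        """Same rotation, but a metadata snapshot survives destroy().
        One way to keep the intercept data (assumption, not Wicket's fix)."""
        snapshot = dict(self.meta_data)
        old_id, new_id = self.replace_session()
        self.meta_data = snapshot
        return old_id, new_id


INTERCEPT_KEY = "InterceptData"  # stands in for the real MetaDataKey


def login_flow(clear_metadata_on_destroy, keep_meta_data=False,
               original_url="/account/settings"):
    """Unauthorized access -> sign-in (id rotation) -> continue to destination."""
    store = SessionStore()
    session = Session(store, clear_metadata_on_destroy)
    # onUnauthorizedInstantiation: the intercept exception records where the
    # user wanted to go before sending them to the SignInPage.
    session.set_meta_data(INTERCEPT_KEY, original_url)
    # SignInPage after a successful credential check: rotate the session id.
    if keep_meta_data:
        old_id, new_id = session.replace_session_keeping_meta_data()
    else:
        old_id, new_id = session.replace_session()
    # continueToOriginalDestination: read the stored destination back.
    destination = session.get_meta_data(INTERCEPT_KEY)
    return {
        "old_id_rejected": not store.is_valid(old_id),
        "new_id_accepted": store.is_valid(new_id),
        "destination": destination,
    }


if __name__ == "__main__":
    print("Wicket 7 style:", login_flow(clear_metadata_on_destroy=False))
    print("Wicket 8 style:", login_flow(clear_metadata_on_destroy=True))
    print("Wicket 8 style, metadata kept:",
          login_flow(clear_metadata_on_destroy=True, keep_meta_data=True))
```

Running it shows the two properties a sign-in page needs at once: in every variant the old id is rejected afterwards, but only the Wicket 7 style destroy() and the snapshot variant still return `/account/settings` as the destination; the Wicket 8 style destroy() returns `None`, which is the failure the report describes.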

          People

            Assignee: Andrea Del Bene (bitstorm)
            Reporter: Andreas Müller (skyYaga)