
AuthenticatedWebApplication login Workflow broken with replaceSession


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 8.1.0
    • Fix Version/s: 8.2.0, 9.0.0-M1
    • Component/s: wicket-core
    • Labels: None

    Description

      We've got the following issue when upgrading from Wicket 7 to Wicket 8:

      Using AuthenticatedWebApplication a user will be forwarded to the SignInPage, if he is not logged in.
      This is done in AuthenticatedWebApplication#onUnauthorizedInstantiation() which calls AuthenticatedWebApplication#restartResponseAtSignInPage() which throws a RestartResponseAtInterceptPageException.

      During construction of RestartResponseAtInterceptPageException the original request destination will be written in the Session's MetaData (InterceptData#set()).

      After a successful Login we're calling Component#continueToOriginalDestination() / RestartResponseAtInterceptPageException#continueToOriginalDestination() which reads the previously stored MetaData to redirect the user to his original destination.

      The problem is that before doing this, we're calling Session#replaceSession() in our SignInPage to protect against session fixation. But Session#destroy() is different in Wicket 8:

      Wicket 7:

      	private void destroy()
      	{
      		if (getSessionStore() != null)
      		{
      			sessionStore.invalidate(RequestCycle.get().getRequest());
      			sessionStore = null;
      			id = null;
      			RequestCycle.get().setMetaData(SESSION_INVALIDATED, false);
      		}
      	}

      Wicket 8:

      	private void destroy()
      	{
      		if (getSessionStore() != null)
      		{
      			sessionStore.invalidate(RequestCycle.get().getRequest());
      			sessionStore = null;
      			id = null;
      			RequestCycle.get().setMetaData(SESSION_INVALIDATED, false);
      			clientInfo = null;
      			dirty = false;
      			metaData = null;
      		}
      	}

      As you can see, in Wicket 8 metaData = null; will be called.
      This results in RestartResponseAtInterceptPageException#continueToOriginalDestination() not finding any MetaData and being unable to forward the user to his original destination.
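      The following sign-in page is an added example written for this report; it is not code from the issue or from the Wicket project. It keeps the session fixation protection (Session#replaceSession() before any authenticated response) and shows the ordering the report describes: the session id is rotated first, then continueToOriginalDestination() is attempted. On a Wicket 8.1.0 release that call returns false because the intercept MetaData was cleared, so the page falls back to the application home page instead of leaving the user on the sign-in page. It assumes wicket-auth-roles' AuthenticatedWebSession, an application class extending AuthenticatedWebApplication, and constructed component ids (signInForm, username, password); the matching HTML markup is omitted.

```java
// Added example (not from the issue or the Wicket project). Assumes an
// AuthenticatedWebApplication with an AuthenticatedWebSession (wicket-auth-roles).
// Component ids "signInForm", "username" and "password" are constructed for this example.
import org.apache.wicket.Session;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;

public class SignInPage extends WebPage
{
	private final Model<String> username = new Model<>("");
	private final Model<String> password = new Model<>("");

	public SignInPage()
	{
		Form<Void> form = new Form<Void>("signInForm")
		{
			@Override
			protected void onSubmit()
			{
				// AuthenticatedWebSession#signIn(String, String) returns false on bad credentials.
				if (!AuthenticatedWebSession.get().signIn(username.getObject(), password.getObject()))
				{
					error("Invalid credentials");
					return;
				}

				// Session fixation defence: invalidate the pre-authentication session and
				// bind a fresh session id before any authenticated response is produced.
				Session.get().replaceSession();

				// Resume the request that triggered the redirect to this page. When the
				// intercept data is present this call throws a restart exception and never
				// returns; when it is missing (the Wicket 8.1.0 behaviour described in this
				// issue, because Session#destroy() sets metaData = null) it returns false,
				// so send the user to the home page instead of re-rendering the sign-in page.
				if (!continueToOriginalDestination())
				{
					setResponsePage(getApplication().getHomePage());
				}
			}
		};
		form.add(new TextField<>("username", username));
		form.add(new PasswordTextField("password", password));
		add(form);
	}
}
```

      The fallback does not restore the original destination on an affected 8.1.0 release; it only prevents a confusing second sign-in prompt. Whether the original destination survives replaceSession() is exactly what the Fix Version/s of this issue address, so the order of the two calls should be kept as shown rather than moving replaceSession() after the redirect, where it would never execute.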

      People

        Assignee: bitstorm Andrea Del Bene
        Reporter: skyYaga Andreas Müller
        Votes: 0
        Watchers: 3