Andreas Müller created WICKET-6602:
--------------------------------------

             Summary: AuthenticatedWebApplication login workflow broken with replaceSession
                 Key: WICKET-6602
                 URL: https://issues.apache.org/jira/browse/WICKET-6602
             Project: Wicket
          Issue Type: Bug
          Components: wicket-core
    Affects Versions: 8.1.0
            Reporter: Andreas Müller


We've got the following issue when upgrading from Wicket 7 to Wicket 8:

Using AuthenticatedWebApplication, a user who is not logged in is forwarded to the SignInPage. 
This is done in {{AuthenticatedWebApplication#onUnauthorizedInstantiation()}}, 
which calls {{AuthenticatedWebApplication#restartResponseAtSignInPage()}}, which 
throws a {{RestartResponseAtInterceptPageException}}.

During construction of {{RestartResponseAtInterceptPageException}} the original 
request destination will be written in the Session's MetaData 
({{InterceptData#set()}}).

After a successful Login we're calling 
{{Component#continueToOriginalDestination()}} / 
{{RestartResponseAtInterceptPageException#continueToOriginalDestination()}} 
which reads the previously stored MetaData to redirect the user to his original 
destination.

The problem is, that before doing this, we're calling 
{{Session#replaceSession()}} in our SignInPage to protect against Session 
fixation. But {{Session#destroy()}} is different in Wicket 8:

Wicket 7:
{code:java}
private void destroy()
{
	if (getSessionStore() != null)
	{
		sessionStore.invalidate(RequestCycle.get().getRequest());
		sessionStore = null;
		id = null;
		RequestCycle.get().setMetaData(SESSION_INVALIDATED, false);
	}
}
{code}
Wicket 8:
{code:java}
private void destroy()
{
	if (getSessionStore() != null)
	{
		sessionStore.invalidate(RequestCycle.get().getRequest());
		sessionStore = null;
		id = null;
		RequestCycle.get().setMetaData(SESSION_INVALIDATED, false);
		clientInfo = null;
		dirty = false;
		metaData = null;
	}
}
{code}
As you can see, in Wicket 8 {{metaData = null;}} will be called. 
This results in {{RestartResponseAtInterceptPageException#continueToOriginalDestination()}} 
not finding any MetaData and being unable to forward the user to his original 
destination.
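The following is an added, hypothetical model of the workflow described above; it is not Wicket code and not part of this report. It stands in for the session with a plain map, lets {{destroy()}} either keep (Wicket 7) or null (Wicket 8) the metadata, and shows the application-side "snapshot before, restore after {{replaceSession()}}" pattern, assumed here for application-owned metadata, not for Wicket's own {{InterceptData}} key.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model (not Wicket code): a session whose replaceSession() rotates
// the id as a session fixation defence via destroy(), which either keeps or nulls
// the metadata map, mirroring the two destroy() bodies quoted in the report.
public class ReplaceSessionDemo {
    // Stand-in for the MetaDataKey under which InterceptData is stored.
    static final String INTERCEPT_KEY = "interceptData";
    private static int nextId = 1;

    static final class Session {
        private final boolean nullMetaDataOnDestroy; // true models Wicket 8
        private String id = "sid-" + nextId++;
        private Map<String, Object> metaData = new HashMap<>();

        Session(boolean nullMetaDataOnDestroy) { this.nullMetaDataOnDestroy = nullMetaDataOnDestroy; }

        String getId() { return id; }

        void setMetaData(String key, Object value) {
            if (metaData == null) { metaData = new HashMap<>(); }
            metaData.put(key, value);
        }

        Object getMetaData(String key) {
            return metaData == null ? null : metaData.get(key);
        }

        // Wicket 7 keeps metaData here; Wicket 8 sets it to null.
        private void destroy() {
            id = null;
            if (nullMetaDataOnDestroy) { metaData = null; }
        }

        // New session id for the authenticated user; whatever destroy() dropped is gone.
        void replaceSession() {
            destroy();
            id = "sid-" + nextId++;
        }
    }

    // Login workflow: InterceptData#set() stores the destination, the SignInPage calls
    // replaceSession(), then continueToOriginalDestination() reads it back.
    // With preserve=true the application snapshots the value and restores it afterwards.
    static String loginAndContinue(boolean wicket8, boolean preserve) {
        Session session = new Session(wicket8);
        session.setMetaData(INTERCEPT_KEY, "/secure/report?id=42"); // constructed sample target
        Object saved = preserve ? session.getMetaData(INTERCEPT_KEY) : null;
        session.replaceSession();
        if (saved != null) { session.setMetaData(INTERCEPT_KEY, saved); }
        return (String) session.getMetaData(INTERCEPT_KEY); // null when the destination was lost
    }
}
```

{{loginAndContinue(false, false)}} returns the stored destination while {{loginAndContinue(true, false)}} returns null; the snapshot-and-restore variant returns the destination in both cases, which is the behaviour a session-fixation-safe login needs.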



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)