Hi all.

I have noticed an error in the sample configuration on https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html , section 'Spring Security setup', sample web.xml.

In this sample the Spring securityFilterChainProxy is marked as optional, needed only to secure resources. This leads to a misconfiguration. If we omit this filter, Spring Security is not able to restore (and clear!) the SecurityContext in SecurityContextHolder on each request.

This leads to pretty strange behavior. With the sample given, on the correct auth, the Authentication object is set on the current thread-local SecurityContext immediately. As the security filter is omitted, this context is NEVER cleared from the thread. As long as you continue hitting the same thread of the servlet container, everything is OK, but as soon as the server serves you with another thread you get unpredictable results, for instance showing random users' details after login.

Also, with Spring Security 3 the default name of the filter for Spring Security should be 'springSecurityFilterChain'; it is then linked to the <security:http> Spring element.

Hope this helps! I am not subscribed to the Wicket mailing lists, so if you need some additional info please mail directly to this acct.

Kindest regards,
--
Alexander Cherednichenko
[ the only way out is the way up ]
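Added example, not part of the original message and not Spring Security code: a plain-Java model of the leak described above, where one pooled thread serves two clients in turn. The `CONTEXT` ThreadLocal, `handle` and `handleFiltered` are hypothetical stand-ins for the thread-local SecurityContext, a request handler, and the per-request restore-and-clear step the security filter performs.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextLeakDemo {
    // Stand-in for the thread-local SecurityContext (hypothetical, not Spring's class).
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    // Request handler: stores the user on login, then reports who the
    // current worker thread believes is authenticated.
    static String handle(String loginAs) {
        if (loginAs != null) {
            CONTEXT.set(loginAs);
        }
        String user = CONTEXT.get();
        return user == null ? "anonymous" : user;
    }

    // The same handler wrapped the way a per-request filter wraps it:
    // restore the context from the caller's own session, always clear it afterwards.
    static String handleFiltered(String sessionUser, String loginAs) {
        try {
            CONTEXT.set(sessionUser);
            return handle(loginAs);
        } finally {
            CONTEXT.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so consecutive requests reuse it like a container pool thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // Without the filter: alice logs in, then an unrelated client with no session arrives.
            Callable<String> aliceLogin = () -> handle("alice");
            Callable<String> stranger = () -> handle(null);
            String first = pool.submit(aliceLogin).get();
            String second = pool.submit(stranger).get();
            System.out.println("no filter:   " + first + ", then " + second);

            // With the filter: the stranger's request starts from its own (empty) session.
            Callable<String> aliceLoginFiltered = () -> handleFiltered(null, "alice");
            Callable<String> strangerFiltered = () -> handleFiltered(null, null);
            first = pool.submit(aliceLoginFiltered).get();
            second = pool.submit(strangerFiltered).get();
            System.out.println("with filter: " + first + ", then " + second);
        } finally {
            pool.shutdown();
        }
    }
}
```

In the unfiltered run the second client is reported under the first client's identity because nothing removed the value from the worker thread; in the filtered run it is reported as anonymous.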
