Hi,

The Wiki pages are editable by everyone. You just need to register an account. Feel free to improve any inconsistencies! Thanks!

On Thu, Oct 20, 2011 at 5:44 PM, Alexander Cherednichenko <[email protected]> wrote:
> Hi all.
>
> I have noticed an error in sample configuration on
> https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html ,
> Section 'Spring Security setup', sample web.xml.
>
> In this sample Spring securityFilterChainProxy is marked as optional, needed
> only to secure resources. This leads to the misconfiguration.
> If we do omit this filter, spring security would not be able to restore (and
> clear!) the SecurityContext in SecurityContextHolder on each request. This
> leads to pretty strange behavior.
>
> With the sample given, on the correct auth, Authentication object is set to
> the current thread-local SecurityContext immediately. As security filter is
> omitted, this context is NEVER cleared from the thread. As soon as you
> continue hitting the same thread of the servlet container, everything is OK,
> but as soon as server serves you with another thread you get unpredictable
> results. For instance showing random users' details after login.
>
> Also, with spring security 3 the default name of the filter for spring
> security should be 'springSecurityFilterChain', it is then linked to
> <security:http> spring element.
>
> Hope this helps!
> I am not subscribed to wicket mailing lists, so if you need some additional
> info please mail directly to this acct.
>
> Kindest regards,
> --
> Alexander Cherednichenko
>
> [ the only way out is the way up ]
>

--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
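
The failure mode reported in the quoted message, as an added example that is not part of the original thread and not Wicket or Spring Security code: a plain-Java model of a pooled worker thread whose thread-local context is never cleared, next to a filter-style wrapper that restores and clears it per request. The class `ContextLeakDemo`, the `HOLDER` and `SESSIONS` stand-ins, the session ids and the user name are all constructed for illustration.

```java
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextLeakDemo {
    // Stand-in for the thread-local behind SecurityContextHolder (constructed for this demo).
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
    // Stand-in for the per-session copy of the security context.
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    // Application code: a login writes to the holder; every request reads from it.
    static String handle(String sessionId, String loginAs) {
        if (loginAs != null) HOLDER.set(loginAs);
        return sessionId + " -> user=" + HOLDER.get();
    }

    // Filter-style wrapper: restore this session's context, run the request,
    // then save the context back to the session and clear the thread.
    static String filtered(String sessionId, String loginAs) {
        String saved = SESSIONS.get(sessionId);
        if (saved != null) HOLDER.set(saved);
        try {
            return handle(sessionId, loginAs);
        } finally {
            if (HOLDER.get() != null) SESSIONS.put(sessionId, HOLDER.get());
            HOLDER.remove();
        }
    }

    // session-A logs in as alice, then session-B (never logged in) is served by the same thread.
    static void run(boolean withFilter) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        try {
            Callable<String> a = () -> withFilter ? filtered("session-A", "alice") : handle("session-A", "alice");
            Callable<String> b = () -> withFilter ? filtered("session-B", null) : handle("session-B", null);
            System.out.println(worker.submit(a).get());
            System.out.println(worker.submit(b).get());
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        run(false); // no per-request cleanup: the thread keeps the previous request's context
        run(true);  // restore and clear around every request
    }
}
```

In the first run session-B is reported with session-A's user because the worker thread still holds the stale value; in the second run session-B has no user, since the wrapper removes the thread-local in its `finally` block.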
