In this case I think it would be enough if we use an atomic boolean and
if we change its value with compareAndSet.
Andrea.
On 08/09/2016 13:22, Sven Meier wrote:
Hi Martin,
how easy is it for the application to deal with this?
We could break some stuff by sprinkling 'synchronized' over Wicket's
session-handling methods now.
Regards
Sven
On 07.09.2016 14:59, Martin Grigorov wrote:
Hi,
Currently [1] uses a volatile boolean "signedIn" to control the state.
org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure()
tries to make use of it.
IMO this implementation is a bit weak. There are big windows this
state to
change in the meantime.
Usually this shouldn't be a big problem, the application will
authenticate
the same user twice.
But if the application does something in ISessionListener#onBind()
then it
becomes a problem [2].
Do you think this is a problem in Wicket or the applications should deal
with it?
1.
https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
2. https://issues.apache.org/jira/browse/ISIS-1481
Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov
