subject:"Evicting the page store to force Wicket to create a new instance of a page after using the back\-button"

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

2016-04-18 Thread Joachim Rohde

Strange, my reply on friday didn't make it to the mailing-list, so here once 
again:

Thanks to Thorsten Schöning & subes for their feedback, even though none of the 
suggestions worked for my case. But it
helped somehow to think about it from a different perspective. I was thinking 
way too complicated. (My solution is at
the end fo the mail).

@Thorsten:
The user is not the only criteria deciding the visibility. We have several 
links and a lot of them have additional
criteria depending on the state of the application. I am also aware of the 
discussion setVisible vs. isVisible. But on
our project we decided to use isVisible as long as there is no significant 
performance penalty.
Beside that after fixing the problem with the links, I could reproduce the 
problematic behaviour with other pages which
relied on the user-object.

@subes:
I tried also to call invalidate() in my signOut()-method which resulted in a 
stackoverflow since invalidate() calls
itself signout() which resulted in an endless loop.
And replaceSession() was also not helpful since Wicket tried to load the last 
page from the page store and render the
components which needed the user-object which was not there anymore.

How I fixed it:

In MySession I just check if the user is null and throw an PageExpiredException 
if it is.

   public User getUser() {
if (user == null) {
throw new PageExpiredException("No user available. Page seems to be 
expired.");
}
return user;
}

This way I'm always getting to the log-in page if the user-object does not 
exists. My initial thought was, to empty the
page store so that Wicket tries to create a new instance of the page and the 
AuthorizeInstantiation annotation would
have redirected to the login-page. Do not ask me why I was thinking so 
complicated in the beginning.

Have a nice weekend.

On 04/14/2016 03:35 PM, Joachim Rohde wrote:
> Hello,
> 
> short version of my question: how do I evict the page store to force Wicket 
> to create a new instance after using the
> back-button?
> 
> Longer version:
> 
> A user is redirected after login to my main page. On my main page I have 
> several links in onInitialize() which
> overwrites isVisible checking the role of the logged-in user, like this:
> 
> @AuthorizeInstantiation({MyRole.sAdmin})
> public abstract class AbstractSecureBasePage extends AbstractBasePage 
> implements ModelDetacher {
> [...]
> add(new Link("managementLink") {
> @Override
> public void onClick() {
> setResponsePage(Management.class);
> }
> 
> @Override
> public boolean isVisible() {
> return MySession.get().getUser().hasRole(MyRole.ADMIN);
> }
> });
> [...]
> }
> 
> My session:
> 
> public class MySession extends AuthenticatedWebSession {
> [...]
> @Override
> public void signOut() {
> 
> user = null;
> 
> final RequestCycle requestCycle = RequestCycle.get();
> 
> if (RequestCycle.get() != null && requestCycle.getRequest() != null
> && 
> ServletWebRequest.class.isAssignableFrom(RequestCycle.get().getRequest().getClass()))
>  {
> LOGGER.log(Level.FINE, "Invalidating HttpSession-object {0}",
> ((ServletWebRequest) 
> RequestCycle.get().getRequest()).getContainerRequest().getSession().getId());
> ((ServletWebRequest) 
> RequestCycle.get().getRequest()).getContainerRequest().getSession().invalidate();
> }
> super.signOut();
> }
> }
> 
> After the log-out the user is redirected back to the login-page. If the user 
> now click the browsers back button Wicket
> tries to fetch the last page from the page store and checks the links 
> visibility which will result in a
> NullPointerException due to the fact that getUser() returns null.
> 
> I attempted several solutions:
> 
> 1) Checking in every isVisible() if the user is null. This *does* work but I 
> have quite a lot of links and I would like
> to go with this solution only if I cannot find any other.
> 
> 2) Checking at the very beginning of onInitialize() if the user is null. This 
> does not work since the components are
> coming from the page store and onInitialize() is not called.
> 
> 3) Overwriting onBeforeRender() of the main page. This does not work since 
> it's only called if a component is visible.
> 
> 4) My next idea was, to empty the page store within my signOut-method.
> I tried several things:
>getApplication().getSessionStore().destroy();
>getPageManager().clear();
>getPageManager().destroy();
>getPageManager().commitRequest();
> None of them worked.
> 
> getPageManager().destroy(); provokes even a NullPointerException within 
> Wicket itself (after using the back-button):
> 
> java.lang.NullPointerException
>  at 
>

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

2016-04-15 Thread Joachim Rohde

Thanks to Thorsten Schöning & subes for their feedback, even though none of the 
suggestions worked for my case. But it
helped somehow to think about it from a different perspective. I was thinking 
way too complicated. (My solution is at
the end fo the mail).

@Thorsten:
The user is not the only criteria deciding the visibility. We have several 
links and a lot of them have additional
criteria depending on the state of the application. I am also aware of the 
discussion setVisible vs. isVisible. But on
our project we decided to use isVisible as long as there is no significant 
performance penalty.
Beside that after fixing the problem with the links, I could reproduce the 
problematic behaviour with other pages which
relied on the user-object.

@subes:
I tried also to call invalidate() in my signOut()-method which resulted in a 
stackoverflow since invalidate() calls
itself signout() which resulted in an endless loop.
And replaceSession() was also not helpful since Wicket tried to load the last 
page from the page store and render the
components which needed the user-object which was not there anymore.

How I fixed it:

In MySession I just check if the user is null and throw an PageExpiredException 
if it is.

   public User getUser() {
if (user == null) {
throw new PageExpiredException("No user available. Page seems to be 
expired.");
}
return user;
}

This way I'm always getting to the log-in page if the user-object does not 
exists. My initial thought was, to empty the
page store so that Wicket tries to create a new instance of the page and the 
AuthorizeInstantiation annotation would
have redirected to the login-page. Do not ask me why I was thinking so 
complicated in the beginning.

Have a nice weekend.

On 04/14/2016 03:35 PM, Joachim Rohde wrote:
> Hello,
> 
> short version of my question: how do I evict the page store to force Wicket 
> to create a new instance after using the
> back-button?
> 
> Longer version:
> 
> A user is redirected after login to my main page. On my main page I have 
> several links in onInitialize() which
> overwrites isVisible checking the role of the logged-in user, like this:
> 
> @AuthorizeInstantiation({MyRole.sAdmin})
> public abstract class AbstractSecureBasePage extends AbstractBasePage 
> implements ModelDetacher {
> [...]
> add(new Link("managementLink") {
> @Override
> public void onClick() {
> setResponsePage(Management.class);
> }
> 
> @Override
> public boolean isVisible() {
> return MySession.get().getUser().hasRole(MyRole.ADMIN);
> }
> });
> [...]
> }
> 
> My session:
> 
> public class MySession extends AuthenticatedWebSession {
> [...]
> @Override
> public void signOut() {
> 
> user = null;
> 
> final RequestCycle requestCycle = RequestCycle.get();
> 
> if (RequestCycle.get() != null && requestCycle.getRequest() != null
> && 
> ServletWebRequest.class.isAssignableFrom(RequestCycle.get().getRequest().getClass()))
>  {
> LOGGER.log(Level.FINE, "Invalidating HttpSession-object {0}",
> ((ServletWebRequest) 
> RequestCycle.get().getRequest()).getContainerRequest().getSession().getId());
> ((ServletWebRequest) 
> RequestCycle.get().getRequest()).getContainerRequest().getSession().invalidate();
> }
> super.signOut();
> }
> }
> 
> After the log-out the user is redirected back to the login-page. If the user 
> now click the browsers back button Wicket
> tries to fetch the last page from the page store and checks the links 
> visibility which will result in a
> NullPointerException due to the fact that getUser() returns null.
> 
> I attempted several solutions:
> 
> 1) Checking in every isVisible() if the user is null. This *does* work but I 
> have quite a lot of links and I would like
> to go with this solution only if I cannot find any other.
> 
> 2) Checking at the very beginning of onInitialize() if the user is null. This 
> does not work since the components are
> coming from the page store and onInitialize() is not called.
> 
> 3) Overwriting onBeforeRender() of the main page. This does not work since 
> it's only called if a component is visible.
> 
> 4) My next idea was, to empty the page store within my signOut-method.
> I tried several things:
>getApplication().getSessionStore().destroy();
>getPageManager().clear();
>getPageManager().destroy();
>getPageManager().commitRequest();
> None of them worked.
> 
> getPageManager().destroy(); provokes even a NullPointerException within 
> Wicket itself (after using the back-button):
> 
> java.lang.NullPointerException
>  at 
> org.apache.wicket.page.PageStoreManager$SessionEntry.getPage(PageStoreManager.java:203)
>  at 
>

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

2016-04-14 Thread Thorsten Schöning

Guten Tag Joachim Rohde,
am Donnerstag, 14. April 2016 um 15:35 schrieben Sie:

> 1) Checking in every isVisible() if the user is null. This *does*
> work but I have quite a lot of links and I would like
> to go with this solution only if I cannot find any other.
[...]
> Long story short: is there a more elegant solution to my problem
> than the first solution that I've tried?

I'm implementing a similar approach like you and am simply using a
custom base class for my links which need to be visible by some
criteria only. In this base class you can take a missing user object
because of no session into account at exactly one place. Your role
as the only deciding criteria for visibility or not could easily be
propagated using a CTOR or such.

Additionally, you should not override isVisible, but onConfigure
instead and call setVisible as needed.

Mit freundlichen Grüßen,

Thorsten Schöning

-- 
Thorsten Schöning   E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme  http://www.AM-SoFT.de/

Telefon...05151-  9468- 55
Fax...05151-  9468- 88
Mobil..0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Geschäftsführer: Andreas Muchow


-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

2016-04-14 Thread subes

Or you are just missing a call to "Session.get().invalidate()" despite
calling "((ServletWebRequest) RequestCycle.get().getRequest(
)).getContainerRequest().getSession().invalidate();" on logout.

2016-04-14 15:59 GMT+02:00 subes :

> Hi,
>
> I had a similar problem while developing the model aware page cache in the
> NoWicket framework. I used a page factory wrapper to control when a new
> page or an old page is required.
>
> https://github.com/subes/invesdwin-nowicket/blob/master/invesdwin-nowicket-parent/invesdwin-nowicket/src/main/java/de/invesdwin/nowicket/application/filter/internal/ModelCacheUsingPageFactory.java
>
> Dunno if it completely matches your requirement, but I remember that
> fiddling with the PageStore directly was to no avail, so I had to get to a
> step before the page store was queried.
>
> Though since you are talking about login, maybe you are missing the
> creation of a fresh session upon login?
>
> See signIn method here:
> https://github.com/subes/invesdwin-nowicket/blob/master/invesdwin-nowicket-parent/invesdwin-nowicket/src/main/java/de/invesdwin/nowicket/application/auth/AWebSession.java
> Which calls "Session.get().replaceSession()" to start from fresh and thus
> get a new page instance on next request. It is a good idea regarding
> security to replace the session on signIn/signOut to prevent data leaks.
>
> Best regards,
> Edwin
>
> 2016-04-14 15:35 GMT+02:00 Joachim Rohde :
>
>> Hello,
>>
>> short version of my question: how do I evict the page store to force
>> Wicket to create a new instance after using the
>> back-button?
>>
>> Longer version:
>>
>> A user is redirected after login to my main page. On my main page I have
>> several links in onInitialize() which
>> overwrites isVisible checking the role of the logged-in user, like this:
>>
>> @AuthorizeInstantiation({MyRole.sAdmin})
>> public abstract class AbstractSecureBasePage extends AbstractBasePage
>> implements ModelDetacher {
>> [...]
>> add(new Link("managementLink") {
>> @Override
>> public void onClick() {
>> setResponsePage(Management.class);
>> }
>>
>> @Override
>> public boolean isVisible() {
>> return
>> MySession.get().getUser().hasRole(MyRole.ADMIN);
>> }
>> });
>> [...]
>> }
>>
>> My session:
>>
>> public class MySession extends AuthenticatedWebSession {
>> [...]
>> @Override
>> public void signOut() {
>>
>> user = null;
>>
>> final RequestCycle requestCycle = RequestCycle.get();
>>
>> if (RequestCycle.get() != null && requestCycle.getRequest() !=
>> null
>> &&
>> ServletWebRequest.class.isAssignableFrom(RequestCycle.get().getRequest().getClass()))
>> {
>> LOGGER.log(Level.FINE, "Invalidating HttpSession-object {0}",
>> ((ServletWebRequest)
>> RequestCycle.get().getRequest()).getContainerRequest().getSession().getId());
>> ((ServletWebRequest)
>> RequestCycle.get().getRequest()).getContainerRequest().getSession().invalidate();
>> }
>> super.signOut();
>> }
>> }
>>
>> After the log-out the user is redirected back to the login-page. If the
>> user now click the browsers back button Wicket
>> tries to fetch the last page from the page store and checks the links
>> visibility which will result in a
>> NullPointerException due to the fact that getUser() returns null.
>>
>> I attempted several solutions:
>>
>> 1) Checking in every isVisible() if the user is null. This *does* work
>> but I have quite a lot of links and I would like
>> to go with this solution only if I cannot find any other.
>>
>> 2) Checking at the very beginning of onInitialize() if the user is null.
>> This does not work since the components are
>> coming from the page store and onInitialize() is not called.
>>
>> 3) Overwriting onBeforeRender() of the main page. This does not work
>> since it's only called if a component is visible.
>>
>> 4) My next idea was, to empty the page store within my signOut-method.
>> I tried several things:
>>getApplication().getSessionStore().destroy();
>>getPageManager().clear();
>>getPageManager().destroy();
>>getPageManager().commitRequest();
>> None of them worked.
>>
>> getPageManager().destroy(); provokes even a NullPointerException within
>> Wicket itself (after using the back-button):
>>
>> java.lang.NullPointerException
>>  at
>> org.apache.wicket.page.PageStoreManager$SessionEntry.getPage(PageStoreManager.java:203)
>>  at
>> org.apache.wicket.page.PageStoreManager$PersistentRequestAdapter.getPage(PageStoreManager.java:357)
>>  at
>> org.apache.wicket.page.AbstractPageManager.getPage(AbstractPageManager.java:82)
>>  at
>> org.apache.wicket.page.PageManagerDecorator.getPage(PageManagerDecorator.java:50)
>>  at
>>

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

2016-04-14 Thread subes

Hi,

I had a similar problem while developing the model aware page cache in the
NoWicket framework. I used a page factory wrapper to control when a new
page or an old page is required.
https://github.com/subes/invesdwin-nowicket/blob/master/invesdwin-nowicket-parent/invesdwin-nowicket/src/main/java/de/invesdwin/nowicket/application/filter/internal/ModelCacheUsingPageFactory.java

Dunno if it completely matches your requirement, but I remember that
fiddling with the PageStore directly was to no avail, so I had to get to a
step before the page store was queried.

Though since you are talking about login, maybe you are missing the
creation of a fresh session upon login?

See signIn method here:
https://github.com/subes/invesdwin-nowicket/blob/master/invesdwin-nowicket-parent/invesdwin-nowicket/src/main/java/de/invesdwin/nowicket/application/auth/AWebSession.java
Which calls "Session.get().replaceSession()" to start from fresh and thus
get a new page instance on next request. It is a good idea regarding
security to replace the session on signIn/signOut to prevent data leaks.

Best regards,
Edwin

2016-04-14 15:35 GMT+02:00 Joachim Rohde :

> Hello,
>
> short version of my question: how do I evict the page store to force
> Wicket to create a new instance after using the
> back-button?
>
> Longer version:
>
> A user is redirected after login to my main page. On my main page I have
> several links in onInitialize() which
> overwrites isVisible checking the role of the logged-in user, like this:
>
> @AuthorizeInstantiation({MyRole.sAdmin})
> public abstract class AbstractSecureBasePage extends AbstractBasePage
> implements ModelDetacher {
> [...]
> add(new Link("managementLink") {
> @Override
> public void onClick() {
> setResponsePage(Management.class);
> }
>
> @Override
> public boolean isVisible() {
> return MySession.get().getUser().hasRole(MyRole.ADMIN);
> }
> });
> [...]
> }
>
> My session:
>
> public class MySession extends AuthenticatedWebSession {
> [...]
> @Override
> public void signOut() {
>
> user = null;
>
> final RequestCycle requestCycle = RequestCycle.get();
>
> if (RequestCycle.get() != null && requestCycle.getRequest() != null
> &&
> ServletWebRequest.class.isAssignableFrom(RequestCycle.get().getRequest().getClass()))
> {
> LOGGER.log(Level.FINE, "Invalidating HttpSession-object {0}",
> ((ServletWebRequest)
> RequestCycle.get().getRequest()).getContainerRequest().getSession().getId());
> ((ServletWebRequest)
> RequestCycle.get().getRequest()).getContainerRequest().getSession().invalidate();
> }
> super.signOut();
> }
> }
>
> After the log-out the user is redirected back to the login-page. If the
> user now click the browsers back button Wicket
> tries to fetch the last page from the page store and checks the links
> visibility which will result in a
> NullPointerException due to the fact that getUser() returns null.
>
> I attempted several solutions:
>
> 1) Checking in every isVisible() if the user is null. This *does* work but
> I have quite a lot of links and I would like
> to go with this solution only if I cannot find any other.
>
> 2) Checking at the very beginning of onInitialize() if the user is null.
> This does not work since the components are
> coming from the page store and onInitialize() is not called.
>
> 3) Overwriting onBeforeRender() of the main page. This does not work since
> it's only called if a component is visible.
>
> 4) My next idea was, to empty the page store within my signOut-method.
> I tried several things:
>getApplication().getSessionStore().destroy();
>getPageManager().clear();
>getPageManager().destroy();
>getPageManager().commitRequest();
> None of them worked.
>
> getPageManager().destroy(); provokes even a NullPointerException within
> Wicket itself (after using the back-button):
>
> java.lang.NullPointerException
>  at
> org.apache.wicket.page.PageStoreManager$SessionEntry.getPage(PageStoreManager.java:203)
>  at
> org.apache.wicket.page.PageStoreManager$PersistentRequestAdapter.getPage(PageStoreManager.java:357)
>  at
> org.apache.wicket.page.AbstractPageManager.getPage(AbstractPageManager.java:82)
>  at
> org.apache.wicket.page.PageManagerDecorator.getPage(PageManagerDecorator.java:50)
>  at
> org.apache.wicket.page.PageAccessSynchronizer$2.getPage(PageAccessSynchronizer.java:246)
>  at
> org.apache.wicket.DefaultMapperContext.getPageInstance(DefaultMapperContext.java:113)
>  at
> org.apache.wicket.core.request.handler.PageProvider.getStoredPage(PageProvider.java:299)
>  at
> org.apache.wicket.core.request.handler.PageProvider.isNewPageInstance(PageProvider.java:211)
>  at
>

Evicting the page store to force Wicket to create a new instance of a page after using the back-button

2016-04-14 Thread Joachim Rohde

Hello,

short version of my question: how do I evict the page store to force Wicket to 
create a new instance after using the
back-button?

Longer version:

A user is redirected after login to my main page. On my main page I have 
several links in onInitialize() which
overwrites isVisible checking the role of the logged-in user, like this:

@AuthorizeInstantiation({MyRole.sAdmin})
public abstract class AbstractSecureBasePage extends AbstractBasePage 
implements ModelDetacher {
[...]
add(new Link("managementLink") {
@Override
public void onClick() {
setResponsePage(Management.class);
}

@Override
public boolean isVisible() {
return MySession.get().getUser().hasRole(MyRole.ADMIN);
}
});
[...]
}

My session:

public class MySession extends AuthenticatedWebSession {
[...]
@Override
public void signOut() {

user = null;

final RequestCycle requestCycle = RequestCycle.get();

if (RequestCycle.get() != null && requestCycle.getRequest() != null
&& 
ServletWebRequest.class.isAssignableFrom(RequestCycle.get().getRequest().getClass()))
 {
LOGGER.log(Level.FINE, "Invalidating HttpSession-object {0}",
((ServletWebRequest) 
RequestCycle.get().getRequest()).getContainerRequest().getSession().getId());
((ServletWebRequest) 
RequestCycle.get().getRequest()).getContainerRequest().getSession().invalidate();
}
super.signOut();
}
}

After the log-out the user is redirected back to the login-page. If the user 
now click the browsers back button Wicket
tries to fetch the last page from the page store and checks the links 
visibility which will result in a
NullPointerException due to the fact that getUser() returns null.

I attempted several solutions:

1) Checking in every isVisible() if the user is null. This *does* work but I 
have quite a lot of links and I would like
to go with this solution only if I cannot find any other.

2) Checking at the very beginning of onInitialize() if the user is null. This 
does not work since the components are
coming from the page store and onInitialize() is not called.

3) Overwriting onBeforeRender() of the main page. This does not work since it's 
only called if a component is visible.

4) My next idea was, to empty the page store within my signOut-method.
I tried several things:
   getApplication().getSessionStore().destroy();
   getPageManager().clear();
   getPageManager().destroy();
   getPageManager().commitRequest();
None of them worked.

getPageManager().destroy(); provokes even a NullPointerException within Wicket 
itself (after using the back-button):

java.lang.NullPointerException
 at 
org.apache.wicket.page.PageStoreManager$SessionEntry.getPage(PageStoreManager.java:203)
 at 
org.apache.wicket.page.PageStoreManager$PersistentRequestAdapter.getPage(PageStoreManager.java:357)
 at 
org.apache.wicket.page.AbstractPageManager.getPage(AbstractPageManager.java:82)
 at 
org.apache.wicket.page.PageManagerDecorator.getPage(PageManagerDecorator.java:50)
 at 
org.apache.wicket.page.PageAccessSynchronizer$2.getPage(PageAccessSynchronizer.java:246)
 at 
org.apache.wicket.DefaultMapperContext.getPageInstance(DefaultMapperContext.java:113)
 at 
org.apache.wicket.core.request.handler.PageProvider.getStoredPage(PageProvider.java:299)
 at 
org.apache.wicket.core.request.handler.PageProvider.isNewPageInstance(PageProvider.java:211)
 at 
org.apache.wicket.core.request.mapper.AbstractBookmarkableMapper.processHybrid(AbstractBookmarkableMapper.java:261)
 at 
org.apache.wicket.core.request.mapper.AbstractBookmarkableMapper.mapRequest(AbstractBookmarkableMapper.java:365)
 at 
org.apache.wicket.request.mapper.CompoundRequestMapper.mapRequest(CompoundRequestMapper.java:150)
 at 
org.apache.wicket.request.cycle.RequestCycle.resolveRequestHandler(RequestCycle.java:189)
 at 
org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:219)
 at 
org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293)
 at 
org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261)
 at 
org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
 at 
org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284)
[...]

Line 203 of the PageStoreManager looks like:

// not found, ask pagestore for the page
return getPageStore().getPage(sessionId, id);

I am not sure if here should be a null-check on getPageStore (since I have no 
clue what should be returned if
getPageStore() returns null).

Long story short: is there a more elegant solution to my problem than the first 
solution that I've tried?
I had the hope I could

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

Re: Evicting the page store to force Wicket to create a new instance of a page after using the back-button

Evicting the page store to force Wicket to create a new instance of a page after using the back-button

6 matches

Site Navigation

Mail list logo

Footer information