OK, I upgraded to 1.3.4 and now I remember what was broken for me. Some of my pages are having the wrong relative path prepended to them. Upon further inspection, line 184 of ServletWebRequest is not matching due to an encoding issue where
path = jspfs/legacyUrl/peerReview/pr_start.jsp serveltPath = /jspfs/legacyUrl/peerReview%2Fpr_start.jsp I read up on WICKET-1624 and WICKET-1627 because it was referenced in the code, but I am not sure where to go from here. Johan Compagner wrote: > > onBeginRequest of your RequestCycle or something like that > > but first try to upgrade > > On Fri, Aug 15, 2008 at 4:50 PM, ChuckDeal <[EMAIL PROTECTED]> wrote: > >> >> Sorry, you had asked some questions too: >> >> I had not verified that it was the same httpsession. it just seemed to be >> the same wicket session. Where would you recommend to print the session >> id >> (i'm guessing httpsession id?)? >> >> >> Johan Compagner wrote: >> > >> > do you really see the same httpsession instance? >> > or just the wicket session instance? >> > >> > Can you print out the session ids? >> > >> > But first upgrade to 1.3.4: >> > >> > The Apache Wicket team is proud to announce the availability of the >> fourth >> > maintenance release: Apache Wicket 1.3.4. A lot of bugs have been >> squashed >> > and >> > several improvements implemented. Two noteworthy bugs have been >> squashed: >> > >> > - cross session leakage due to a dangling thread local in >> exceptional >> > circumstances >> > - memory leak in localizer (WICKET-1667) >> > >> > johan >> > >> > >> > >> > On Fri, Aug 15, 2008 at 4:29 PM, ChuckDeal <[EMAIL PROTECTED]> wrote: >> > >> >> >> >> Wicket 1.3.3 >> >> >> >> I am going to attempt to describe what I have experienced in the hopes >> >> that >> >> a core dev can point me in the right direction. >> >> >> >> The background: We previously had a complete JSP system in place. We >> >> decided to use the Wicket framework, but could not convert the entire >> >> system >> >> at once, so the foundation is now wicket with a few of its pieces in >> >> Wicket, >> >> but much of the legacy system is accessed thorugh a technique the Al >> Maw >> >> posted whereby the legacy url is captured then redirected into a >> Wicket >> >> page >> >> hosting an IFrame, which then loads the original URL. All of the pure >> >> Wicket pages are mounted using the HybridUrlCodingStrategy, except for >> >> the >> >> Wicket page that acts as the legacy interface, which is the standard >> >> BookmarkablePageRequestTargetUCS. We use the wicket-auth module for >> >> authentication (with Databinder), so the user (user_id) is stored in >> the >> >> WebSession. >> >> >> >> The problem: It seems that when two users enter the system, there is >> a >> >> scenario where the second user "becomes" the first user. Both users >> >> login >> >> through a Wicket Page, which deposits them on a wicket page. If user1 >> go >> >> to >> >> a legacy URL, then the next wicket page that user2 visits changes to >> >> user1's >> >> session. This can be observed because we display the logged in user >> on >> >> each >> >> page and the name changes. >> >> >> >> My working theory is that it has something to do with loading a >> >> serialized >> >> page from disk. We are using JDK serialization and the std >> >> SecondLevelCache/DiskPageStore session store. Can a dev verify that >> the >> >> Session is serialized with a Page? How on earth is one user loading >> >> another's serialized Page from disk? Has anyone experienced this? >> How >> >> can >> >> I prevent this? Obviously, this is a serious issue for us because >> this >> >> defeats user security. >> >> >> >> Chuck >> >> -- >> >> View this message in context: >> >> http://www.nabble.com/session-%22jumping%22--tp18999615p18999615.html >> >> Sent from the Wicket - User mailing list archive at Nabble.com. >> >> >> >> >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> >> >> >> > >> > >> >> -- >> View this message in context: >> http://www.nabble.com/session-%22jumping%22--tp18999615p18999966.html >> Sent from the Wicket - User mailing list archive at Nabble.com. >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > > -- View this message in context: http://www.nabble.com/session-%22jumping%22--tp18999615p19002132.html Sent from the Wicket - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
