All -
     I am trying to invalidate an authenticated session as a way of logging
a user out and am having some trouble doing so. I'm doing the following:

add(new Link("logout") {
    public void onClick() {
        getSession().invalidate();
        getRequestCycle().setRedirect(true);
        setResponsePage(Logout.class);
    }
});

The response page just informs the user that they are logged out and
provides a hard link back to the login page.
However, this solution doesn't seem to be killing the session. I am able to
go right back into the app and start using it without logging back in.
I'm a n00b when it comes to security, so I could be doing something wrong
outside of Wicket.

For some more context: Wicket isn't really touching the authentication
process (which is why I wonder if this has anything to do with Wicket). I'm
using declarative security through the deployment descriptor and web.xml to
handle the authentication and authorization (for now). The user logs in
through a static page with a form which posts to j_security_check and if
successful, redirects to the app.

Any ideas on what I could be doing wrong?

Thanks!

Zak
