> > For some more context: Wicket isn't really touching the authentication > process (which is why I wonder if this has anything to do with wicket). I'm > using declarative security through the deployment descriptor and web.xml to > handle the authentication and authorization (for now). The user logs in > through a static page with a form which posts to j_security_check and if > successful, redirects to the app. > > Any ideas on what I could be doing wrong? > > Thanks! > > Zak >
If your pages or application aren't enforcing authentication or authorization, invalidating the session as you do won't prevent your pages from rendering. Check out this example: http://www.wicket-library.com/wicket-examples/authorization/ Ultimately, you'll probably want to role you own session and add methods to the your application to return the login page and the unauthorized page, etc. Ed. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
