Well, shoot. I was hoping to avoid that for the time being, but I was afraid I would have to do it for a real logoff to work. I could always throw in some JavaScript to close the current browser and open a new one with the login page ;)
Thanks Ed,
Zak

On Tue, Dec 15, 2009 at 8:37 PM, Edward Zarecor <[email protected]> wrote:

> > For some more context: Wicket isn't really touching the authentication
> > process (which is why I wonder if this has anything to do with wicket). I'm
> > using declarative security through the deployment descriptor and web.xml to
> > handle the authentication and authorization (for now). The user logs in
> > through a static page with a form which posts to j_security_check and if
> > successful, redirects to the app.
> >
> > Any ideas on what I could be doing wrong?
> >
> > Thanks!
> >
> > Zak
>
> If your pages or application aren't enforcing authentication or
> authorization, invalidating the session as you do won't prevent your
> pages from rendering.
>
> Check out this example:
> http://www.wicket-library.com/wicket-examples/authorization/
>
> Ultimately, you'll probably want to roll your own session and add
> methods to your application to return the login page and the
> unauthorized page, etc.
>
> Ed.
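
The approach Ed describes, sketched as an added example that is not code from this thread or from the linked Wicket examples: the application installs an authorization strategy that is consulted before a protected page is instantiated, so an invalidated session is sent to the sign-in page instead of rendering. It assumes Apache Wicket 1.4.x; every class name below is hypothetical, and the credential check on the sign-in page is out of scope.

```java
// Added example, assuming Apache Wicket 1.4.x; all class names are hypothetical.
// Each page class also needs its matching markup file (e.g. HomePage.html).
import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.Response;
import org.apache.wicket.Session;
import org.apache.wicket.authorization.strategies.page.SimplePageAuthorizationStrategy;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebSession;

public class SecuredApplication extends WebApplication {

    /** Session state that says whether this browser session has signed in. */
    public static class AppSession extends WebSession {
        private volatile String user;           // null until sign-in succeeds
        public AppSession(Request request) { super(request); }
        public boolean isSignedIn() { return user != null; }
        public void signIn(String name) { user = name; }
    }

    /** Every page that must not render for an anonymous session extends this. */
    public abstract static class SecurePage extends WebPage { }

    /** Sign-in page; its form calls AppSession.signIn once credentials check out. */
    public static class SignInPage extends WebPage { }

    public static class HomePage extends SecurePage {
        public HomePage() {
            add(new Link<Void>("logout") {
                @Override public void onClick() {
                    getSession().invalidate();         // drop the signed-in session
                    setResponsePage(SignInPage.class); // next request starts anonymous
                }
            });
        }
    }

    @Override protected void init() {
        super.init();
        // Consulted before any SecurePage subclass is instantiated; a failed
        // check redirects to SignInPage instead of rendering the page.
        getSecuritySettings().setAuthorizationStrategy(
            new SimplePageAuthorizationStrategy(SecurePage.class, SignInPage.class) {
                @Override protected boolean isAuthorized() {
                    return ((AppSession) Session.get()).isSignedIn();
                }
            });
    }

    @Override public Session newSession(Request request, Response response) {
        return new AppSession(request);
    }

    @Override public Class<? extends Page> getHomePage() { return HomePage.class; }
}
```

Because the replacement session created after `invalidate()` has no user, a bookmarked or back-button request for `HomePage` fails `isAuthorized()` and lands on the sign-in page.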
