I'm using Wicket 1.5-SNAPSHOT along with Shiro for
authentication/authorization security, and when an unauthorized user tries
to go to a page, Shiro calls redirectToInterceptPage behind the scenes, and
during the login process, after a successful login, there is code that says:

if (!continueToOriginalDestination()) {




It is working in the sense that if a user gets redirected to login, they are
taken to the correct destination afterwards, and if a user just clicks the
login link in a new browser they are redirected to the homepage after login.


BUT, the problem is, if an initial user tries to go to a protected page,
gets redirected to the login, logs in, and then logs out, and then, without
closing the browser, clicks the login link and logs in with the same user
again or even another user, it still redirects to the prior "original"
destination, which should no longer take effect. I would think that this
should be forgotten upon logging out, which replaces the Wicket session

Session session = Session.get();



I think I must be misunderstanding how continueToOriginalDestination is
working - I thought it was placing the original destination URL into the
user's session, which is why I figured that after the login which redirects,
followed by the logout which replaces the session, it would be gone.


Can someone please explain what I'm thinking about wrongly here and why the
destination is being retained across multiple logins? Also, how can I avoid
this so that the original destination is only used the first time? Btw,
just to be clear, if I log out and then click to a new protected URL, the
"original destination" value is properly replaced with the new protected
destination which redirects back to the intercept page.  The problem is only
if I click directly to the login page without a new intercept, but after
having previously utilized the continueToOriginalDestination in the prior

Thanks very much for any help!

