wicket-auth-roles is actually an example of the IAuthenticationStrategy
and IAuthorizationStrategy interfaces.
Most of the people that use it actually just see how it works and
copy/paste the related parts of it and later extend them with their
specific business logic.

afaik it uses a "rememberMe" cookie but it is removed when you log out.
Put a breakpoint in CookieUtils#remove(String) and you will see
whether this really happens. Another interesting point is
AuthenticatedWebSession#invalidate().
You can also use Firebug/Dev utils to see what cookies are left after
logout and whether they are sent with the next request and used to log
you in.

On Mon, Jun 25, 2012 at 2:38 PM, Tom Eugelink <[email protected]> wrote:
> Ok. The actual problem I have is that wicket auth keeps logging in
> automatically. This is a side effect of a.o. BASIC authentication (not sure
> if that is used in this case, but the behavior is similar) which sends the
> login credentials with every request, even if you have logged out in the
> meantime. To enforce a new login via the login page, one usually places
> some marker in the session telling the authenticator class that it should
> not accept the current credentials until a valid login page submit was done.
> But since Wicket keeps doing things to the session, I'm not able to get this
> marker to work.
>
> Are there any people using auth and that are able to fully log out?
>
> Tom
>
>
>
> On 2012-06-25 13:29, Martin Grigorov wrote:
>>
>> Hi Tom,
>>
>> I agree with your vision.
>> But since Wicket is a framework around the Servlet API we call
>> HttpSession.invalidate(). This triggers some web container internal
>> workings and at some point Wicket is called back (see
>> javax.servlet.http.HttpSessionListener/HttpSessionBindingListener) and
>> Wicket clears everything that it added to this session.
>> What happens with this session later is not our business. It may be
>> torn down or recycled, we really don't care. Next time we need to
>> store something in the http session we just call:
>> httpRequest.getSession(true) and use it.
>>
>> I know you use recent version of Wicket (6.x ?) and there are no
>> pagemaps since Wicket 1.5.0 but if you find that anything leaks then
>> it is a bug and it should be fixed.
>>
>> On Sat, Jun 23, 2012 at 11:31 AM, Tom Eugelink <[email protected]> wrote:
>>>
>>> Which means that upon logout, these values should be removed / cleared. A
>>> session does not represent a user, it is a construct to bind request, no
>>> more no less. All other usages are bolted on and should be bolted off.
>>> You
>>> don't tear down the house, just because you are moving.
>>>
>>> Tom
>>>
>>>
>>> On 2012-06-23 10:18, Bert wrote:
>>>>
>>>> But Wicket also stores the page map in the session to support back
>>>> button functionality. If you only change the status, then the user
>>>> could possibly (depending on how you construct your page) go back
>>>> after the logout and see the last pages.
>>>>
>>>> This could be a problem on public computers.
>>>>
>>>> You could also see a session as representing a user, not a browser.
>>>> Then, invalidating the session on logout makes perfect sense to me.
>>>>
>>>> regards
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>
>>
>



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
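To make the logout path Martin describes concrete, here is an added example (not code from this thread, and not part of wicket-auth-roles itself) of an AuthenticatedWebSession subclass whose logout() removes the persistent-login cookie, clears Wicket's signed-in flag, and invalidates the HttpSession in one place, plus a server-side version of the "what cookies are left after logout" check. Assumptions: the cookie is named "rememberMe" as in the thread (the real name depends on the IAuthenticationStrategy configured in the application); the class name LogoutAwareSession and the in-memory SAMPLE_USERS map are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;
import org.apache.wicket.util.cookies.CookieUtils;

/**
 * AuthenticatedWebSession subclass whose logout() clears every piece of
 * login state discussed in the thread: the persistent "rememberMe" cookie,
 * Wicket's own signed-in flag, and the underlying HttpSession.
 */
public class LogoutAwareSession extends AuthenticatedWebSession {

    // Assumption: the persistent-login cookie is called "rememberMe" (the name
    // used in the thread); the real name depends on the IAuthenticationStrategy
    // configured in the application.
    static final String REMEMBER_ME_COOKIE = "rememberMe";

    // Constructed sample credentials for this example only; a real
    // application would consult its user store instead.
    private static final Map<String, String> SAMPLE_USERS = new HashMap<>();
    static {
        SAMPLE_USERS.put("alice", "correct horse battery staple");
    }

    private String username;

    public LogoutAwareSession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        String expected = SAMPLE_USERS.get(username);
        if (expected == null || password == null) {
            return false;
        }
        // Constant-time comparison so a failed login leaks nothing through timing.
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            this.username = username;
        }
        return ok;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }

    public String getUsername() {
        return username;
    }

    /**
     * Full logout. The cookie is removed while the response is still being
     * built, and the HttpSession is invalidated immediately (invalidateNow)
     * rather than at the end of the request, so nothing written later in
     * this request survives in the old session.
     */
    public void logout() {
        new CookieUtils().remove(REMEMBER_ME_COOKIE); // drops the persistent-login cookie
        username = null;
        signOut();                                    // clears Wicket's signed-in flag
        invalidateNow();                              // HttpSession.invalidate() underneath
    }

    /**
     * The check Martin suggests doing in the browser's dev tools, done on the
     * server: true if the current request still carries the persistent-login
     * cookie, i.e. the removal above did not take effect in the browser.
     */
    public boolean rememberMeCookiePresent() {
        return new CookieUtils().load(REMEMBER_ME_COOKIE) != null;
    }
}
```

A logout Link's onClick() would call `((LogoutAwareSession) getSession()).logout()` and then `setResponsePage(HomePage.class)`; on the next request, rememberMeCookiePresent() should return false. This covers the cookie-based case from Martin's message only: with HTTP BASIC authentication as Tom describes, the browser resends the Authorization header on every request regardless of server-side state, so neither the cookie removal nor a marker stored in the now-invalidated session can stop the re-login.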
