Hi all,

I am using Wicket 1.5.8 with wicket-auth and I came across the following
problem.

I have implemented a MyWebSession extends AuthenticatedWebSession with my
own authentication, and a login page with the default loginpanel with the
remember option enabled.

All of my pages are showing the logged on user's username on the top right,
fetched by MyWebSession.get().getUsername()

Now, if a user has saved their credentials (remember me), and they try to
access a private page without logging in, the user is redirected to the
login page, they are automatically authenticated by the cookie, and then
redirected to the original page. Their username is correctly shown on the
top right.

However, if the user accesses an unprotected page, their username is not
shown on the top right, because wicket does not try to authenticate the
user via the login page. Even adding a component with
@AuthorizeAction(action=Action.Render) to the page did not cause the user
to be authenticated.

To fix this, I had to copy the following code from LoginPanel to
MyWebSession's constructor:

    IAuthenticationStrategy authenticationStrategy =
        getApplication().getSecuritySettings().getAuthenticationStrategy();
    // get username and password from persistence store
    String[] data = authenticationStrategy.load();

    if ((data != null) && (data.length > 1)) {
        if (!signIn(data[0], data[1])) {
            authenticationStrategy.remove();
        }
    }

Two questions:
1) Is this the right approach to do this?
2) Shouldn't this be the default behavior or at least a behavior that can
be activated on the AuthenticatedWebSession without having to explicitly
add code to call wicket-auth internals?

Thanks in advance,
Marios
