Hi,

The wicket-auth-roles module was designed and advertised as an example rather than an extension for security best practices. But I agree with you that we could add that feature there. Please create a ticket at JIRA. Preferably with a patch or pull request at GitHub. Thank you!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Nov 24, 2014 at 10:55 AM, Thorsten Schöning <[email protected]> wrote:

> Hi all,
>
> while implementing the login in my current project I came across
> WICKET-1767[1] which deals with session fixation problems, but to my
> surprise it looks like the newly created method is not called
> automatically by Wicket. If I search the code base for
> "replaceSession(" I only get one result, the method itself.
>
> Is there any reason why Wicket doesn't call the method automatically?
> Looks to me like AuthenticatedWebSession.signIn would be a good place
> to call it automatically. When should I call it instead, at the
> beginning of AuthenticatedWebSession.authenticate? This would prevent
> session fixation even if an exception got thrown during the authentication
> itself for any reason.
>
> [1]: https://issues.apache.org/jira/browse/WICKET-1767
>
> Best regards,
>
> Thorsten Schöning
>
> --
> Thorsten Schöning E-Mail: [email protected]
> AM-SoFT IT-Systeme http://www.AM-SoFT.de/
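
The placement asked about in the quoted message, as an added example that is not part of the original thread and not Wicket's own code: a session subclass that calls `replaceSession()` at the start of `authenticate()`. The class name `FixationSafeSession`, the `checkCredentials` helper and the demo credentials are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

// Hypothetical application session for this example (not Wicket's own code).
public class FixationSafeSession extends AuthenticatedWebSession {
    private static final long serialVersionUID = 1L;

    // Constructed demo credentials; a real application queries its user store.
    private static final String DEMO_USER = "demo";
    private static final byte[] DEMO_PASSWORD =
        "constructed-sample".getBytes(StandardCharsets.UTF_8);

    public FixationSafeSession(Request request) {
        super(request);
    }

    // signIn() delegates to authenticate(). Declared public so the override
    // is valid whether the base class declares it public or protected.
    @Override
    public boolean authenticate(String username, String password) {
        // Invalidate the pre-login HTTP session and bind a new one first, so a
        // session id known before login is gone even if the check below throws.
        replaceSession();
        return checkCredentials(username, password);
    }

    // Hypothetical helper: compares against the constructed demo account.
    private boolean checkCredentials(String username, String password) {
        if (username == null || password == null) {
            return false;
        }
        boolean userOk = DEMO_USER.equals(username);
        boolean passOk = MessageDigest.isEqual(
            DEMO_PASSWORD, password.getBytes(StandardCharsets.UTF_8));
        return userOk && passOk;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }
}
```

An `AuthenticatedWebApplication` would return this class from `getWebSessionClass()` so that every login goes through the overridden `authenticate()`.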
