https://issues.apache.org/jira/browse/WICKET-5775
Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Nov 24, 2014 at 11:36 AM, Martin Grigorov <[email protected]> wrote:

> Hi,
>
> wicket-auth-roles module was designed and advertised as an example rather
> than an extension for security best practices.
> But I agree with you that we could add that feature there.
> Please create a ticket at JIRA. Preferably with a patch or pull request at
> GitHub.
> Thank you!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, Nov 24, 2014 at 10:55 AM, Thorsten Schöning <[email protected]>
> wrote:
>
>> Hi all,
>>
>> while implementing the login in my current project I came across
>> WICKET-1767[1] which deals with session fixation problems, but to my
>> surprise it looks like the newly created method is not called
>> automatically by Wicket. If I search the code base for
>> "replaceSession(" I only get one result, the method itself.
>>
>> Is there any reason why Wicket doesn't call the method automatically?
>> Looks to me like AuthenticatedWebSession.signIn would be a good place
>> to call it automatically. When should I call it instead, at the
>> beginning of AuthenticatedWebSession.authenticate? This would prevent
>> session fixation even if an exception got thrown during the authentication
>> itself for any reason.
>>
>> [1]: https://issues.apache.org/jira/browse/WICKET-1767
>>
>> Best regards,
>>
>> Thorsten Schöning
>>
>> --
>> Thorsten Schöning E-Mail: [email protected]
>> AM-SoFT IT-Systeme http://www.AM-SoFT.de/
