Or you are just missing a call to "Session.get().invalidate()" despite calling "((ServletWebRequest) RequestCycle.get().getRequest()).getContainerRequest().getSession().invalidate();" on logout.

2016-04-14 15:59 GMT+02:00 subes <[email protected]>:

> Hi,
>
> I had a similar problem while developing the model aware page cache in the
> NoWicket framework. I used a page factory wrapper to control when a new
> page or an old page is required.
>
> https://github.com/subes/invesdwin-nowicket/blob/master/invesdwin-nowicket-parent/invesdwin-nowicket/src/main/java/de/invesdwin/nowicket/application/filter/internal/ModelCacheUsingPageFactory.java
>
> Dunno if it completely matches your requirement, but I remember that
> fiddling with the PageStore directly was to no avail, so I had to get to a
> step before the page store was queried.
>
> Though since you are talking about login, maybe you are missing the
> creation of a fresh session upon login?
>
> See signIn method here:
> https://github.com/subes/invesdwin-nowicket/blob/master/invesdwin-nowicket-parent/invesdwin-nowicket/src/main/java/de/invesdwin/nowicket/application/auth/AWebSession.java
> Which calls "Session.get().replaceSession()" to start from fresh and thus
> get a new page instance on next request. It is a good idea regarding
> security to replace the session on signIn/signOut to prevent data leaks.
>
> Best regards,
> Edwin
>
> 2016-04-14 15:35 GMT+02:00 Joachim Rohde <[email protected]>:
>
>> Hello,
>>
>> short version of my question: how do I evict the page store to force
>> Wicket to create a new instance after using the back-button?
>>
>> Longer version:
>>
>> A user is redirected after login to my main page. On my main page I have
>> several links in onInitialize() which overwrite isVisible, checking the
>> role of the logged-in user, like this:
>>
>>     @AuthorizeInstantiation({MyRole.sAdmin})
>>     public abstract class AbstractSecureBasePage extends AbstractBasePage implements ModelDetacher {
>>     [...]
>>         add(new Link("managementLink") {
>>             @Override
>>             public void onClick() {
>>                 setResponsePage(Management.class);
>>             }
>>
>>             @Override
>>             public boolean isVisible() {
>>                 return MySession.get().getUser().hasRole(MyRole.ADMIN);
>>             }
>>         });
>>     [...]
>>     }
>>
>> My session:
>>
>>     public class MySession extends AuthenticatedWebSession {
>>     [...]
>>         @Override
>>         public void signOut() {
>>
>>             user = null;
>>
>>             final RequestCycle requestCycle = RequestCycle.get();
>>
>>             if (RequestCycle.get() != null && requestCycle.getRequest() != null
>>                     && ServletWebRequest.class.isAssignableFrom(RequestCycle.get().getRequest().getClass())) {
>>                 LOGGER.log(Level.FINE, "Invalidating HttpSession-object {0}",
>>                         ((ServletWebRequest) RequestCycle.get().getRequest()).getContainerRequest().getSession().getId());
>>                 ((ServletWebRequest) RequestCycle.get().getRequest()).getContainerRequest().getSession().invalidate();
>>             }
>>             super.signOut();
>>         }
>>     }
>>
>> After the log-out the user is redirected back to the login-page. If the
>> user now clicks the browser's back button, Wicket tries to fetch the last
>> page from the page store and checks the links' visibility, which will
>> result in a NullPointerException due to the fact that getUser() returns
>> null.
>>
>> I attempted several solutions:
>>
>> 1) Checking in every isVisible() if the user is null. This *does* work
>> but I have quite a lot of links and I would like to go with this solution
>> only if I cannot find any other.
>>
>> 2) Checking at the very beginning of onInitialize() if the user is null.
>> This does not work since the components are coming from the page store
>> and onInitialize() is not called.
>>
>> 3) Overwriting onBeforeRender() of the main page. This does not work
>> since it's only called if a component is visible.
>>
>> 4) My next idea was to empty the page store within my signOut-method.
>> I tried several things:
>>
>>     getApplication().getSessionStore().destroy();
>>     getPageManager().clear();
>>     getPageManager().destroy();
>>     getPageManager().commitRequest();
>>
>> None of them worked.
>>
>> getPageManager().destroy(); even provokes a NullPointerException within
>> Wicket itself (after using the back-button):
>>
>>     java.lang.NullPointerException
>>         at org.apache.wicket.page.PageStoreManager$SessionEntry.getPage(PageStoreManager.java:203)
>>         at org.apache.wicket.page.PageStoreManager$PersistentRequestAdapter.getPage(PageStoreManager.java:357)
>>         at org.apache.wicket.page.AbstractPageManager.getPage(AbstractPageManager.java:82)
>>         at org.apache.wicket.page.PageManagerDecorator.getPage(PageManagerDecorator.java:50)
>>         at org.apache.wicket.page.PageAccessSynchronizer$2.getPage(PageAccessSynchronizer.java:246)
>>         at org.apache.wicket.DefaultMapperContext.getPageInstance(DefaultMapperContext.java:113)
>>         at org.apache.wicket.core.request.handler.PageProvider.getStoredPage(PageProvider.java:299)
>>         at org.apache.wicket.core.request.handler.PageProvider.isNewPageInstance(PageProvider.java:211)
>>         at org.apache.wicket.core.request.mapper.AbstractBookmarkableMapper.processHybrid(AbstractBookmarkableMapper.java:261)
>>         at org.apache.wicket.core.request.mapper.AbstractBookmarkableMapper.mapRequest(AbstractBookmarkableMapper.java:365)
>>         at org.apache.wicket.request.mapper.CompoundRequestMapper.mapRequest(CompoundRequestMapper.java:150)
>>         at org.apache.wicket.request.cycle.RequestCycle.resolveRequestHandler(RequestCycle.java:189)
>>         at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:219)
>>         at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293)
>>         at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261)
>>         at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
>>         at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284)
>>     [...]
>>
>> Line 203 of the PageStoreManager looks like:
>>
>>     // not found, ask pagestore for the page
>>     return getPageStore().getPage(sessionId, id);
>>
>> I am not sure if there should be a null-check on getPageStore here (since
>> I have no clue what should be returned if getPageStore() returns null).
>>
>> Long story short: is there a more elegant solution to my problem than the
>> first solution that I've tried?
>> I had the hope I could empty the page store and Wicket would be so smart
>> to create a new instance of the page if the page store is empty (which
>> would solve my problem since AuthorizeInstantiation would cause Wicket to
>> redirect to the LoginPage again).
>>
>>
>> Joachim
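
The two suggestions in this thread (replace the session on sign-in, invalidate the Wicket session on sign-out) combined in one session class, as an added example that is not code from either poster or from NoWicket. The hard-coded credential check, the `hasRole` helper and the `logout()` method name are assumptions made for illustration.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;

public class MySession extends AuthenticatedWebSession {

    // Roles of the signed-in user; empty whenever nobody is signed in.
    private Roles roles = new Roles();

    public MySession(Request request) {
        super(request);
    }

    @Override
    public boolean authenticate(String username, String password) {
        // Placeholder credential check (assumption); use a real user lookup here.
        if (!"admin".equals(username) || !"change-me".equals(password)) {
            return false;
        }
        // Fresh container session on login: the pre-login session id is not
        // carried over into the authenticated session.
        replaceSession();
        roles = new Roles(Roles.ADMIN);
        return true;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? roles : new Roles();
    }

    // Null-safe check for isVisible(): a stale page gets "no role", not an NPE.
    public boolean hasRole(String role) {
        return getRoles().hasRole(role);
    }

    @Override
    public void signOut() {
        roles = new Roles();   // drop per-user state
        super.signOut();       // clears the signed-in flag only
    }

    // Call from the logout link (hypothetical helper name).
    public void logout() {
        signOut();
        // Invalidates the Wicket session at the end of the request, so Wicket
        // itself knows the session is gone, unlike a bare HttpSession.invalidate().
        invalidate();
    }
}
```

`authenticate` is declared `public` so the override compiles whether the base class declares it `public` or `protected`.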
