Apache Wicket has a decent authentication / security structure / system.
It is based on an authenticated web session.
https://nightlies.apache.org/wicket/guide/10.x/single.html#_authenticatedwebsession
https://nightlies.apache.org/wicket/guide/9.x/single.html#_authenticatedwebsession
I did my checks in onConfigure() as documented in the guide above.
This is well and sound.
But there is a catch: the constructors and onInitialize() for classes
run before onConfigure() runs.
If you do some processing in the constructors or in onInitialize(), it
runs prior to authentication.
I 'discovered' this while fixing a bug caused primarily by this, because if
you try to get the user at this stage, say, it could for instance be
*null*, not authenticated / invalid.
I worked around this by doing
if (!AuthenticatedWebSession.get().isSignedIn()) return;
in constructors and in onInitialize(). To make this work, a way is to
redirect to the sign-in page in onConfigure().
So that when the user returns to the page, it should be an authenticated
access.
This in some ways prevents authentication leaks and unauthorized access
for protected resources.
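As an added example (not code from the original mail), here is the pattern described above in a Wicket page: user-specific work in onInitialize() is guarded with isSignedIn(), and onConfigure() redirects unauthenticated requests to the sign-in page. MySession and its getUsername() accessor are assumed names for the application's own AuthenticatedWebSession subclass.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;

/** Constructed example of a page whose content is only for signed-in users. */
public class AccountPage extends WebPage {

    public AccountPage() {
        // Constructors run before onConfigure(): no authentication decision has
        // been made yet, so do not read session-bound user data here.
    }

    @Override
    protected void onInitialize() {
        super.onInitialize();
        // onInitialize() also runs before onConfigure(). Bail out when the
        // session is not signed in; onConfigure() will redirect afterwards.
        if (!AuthenticatedWebSession.get().isSignedIn()) {
            return;
        }
        // Safe to use user-specific state here. MySession/getUsername() are
        // assumed names for the application's own session subclass.
        String user = ((MySession) AuthenticatedWebSession.get()).getUsername();
        add(new Label("greeting", "Hello, " + user));
    }

    @Override
    protected void onConfigure() {
        super.onConfigure();
        if (!AuthenticatedWebSession.get().isSignedIn()) {
            // Aborts this request and sends the user to the application's
            // sign-in page; after signing in, Wicket returns them here, where
            // onInitialize() has already run with a signed-in session.
            AuthenticatedWebApplication.get().restartResponseAtSignInPage();
        }
    }
}
```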