Hi! I’ve always used the “other” built-in components for this, the auth strategies in the security settings. We never use AuthenticatedWebSession in our projects as that is mostly for the storage of credentials and we already have some of our own WebSession subclasses.
Wicket has a built-in instantiation listener precisely for this, I think? See IAuthorizationStrategy#isInstantiationAuthorized.

This listener is registered in Wicket's Application base class, and so is guaranteed to be called (unless you remove it yourself). It is called from the Component constructor, so prior to any of your own code, before onInitialize etc.

Kind regards,

Bas Gooren

On 24 Nov 2025, 15:33:28, andrew goh via users <[email protected]> wrote:

> Apache Wicket has a decent authentication / security structure / system.
> It is based on authenticated web session.
>
> https://nightlies.apache.org/wicket/guide/10.x/single.html#_authenticatedwebsession
>
> https://nightlies.apache.org/wicket/guide/9.x/single.html#_authenticatedwebsession
>
> I did my checks in onConfigure() as documented in the guide above.
> This is well and sound.
>
> But there is a catch, the constructors and onInitialize() for classes
> run before onConfigure() runs.
>
> If you do some processing in the constructors or in onInitialize(), it
> runs prior to authentication.
> I 'discovered' this fixing a bug caused primarily by this, because if
> you try to get the user say at this state, it could for instance be
> *null*, not authenticated / invalid.
>
> I worked around this by doing
>
> if (!AuthenticatedWebSession.get().isSignedIn()) return;
>
> In constructors and in onInitialize(), to make this work, a way is to
> redirect to the sign-in page in onConfigure().
> So that when the user returns to the page, it should be an authenticated
> access.
>
> This in some ways prevents authentication leaks and unauthorized access
> for protected resources.
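Added example, not part of the thread and not the posters' or the Wicket project's own code: one way to wire up the IAuthorizationStrategy#isInstantiationAuthorized approach from the reply, with a custom WebSession subclass instead of AuthenticatedWebSession. SecuredApplication, SecuredPage, AppSession and SignInPage are hypothetical names, and SignInPage's markup file is assumed to exist.

```java
import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.Session;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Response;
import org.apache.wicket.request.component.IRequestableComponent;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.request.resource.IResource;

// All class names below are hypothetical; only the Wicket types are real API.
public class SecuredApplication extends WebApplication {
    /** Marker: pages implementing this must never be constructed while signed out. */
    public interface SecuredPage {}
    /** Public sign-in page (markup assumed to exist); not a SecuredPage. */
    public static class SignInPage extends WebPage {}
    /** Custom session holding the user id; null until sign-in succeeds. */
    public static class AppSession extends WebSession {
        private String userId;
        public AppSession(Request request) { super(request); }
        public boolean isSignedIn() { return userId != null; }
        public void signIn(String userId) { this.userId = userId; }
    }
    @Override
    public Session newSession(Request request, Response response) { return new AppSession(request); }
    @Override
    public Class<? extends Page> getHomePage() { return SignInPage.class; }
    @Override
    protected void init() {
        super.init();
        getSecuritySettings().setAuthorizationStrategy(new IAuthorizationStrategy() {
            @Override
            public <T extends IRequestableComponent> boolean isInstantiationAuthorized(Class<T> type) {
                // Gate only SecuredPage types; SignInPage and plain components stay allowed.
                if (!SecuredPage.class.isAssignableFrom(type)) return true;
                return ((AppSession) Session.get()).isSignedIn();
            }
            @Override
            public boolean isActionAuthorized(Component component, Action action) { return true; }
            @Override
            public boolean isResourceAuthorized(IResource resource, PageParameters parameters) { return true; }
        });
        // On a denied instantiation, remember the requested URL and show the sign-in page.
        getSecuritySettings().setUnauthorizedComponentInstantiationListener(component -> {
            throw new RestartResponseAtInterceptPageException(SignInPage.class);
        });
    }
}
```

A page opts in with `class AccountPage extends WebPage implements SecuredPage`. Because the exception is thrown from the Component constructor, that page's own constructor body and onInitialize() are never reached for a signed-out session, so no per-page isSignedIn() guard is needed there.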
