Thanks Bas,
I think I'd explore the authorization strategies; that may be a better
way to prevent auth leaks.
I'm partly doing that already; I've some pretty 'custom' stuff, e.g. to
redirect to the login page for authenticated pages.
That inevitably needs some code to run.
On 24/11/2025 22:43, Bas Gooren wrote:
Hi!
I’ve always used the “other” built-in components for this, the auth
strategies in the security settings.
We never use AuthenticatedWebSession in our projects as that is mostly
for the storage of credentials and we already have some of our own
WebSession subclasses.
Wicket has a built-in instantiation listener precisely for this I think?
See IAuthorizationStrategy#isInstantiationAuthorized
This listener is registered in wicket’s Application base class, and so
is guaranteed to be called (unless you remove it yourself).
It is called from the Component constructor, so prior to any of your
own code, before onInitialize etc.
Kind regards,
Bas Gooren
On 24 Nov 2025, 15:33:28, andrew goh via users
<[email protected]> wrote:
Apache Wicket has a decent authentication / security structure / system.
It is based on authenticated web session.
https://nightlies.apache.org/wicket/guide/10.x/single.html#_authenticatedwebsession
https://nightlies.apache.org/wicket/guide/9.x/single.html#_authenticatedwebsession
I did my checks in onConfigure() as documented in the guide above.
This is well and sound.
But there is a catch: the constructors and onInitialize() for classes
run before onConfigure() runs.
If you do some processing in the constructors or in onInitialize(), it
runs prior to authentication.
I 'discovered' this while fixing a bug caused primarily by this, because if
you try to get the user, say, at this state, it could for instance be
*null*, not authenticated / invalid.
I worked around this by doing
if (!AuthenticatedWebSession.get().isSignedIn()) return;
in constructors and in onInitialize(); to make this work, a way is to
redirect to the sign-in page in onConfigure().
So that when the user returns to the page, it should be an authenticated
access.
This in some ways prevents authentication leaks and unauthorized access
for protected resources.
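The following is an added example, not code from either message in this thread. It shows the alternative Bas describes, the instantiation-time authorization strategy, applied to the constructor/onInitialize() problem in the original post: the check runs from Component's constructor, so a page that implements a marker interface is never constructed for an unauthenticated session and needs no isSignedIn() guard of its own. SecurePage, SignInPage, HomePage, MyApplication and AccountPage are hypothetical names; the example assumes wicket-auth-roles is on the classpath and that the application's newSession() already returns an AuthenticatedWebSession subclass, as in the original post.

```java
import org.apache.wicket.Page;
import org.apache.wicket.authorization.strategies.page.SimplePageAuthorizationStrategy;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.mapper.parameter.PageParameters;

/** Marker interface (hypothetical): pages implementing it may only be instantiated by a signed-in session. */
interface SecurePage {
}

public class MyApplication extends WebApplication {
    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical page class
    }

    @Override
    protected void init() {
        super.init();
        // SimplePageAuthorizationStrategy implements IAuthorizationStrategy#isInstantiationAuthorized,
        // which Wicket's Application-level instantiation listener calls from Component's constructor.
        // For any page assignable to SecurePage it delegates to isAuthorized() below; when that returns
        // false, the strategy's own unauthorized-instantiation listener throws
        // RestartResponseAtInterceptPageException(SignInPage.class), so the secure page's constructor
        // body never executes, and the user is returned to the original page after signing in
        // (provided the sign-in page calls continueToOriginalDestination()).
        getSecuritySettings().setAuthorizationStrategy(
            new SimplePageAuthorizationStrategy(SecurePage.class, SignInPage.class) {
                @Override
                protected boolean isAuthorized() {
                    return AuthenticatedWebSession.get().isSignedIn();
                }
            });
    }
}

/** Constructor-time work is now safe: this constructor only runs for a signed-in session. */
class AccountPage extends WebPage implements SecurePage {
    public AccountPage(PageParameters parameters) {
        super(parameters);
        // No "if (!isSignedIn()) return;" guard needed, unlike the onConfigure()-only approach.
        add(new Label("roles", AuthenticatedWebSession.get().getRoles().toString()));
    }
}
```

Components that are not pages and fail the same check get an UnauthorizedInstantiationException instead of a redirect, so the marker interface is best applied to page classes.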