You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2013/08/07 17:06:48 UTC

[jira] [Commented] (WICKET-5308) AuthenticatedWebSession#authenticate should be protected, not public

    [ https://issues.apache.org/jira/browse/WICKET-5308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13732079#comment-13732079 ] 

Martin Grigorov commented on WICKET-5308:
-----------------------------------------

The change will be API break and thus cannot be made in 6.x branch.
I understand that all user apps already override this method and it is 'public' in their code, so after changing it to 'protected' in wicket-auth-roles their code should still work, but maven-clirr-plugin won't let you do this. It is not that smart.

I'd suggest you to ask for opinions in dev@ because not all Wicket developers are subscribed to the Jira mails (commits@ mailing list) and even more users (non-core developers).
                
> AuthenticatedWebSession#authenticate should be protected, not public
> --------------------------------------------------------------------
>
>                 Key: WICKET-5308
>                 URL: https://issues.apache.org/jira/browse/WICKET-5308
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-auth-roles
>    Affects Versions: 7.0.0, 6.9.1
>            Reporter: Carl-Eric Menzel
>             Fix For: 7.0.0, 6.10.0
>
>
> A common source of confusion in trainings is that when implementing security using wicket-auth-roles, you have to implement #authenticate in your own session class, but in the login form's #onSubmit you have to call #signIn.
> Both #authenticate and #signIn are public and both have identical signatures. Their names mean basically the same thing too. This is rather error-prone.
> I propose changing the visibility of #authenticate to protected. That way, it will still work the same as it does now, except it won't show up in code-completion anymore and won't compete with #signIn anymore.
> This should not be an API break, since #authenticate is abstract anyway and is always implemented in user code. Raising visibility from protected to public is always legal, so user code should not break from this change.
> Opinions?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira