Posted to commits@wicket.apache.org by "Simon Erhardt (JIRA)" <ji...@apache.org> on 2017/08/02 15:15:00 UTC

[jira] [Created] (WICKET-6432) SignInPanel causes infinite redirect loop if session id is suppressed in URL

Simon Erhardt created WICKET-6432:
-------------------------------------

             Summary: SignInPanel causes infinite redirect loop if session id is suppressed in URL
                 Key: WICKET-6432
                 URL: https://issues.apache.org/jira/browse/WICKET-6432
             Project: Wicket
          Issue Type: Bug
          Components: wicket-auth-roles
    Affects Versions: 7.8.0
            Reporter: Simon Erhardt
         Attachments: redirect-loop.zip

The attached, very simple quickstart causes an infinite redirection loop. It consists of an _AuthenticatedPage_, which is annotated with _@AuthorizeInstantiation_, and a _LoginPage_, using a SignInPanel, which is set up as the home page.
The trouble begins if one opens the HTTP URL after signing in with HTTPS.
It happens only if Jetty is forced to suppress the session id as a URL parameter (see [Jetty 9.2.X documentation|http://www.eclipse.org/jetty/documentation/9.2.22.v20170531/session-management.html#setting-session-characteristics]):
{code}
    WebAppContext bb = new WebAppContext();

    // The following line causes the trouble
    bb.setInitParameter("org.eclipse.jetty.servlet.SessionIdPathParameterName", "none");
{code}

Steps to reproduce:
# Start the application in test/java/quickstart/Start
# Open https://localhost:8443
# Sign in using "user" and "password"
# After being redirected to the AuthenticatedPage, open http://localhost:8080



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)