Posted to dev@wicket.apache.org by Alexander Cherednichenko <le...@gmail.com> on 2011/10/20 16:44:31 UTC

Wicket-auth-roles wiki error

Hi all.

I have noticed an error in sample configuration on
https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html ,
Section 'Spring Security setup', sample web.xml.

In this sample Spring securityFilterChainProxy is marked as optional, needed
only to secure resources. This leads to the misconfiguration.
If we do omit this filter, spring security would not be able to restore (and
clear!) the SecurityContext in SecurityContextHolder on each request. This
leads to pretty strange behavior.

With the sample given, on the correct auth, Authentication object is set to
the current thread-local SecurityContext immediately. As security filter is
omitted, this context is NEVER cleared from the thread. As soon as you
continue hitting the same thread of the servlet container, everything is OK,
but as soon as server serves you with another thread you get unpredictable
results. For instance showing random users' details after login.

Also, with spring security 3 the default name of the filter for spring
security should be 'springSecurityFilterChain', it is then linked to
<security:http> spring element.

Hope this helps!
I am not subscribed to wicket mailing lists, so if you need some additional
info please mail directly to this acct.

Kindest regards,
-- 
Alexander Cherednichenko

[ the only way out is the way up ]
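
Added example, not part of the original message and not Spring Security or Wicket code: a plain-Java model of the behaviour described above, showing a thread-local context that is never cleared, next to a filter-style wrapper that restores and clears it on each request. The class `ContextLeakDemo`, its methods, the user name and the two single-thread executors standing in for container worker threads are all assumptions made for illustration.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextLeakDemo {
    // Simplified stand-in for the thread-local behind SecurityContextHolder.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    // Hypothetical request handlers: a login and a page that shows the current user.
    static String login(String user) { CONTEXT.set(user); return user; }
    static String whoAmI() { String u = CONTEXT.get(); return u == null ? "anonymous" : u; }

    // Models the per-request job of the security filter: restore the caller's context
    // from their session, run the request, save the context back, always clear the thread.
    static Callable<String> filtered(boolean enabled, String[] session, Callable<String> request) {
        if (!enabled) return request; // filter omitted from web.xml
        return () -> {
            try {
                if (session[0] != null) CONTEXT.set(session[0]);
                String result = request.call();
                session[0] = CONTEXT.get();
                return result;
            } finally {
                CONTEXT.remove();
            }
        };
    }
    static String run(ExecutorService worker, Callable<String> request) throws Exception {
        return worker.submit(request).get();
    }

    static String scenario(boolean withFilter) throws Exception {
        // Two single-thread executors model two container worker threads deterministically.
        ExecutorService t1 = Executors.newSingleThreadExecutor();
        ExecutorService t2 = Executors.newSingleThreadExecutor();
        String[] alice = {null}, stranger = {null}; // constructed per-user sessions
        try {
            run(t1, filtered(withFilter, alice, () -> login("alice")));
            String s = run(t1, filtered(withFilter, stranger, ContextLeakDemo::whoAmI));
            String a = run(t2, filtered(withFilter, alice, ContextLeakDemo::whoAmI));
            return "filter=" + withFilter + ": stranger on t1 sees " + s + ", alice on t2 sees " + a;
        } finally {
            t1.shutdown(); t2.shutdown();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println(scenario(false));
        System.out.println(scenario(true));
    }
}
```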

Re: Wicket-auth-roles wiki error

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

The Wiki pages are editable by everyone. You just need to register an account.
Feel free to improve any inconsistencies!
Thanks!

On Thu, Oct 20, 2011 at 5:44 PM, Alexander Cherednichenko
<le...@gmail.com> wrote:
> Hi all.
>
> I have noticed an error in sample configuration on
> https://cwiki.apache.org/WICKET/spring-security-and-wicket-auth-roles.html ,
> Section 'Spring Security setup', sample web.xml.
>
> In this sample Spring securityFilterChainProxy is marked as optional, needed
> only to secure resources. This leads to the misconfiguration.
> If we do omit this filter, spring security would not be able to restore (and
> clear!) the SecurityContext in SecurityContextHolder on each request. This
> leads to pretty strange behavior.
>
> With the sample given, on the correct auth, Authentication object is set to
> the current thread-local SecurityContext immediately. As security filter is
> omitted, this context is NEVER cleared from the thread. As soon as you
> continue hitting the same thread of the servlet container, everything is OK,
> but as soon as server serves you with another thread you get unpredictable
> results. For instance showing random users' details after login.
>
> Also, with spring security 3 the default name of the filter for spring
> security should be 'springSecurityFilterChain', it is then linked to
> <security:http> spring element.
>
> Hope this helps!
> I am not subscribed to wicket mailing lists, so if you need some additional
> info please mail directly to this acct.
>
> Kindest regards,
> --
> Alexander Cherednichenko
>
> [ the only way out is the way up ]
>



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com