You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2017/01/19 09:01:26 UTC

[jira] [Commented] (WICKET-6310) WicketTester - Test failed in Wicket 8 but Works in 7 - Spring Security

    [ https://issues.apache.org/jira/browse/WICKET-6310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15829550#comment-15829550 ] 

Martin Grigorov commented on WICKET-6310:
-----------------------------------------

By reading the description I think I see the reason.
If the login page is stateless then the data stored in InterceptData is lost because there is no http session yet.
If you use `setResponsePage(new SomePage())` then Wicket binds a Session to make sure that this particular page instance is used after the redirect and then the InterceptData is still around and used.

I don't have a solution for this though.
The only workaround I see is to make the LoginPage stateful but then the application will be vulnerable to attacks unless additional logic is added to invalidate the session in case of unsuccessful authentication. But then we are back to square one (lost InterceptData).

> WicketTester - Test failed in Wicket 8 but Works in 7 - Spring Security
> -----------------------------------------------------------------------
>
>                 Key: WICKET-6310
>                 URL: https://issues.apache.org/jira/browse/WICKET-6310
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 8.0.0-M3
>            Reporter: Marc G.
>         Attachments: spring-security.zip
>
>
> I've created a simple project to show that I've a test which works in Wicket 7 but is failing in Wicket 8. Its a simple login form which authenticates a user with Spring Security.
> In Wicket 8 the user is redirected to the LoginPage after a succesul login without an error. In Wicket 7 the user is redirected to the HomePage as expected.
> You can change the version in the maven property section. 
> I've tried to debug by myself but I didn't found anything...
> Hint: The test is working in Wicket 8 if you redirect the page with setResponsePage(new HomePage.class) instead of setResponsePage(Homepage.class)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)