You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@wicket.apache.org by Evan Sable <ev...@novelution.com> on 2012/02/08 18:55:30 UTC
continueToOriginalDestination seems to be incorrectly retaining destination across multiple logins
Hi,
I'm using wicket 1.5-SNAPSHOT along with Shiro for
authentication/authorization security, and when an unauthorized user tries
to go to a page, Shiro calls redirectToInterceptPage behind the scenes, and
during the login process, after a successful login, there is code that says:
if (!continueToOriginalDestination()) {
setResponsePage(getApplication().getHomePage());
}
It is working in the sense that if a user gets redirected to login, they are
taken to the correct destination afterwards, and if a user just clicks the
login link in a new browser they are redirected to the homepage after login.
BUT, the problem is, if an initial user tries to go to a protected page,
gets redirected to the login, logs in, and then logs out, and then, without
closing the browser, clicks the login link and logs in with the same user
again or even another user, it still redirects to the prior "original"
destination, which should no longer take effect. I would think that this
should be forgotten upon logging out, which replaces the wicket session
with:
Session session = Session.get();
session.replaceSession();
I think I must be misunderstanding how continueToOriginalDestination is
working - I thought it was placing the original destination url into the
users session, which is why I figured that after the login which redirects,
followed by the logout which replaces the session, it would be gone.
Can someone please explain what I'm thinking about wrongly here and why the
destination is being retained across multiple logins. Also, how can I avoid
this so that the original destination is only used the first time? Btw,
just to be clear, if I logout and then click to a new protected url, the
"original destination" value is properly replaced with the new protected
destination which redirects back to the intercept page. The problem is only
if I click directly to the login page without a new intercept, but after
having previously utilized the continueToOriginalDestination in the prior
login.
Thanks very much for any help!
-Evan
RE: continueToOriginalDestination seems to be incorrectly retaining destination across multiple logins
Posted by Evan Sable <ev...@novelution.com>.
Thanks for your response Martin, and sorry for my delayed reply!
I added the breakpoint (it's line 210 in my 1.5-SNAPSHOT). I also put one at line 197, at the start of the mapRequest method, to see if it was getting into the method and finding a null value for the data variable. But neither breakpoint gets reached so the method is not being called. Does this mean that something is wrong with my wicket/shiro integration code, regarding the wicket request processing not being used correctly? I should add that I'm using a library from this "fifyfive-wicket" project (see https://github.com/55minutes/fiftyfive-wicket#readme) that pretty much sets up the wicket/shiro integration for me. Does it sound like the problem is most likely coming from there, or might something else be going on?
Thanks again,
-Evan
-----Original Message-----
From: Martin Grigorov [mailto:mgrigorov@apache.org]
Sent: Thursday, February 09, 2012 3:12 AM
To: users@wicket.apache.org
Subject: Re: continueToOriginalDestination seems to be incorrectly retaining destination across multiple logins
Hi,
The intercept data should be cleaned at
org.apache.wicket.RestartResponseAtInterceptPageException, line 211 - InterceptData.clear(); Put a breakpoint there and see what happens.
On Wed, Feb 8, 2012 at 7:55 PM, Evan Sable <ev...@novelution.com> wrote:
> Hi,
>
>
>
> I'm using wicket 1.5-SNAPSHOT along with Shiro for
> authentication/authorization security, and when an unauthorized user
> tries to go to a page, Shiro calls redirectToInterceptPage behind the
> scenes, and during the login process, after a successful login, there is code that says:
>
> if (!continueToOriginalDestination()) {
>
> setResponsePage(getApplication().getHomePage());
>
> }
>
>
>
> It is working in the sense that if a user gets redirected to login,
> they are taken to the correct destination afterwards, and if a user
> just clicks the login link in a new browser they are redirected to the homepage after login.
>
>
>
> BUT, the problem is, if an initial user tries to go to a protected
> page, gets redirected to the login, logs in, and then logs out, and
> then, without closing the browser, clicks the login link and logs in
> with the same user again or even another user, it still redirects to the prior "original"
> destination, which should no longer take effect. I would think that
> this should be forgotten upon logging out, which replaces the wicket
> session
> with:
>
> Session session = Session.get();
>
> session.replaceSession();
>
>
>
> I think I must be misunderstanding how continueToOriginalDestination
> is working - I thought it was placing the original destination url
> into the users session, which is why I figured that after the login
> which redirects, followed by the logout which replaces the session, it would be gone.
>
>
>
> Can someone please explain what I'm thinking about wrongly here and
> why the destination is being retained across multiple logins. Also,
> how can I avoid this so that the original destination is only used the
> first time? Btw, just to be clear, if I logout and then click to a
> new protected url, the "original destination" value is properly
> replaced with the new protected destination which redirects back to
> the intercept page. The problem is only if I click directly to the
> login page without a new intercept, but after having previously
> utilized the continueToOriginalDestination in the prior login.
>
> Thanks very much for any help!
>
> -Evan
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
Re: continueToOriginalDestination seems to be incorrectly retaining
destination across multiple logins
Posted by Martin Grigorov <mg...@apache.org>.
Hi,
The intercept data should be cleaned at
org.apache.wicket.RestartResponseAtInterceptPageException, line 211 -
InterceptData.clear();
Put a breakpoint there and see what happens.
On Wed, Feb 8, 2012 at 7:55 PM, Evan Sable <ev...@novelution.com> wrote:
> Hi,
>
>
>
> I'm using wicket 1.5-SNAPSHOT along with Shiro for
> authentication/authorization security, and when an unauthorized user tries
> to go to a page, Shiro calls redirectToInterceptPage behind the scenes, and
> during the login process, after a successful login, there is code that says:
>
> if (!continueToOriginalDestination()) {
>
> setResponsePage(getApplication().getHomePage());
>
> }
>
>
>
> It is working in the sense that if a user gets redirected to login, they are
> taken to the correct destination afterwards, and if a user just clicks the
> login link in a new browser they are redirected to the homepage after login.
>
>
>
> BUT, the problem is, if an initial user tries to go to a protected page,
> gets redirected to the login, logs in, and then logs out, and then, without
> closing the browser, clicks the login link and logs in with the same user
> again or even another user, it still redirects to the prior "original"
> destination, which should no longer take effect. I would think that this
> should be forgotten upon logging out, which replaces the wicket session
> with:
>
> Session session = Session.get();
>
> session.replaceSession();
>
>
>
> I think I must be misunderstanding how continueToOriginalDestination is
> working - I thought it was placing the original destination url into the
> users session, which is why I figured that after the login which redirects,
> followed by the logout which replaces the session, it would be gone.
>
>
>
> Can someone please explain what I'm thinking about wrongly here and why the
> destination is being retained across multiple logins. Also, how can I avoid
> this so that the original destination is only used the first time? Btw,
> just to be clear, if I logout and then click to a new protected url, the
> "original destination" value is properly replaced with the new protected
> destination which redirects back to the intercept page. The problem is only
> if I click directly to the login page without a new intercept, but after
> having previously utilized the continueToOriginalDestination in the prior
> login.
>
> Thanks very much for any help!
>
> -Evan
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org