Posted to users@wicket.apache.org by Matt Smith <ma...@gmail.com> on 2008/02/04 17:57:26 UTC

Session Expiration. UnauthorizedComponentInstantiationException. PageExpiredException. IllegalStateException. Ajax and Bookmarkable links.

A co-worker and I are looking into how to provide a consistent
handling of session expiration with an AuthenticatedWebApplication.

If a session expires, ideally, we'd like to provide a consistent
behavior of redirecting to a login page with a helpful message (i.e. -
"Your session expired, please re-login"), re-authenticate, and then
proceed to the original request regardless of what type of request is
made of the server.

Examples of the scenarios we'd like to handle consistently are:
1.   User logs in.  Session expires, then user clicks a wicket
generated Page link.
2.   User logs in.  Session expires, then user clicks the back button
in the browser and then clicks on a wicket generated component link.
3.   User logs in.  User performs an action which results in them
being redirected to a bookmarkable page.  The session expires, then
user submits a form.
4.   User logs in.  User performs an action which results in them
being redirected to a bookmarkable page.  The session expires, then
user clicks a wicket generated link on the current page.
5.   User logs in.  User performs an action which results in them
being redirected to a bookmarkable page.  The session expires, then
user triggers an AJAX request of the server.
6.   User logs in.  The session expires.  User then triggers an AJAX
request of the server.
7.   User logs in.  The session expires, then user gets redirected to
login page (thus creating a new session).   User then clicks back and
clicks on a wicket generated link, gets redirected to a login page,
clicks back, clicks a wicket generated link.

The examples above seem to cause various behaviors in:
#1.  The Web app's UnauthorizedComponentInstantiation listener is
fired and given the page the user was on as an argument (thus
redirecting them directly to the page without a message).
#2 throws an UnauthorizedComponentInstantiationException
#3 throws a PageExpiredException
#4 throws a PageExpiredException
#5 throws a PageExpiredException
#6 throws an IllegalStateException (unmatched key/value pairs).
#7  A WicketRuntimeException exception is thrown ("component not found
in page") (because the page id in the link is referring to a different
page in the current/new session than the page it referred to in the
old session).  It seems that using nextnumber ids (starting at 0)
allows for potential overlap in ids between a new session and an old
session.

We are able to handle PageExpiredException consistently by overriding
onRuntimeException() in our own custom RequestCycle.

Is there a way we can specify some consistent behavior for the other scenarios?

- Matt
http://netsmith.blogspot.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Session Expiration. UnauthorizedComponentInstantiationException. PageExpiredException. IllegalStateException. Ajax and Bookmarkable links.

Posted by mattsmith <ma...@gmail.com>.
Here's what we ended up doing to address this (since there didn't seem to be
a consistent approach to handling the variety of scenarios from the
framework's perspective):

1.  Disabled the back button by aggressively expiring visited pages (negating
a huge benefit of using wicket in the first place :).  
2.  Remove the bookmarkablePage link from the equation.
3.  onRuntimeException() in our custom request cycle handles the various
exceptions (PageExpired, Unauthorized, etc.)
4.  Custom modification to our web session to prevent feedback message
clearing in some cases of #3 where the message was getting too aggressively
cleared.
5.  We are not using the expired page setting that comes with wicket because
it didn't seem to cover the variety of scenarios mentioned.

We would have really liked to see this handling offered with some default
mechanism in wicket (For common scenarios mentioned in my prior msg).

- Matt


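
Added example, not part of the original posts and not Wicket code: a framework-free Java model of scenario #7, where page ids restart at 0 in every new session, so a link kept from the expired session resolves against a different page. ModelSession, its methods and the per-session nonce carried in the link are assumptions made for illustration; binding the link to the session that minted it is one way to turn the stale click into a plain "page expired" result that a single onRuntimeException()-style handler can treat uniformly.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;

/** Model of scenario #7. All names here are hypothetical, not Wicket APIs. */
public class StalePageIdDemo {

    /** One HTTP session: pages get sequential ids starting at 0, as the post describes. */
    static class ModelSession {
        // Random per-session value embedded in every link this session renders.
        final String nonce = Long.toHexString(new SecureRandom().nextLong());
        final List<String> pages = new ArrayList<>();

        /** Stores a page and returns the link a browser would hold: "<pageId>:<nonce>". */
        String render(String pageName) {
            pages.add(pageName);
            return (pages.size() - 1) + ":" + nonce;
        }

        /** Id-only lookup: a stale id resolves to whatever page holds that id now. */
        String resolveByIdOnly(String link) {
            int id = Integer.parseInt(link.split(":")[0]);
            return id < pages.size() ? pages.get(id) : "PAGE_EXPIRED";
        }

        /** Session-bound lookup: a link minted by another session counts as expired. */
        String resolveBound(String link) {
            String[] parts = link.split(":");
            if (parts.length != 2 || !nonce.equals(parts[1])) {
                return "PAGE_EXPIRED";
            }
            return resolveByIdOnly(link);
        }
    }

    public static void main(String[] args) {
        ModelSession expired = new ModelSession();
        String staleLink = expired.render("AccountPage"); // id 0 in the old session

        ModelSession fresh = new ModelSession();          // created by the login redirect
        fresh.render("LoginPage");                        // id 0 again in the new session

        // Back button, then click: the browser replays the old session's link.
        // Id-only resolution lands on the wrong page, where the link's component
        // path does not exist (the "component not found in page" case).
        System.out.println("id only:       " + fresh.resolveByIdOnly(staleLink));
        System.out.println("session-bound: " + fresh.resolveBound(staleLink));
    }
}
```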