
I'm managing authentication by extending AuthenticatedWebSession.

Signing in

@Override
protected boolean authenticate(String username, String password) {
    // some auth logic here: returns true when the credentials are valid, false otherwise
    return checkCredentials(username, password); // checkCredentials(): the asker's own auth logic, not shown
}

Sign out

@Override
public void signOut() {
    super.signOut();
    this.getApplication().getSecuritySettings().getAuthenticationStrategy().remove();
    this.getSessionStore().invalidate(RequestCycle.get().getRequest());
    throw new RedirectToUrlException("some_url_that_does_not_require_auth", HttpServletResponse.SC_MOVED_TEMPORARILY);
}

And my page configuration:

@AuthorizeInstantiation("ADMIN")
public class Home extends Base {
  //Page stuff here
}

Now the problem is that if I log out I can still access authenticated content, via clicking the back button or pasting the URL into the browser. I can only watch the content; when I click on something it redirects me to the non-auth page.

When signing out the session ID changes and the session is removed from SecuritySettings, so I can't figure out why it still shows auth content.

user3960875

1 Answer

Call session.invalidate() instead of session.signOut().

I'll suggest removing/hiding signOut() from the API for Wicket 8.x. Recently someone else had the same problem (What method to use for logout in wicket application?).

martin-g
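The fix the answer describes, as an added example that is not code from the question or the answer: a logout link that invalidates the Wicket session server-side instead of calling signOut(), then sends the browser to a page that needs no authentication. LoginPage is assumed to be an existing unauthenticated page in the application.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.link.Link;

// Added example: logout that destroys the server-side session.
// Assumes LoginPage is the application's unauthenticated sign-in page.
public class LogoutLink extends Link<Void> {

    public LogoutLink(String id) {
        super(id);
    }

    @Override
    public void onClick() {
        // Session.invalidate() marks the HttpSession for destruction at the end of
        // this request, so the session cookie the browser still holds no longer
        // maps to a signed-in session. signOut() alone only flips the signed-in
        // flag, which is why cached authenticated pages remained reachable.
        AuthenticatedWebSession.get().invalidate();

        // Every later request runs in a fresh, unauthenticated session, so pages
        // guarded by @AuthorizeInstantiation("ADMIN") send the user to sign in.
        setResponsePage(LoginPage.class);
    }
}
```

invalidate() takes effect when the current request finishes; Session.invalidateNow() exists for the cases where the session must be gone before the response is written.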