Hi, The reporter of https://issues.apache.org/jira/browse/WICKET-5454 asked to pass the Component instance to IAuthorizationStrategy#isInstantiationAuthorized() instead of just its class. I have no idea why the API has been designed this way but Carl-Eric gave a good explanation - the component is not yet fully constructed.
The thing that bothers me is why it is OK to use the instance in my custom IComponentInstantiationListener and it is not OK to do the same in IAuthorizationStrategy#isInstantiationAuthorized() ? If there is a javadoc explaining the possible problem (as for IComponentInstantiationListener#onInstantiation()) then it is OK. Even more - at https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/Application.java#L276you can see that right ater rejecting the *Class* we pass the *instance* to the UnauthorizedComponentInstantiationListener! Martin Grigorov Wicket Training and Consulting
