A co-worker and I are looking into how to provide a consistent
handling of session expiration with an AuthenticatedWebApplication.
If a session expires, ideally, we'd like to provide a consistent
behavior of redirecting to a login page with a helpful message (i.e. -
"Your session expired, please re-login"), re-authenticate, and then
proceed to the original request regardless of what type of request is
made of the server.

Examples of the scenarios we'd like to handle consistently are:

1. User logs in. Session expires, then user clicks a Wicket-generated
Page link.
2. User logs in. Session expires, then user clicks the back button
in the browser and then clicks on a Wicket-generated component link.
3. User logs in. User performs an action which results in them
being redirected to a bookmarkable page. The session expires, then
user submits a form.
4. User logs in. User performs an action which results in them
being redirected to a bookmarkable page. The session expires, then
user clicks a Wicket-generated link on the current page.
5. User logs in. User performs an action which results in them
being redirected to a bookmarkable page. The session expires, then
user triggers an AJAX request of the server.
6. User logs in. The session expires. User then triggers an AJAX
request of the server.
7. User logs in. The session expires, then user gets redirected to
login page (thus creating a new session). User then clicks back and
clicks on a Wicket-generated link, gets redirected to a login page,
clicks back, clicks a Wicket-generated link.

The examples above seem to cause various behaviors in:
#1. The Web app's UnauthorizedComponentInstantiation listener is
fired and given the page the user was on as an argument (thus
redirecting them directly to the page without a message).
#2 throws an UnauthorizedComponentInstantiationException
#3 throws a PageExpiredException
#4 throws a PageExpiredException
#5 throws a PageExpiredException
#6 throws an IllegalStateException (unmatched key/value pairs).
#7 A WicketRuntimeException exception is thrown ("component not found
in page") (because the page id in the link is referring to a different
page in the current/new session than the page it referred to in the
old session). It seems that using nextnumber id's (starting at 0)
allows for potential overlap in id's between a new session and an old
session.
We are able to handle PageExpiredException consistently by overriding
onRuntimeException() in our own custom RequestCycle.
Is there a way we can specify some consistent behavior for the other scenarios?
- Matt
http://netsmith.blogspot.com
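
A small model of scenario #7, added here as an illustration and not taken from the original message or from Wicket's code: page ids restart at 0 in each session, so a link rendered in the expired session resolves against an unrelated page in the new one. `Session`, `Link`, the per-session `nonce` and both resolve methods are hypothetical names (Java 17 or later); the nonce check is one assumed way to send every stale link down the same "session expired" path.

```java
import java.security.SecureRandom;
import java.util.*;

// Model only: none of these classes are Wicket's. It reproduces scenario #7.
public class StaleLinkDemo {
    record Link(String sessionNonce, int pageId, String componentPath) {}

    static class Session {
        final String nonce;                 // hypothetical per-session token
        private int nextPageId = 0;         // ids restart at 0 in every session
        private final Map<Integer, Set<String>> pages = new HashMap<>();

        Session() {
            byte[] b = new byte[16];
            new SecureRandom().nextBytes(b);
            nonce = HexFormat.of().formatHex(b);
        }

        // Stores a page and returns a link to one of its components.
        Link render(String linkPath, String... otherComponents) {
            int id = nextPageId++;
            Set<String> components = new HashSet<>(List.of(otherComponents));
            components.add(linkPath);
            pages.put(id, components);
            return new Link(nonce, id, linkPath);
        }

        // Resolves by page id alone, as in the failing scenario.
        String resolveByIdOnly(Link l) {
            Set<String> c = pages.get(l.pageId());
            if (c == null) return "page expired";
            return c.contains(l.componentPath()) ? "ok" : "component not found in page";
        }

        // Checks the session token first, so every stale link takes one path.
        String resolveChecked(Link l) {
            if (!nonce.equals(l.sessionNonce())) return "session expired: redirect to login";
            return resolveByIdOnly(l);
        }
    }

    public static void main(String[] args) {
        Session old = new Session();
        Link stale = old.render("editForm:save", "header");   // page 0, old session
        Session fresh = new Session();                        // created after the timeout
        fresh.render("loginForm:submit");                     // page 0, new session
        System.out.println(fresh.resolveByIdOnly(stale));     // id collides with the login page
        System.out.println(fresh.resolveChecked(stale));      // stale link detected up front
    }
}
```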