Hi, isn't IAuthorizationStrategy#isInstantiationAuthorized() quite prone to security-related bugs? Authorization is checked only when a page (or any other component) is instantiated - the page instance is then stored in a page map. After a user logs out he can still access these secured pages stored in the page map. This IMHO opens dangerous security holes in secured wicket applications...

One possible solution is to call Session.get().clear() when a user logs out - but it won't work when the user's authorization can dynamically change during his session (e.g. roles are added or removed). Moreover, Session.get().clear() does not work in the current wicket-2.0 snapshot (I just created WICKET-331 issue). I think that there should be a mechanism that checks authorization every time a page instance is created or retrieved from a page map. Something like isAccessAuthorized(Class<? extends Page> pageClass).

Another question: do we need this fine-grained isInstantiationAuthorized(componentClass) at all? WDYT?

Regards, Bendis
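One way to close the gap the post describes without waiting for a new API, shown here as an added example that is not Bendis's code nor part of Wicket itself: an IAuthorizationStrategy that re-checks the session's current roles on every RENDER action as well as at instantiation, so a secured page already sitting in the page map is denied after logout or a role change. It assumes Wicket 1.3-era package names (org.apache.wicket.*), a hypothetical SecuredPage marker base class, a hypothetical RoleSession interface on the application's session, and a constructed role name "ADMIN".

```java
import org.apache.wicket.Component;
import org.apache.wicket.Page;
import org.apache.wicket.Session;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;

/**
 * Authorization strategy that does not trust an earlier instantiation check.
 * Install it in Application.init() with (assumption, not shown here):
 *   getSecuritySettings().setAuthorizationStrategy(new RecheckOnRenderStrategy("ADMIN"));
 */
public class RecheckOnRenderStrategy implements IAuthorizationStrategy {

    /** Hypothetical marker base class: pages that require the role extend it. */
    public static abstract class SecuredPage extends Page {
    }

    /** Hypothetical interface the application's WebSession subclass implements. */
    public interface RoleSession {
        boolean hasRole(String role);
    }

    private final String requiredRole; // constructed value, e.g. "ADMIN"

    public RecheckOnRenderStrategy(String requiredRole) {
        this.requiredRole = requiredRole;
    }

    /** Reads the roles the session holds right now, not at page construction time. */
    private boolean sessionAllows() {
        Session session = Session.get();
        return session instanceof RoleSession
                && ((RoleSession) session).hasRole(requiredRole);
    }

    private boolean isSecured(Class componentClass) {
        return SecuredPage.class.isAssignableFrom(componentClass);
    }

    /** Same check as before: blocks creating a secured page without the role. */
    public boolean isInstantiationAuthorized(Class componentClass) {
        return !isSecured(componentClass) || sessionAllows();
    }

    /**
     * The extra check: a page pulled back out of the page map is not
     * instantiated again, but it is rendered again, so RENDER is re-authorized
     * against the current session state on every request.
     */
    public boolean isActionAuthorized(Component component, Action action) {
        if (Component.RENDER.equals(action) && isSecured(component.getClass())) {
            return sessionAllows();
        }
        return true; // other actions (e.g. ENABLE) are left to the page itself
    }
}
```

How Wicket reacts to a denied RENDER on a page (error page, exception) differs between versions, so the application should also install an IUnauthorizedComponentInstantiationListener that redirects to the login page rather than leaving the user on a blank response.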