wicket-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Bresnahan <gudujarl...@gmail.com>
Subject Nested Redirects and REDIRECT_TO_BUFFER
Date Tue, 26 Aug 2014 21:44:08 GMT
Short story:

I have a scenario where the render strategy is REDIRECT_TO_BUFFER and there
are 2 nested redirects. The observed behavior is that the first page gets
displayed rather than the second page. The scenario goes like this:

1) A user logs in and goes idle.
2) The session expires
3) The user clicks on an AJAX button
4) Browser sends AJAX request to server
5) My AuthenticatedWebApplication.onException() override is called with an
instance of PageExpiredException and returns new
RenderPageRequestHandler(new PageProvider(new SessionTimeoutPage(null)));
6) Wicket renders SessionTimeoutPage and saves it in a buffer.
7) Wicket responds with an AJAX redirect order
8) Browser sends request for SessionTimeoutPage
9) For reasons I discuss below, my
AuthenticatedWebApplication.onBeginRequest() override tosses a custom
runtime exception.
10) My AuthenticatedWebApplication.onException() override is called with an
instance of the custom runtime exception and returns new
RenderPageRequestHandler(new PageProvider(new LandingPage(null)));
11) Wicket responds with the buffered response which contains
SessionTimeoutPage instead of rendering LandingPage and responding with the

My observation is that SessionTimeoutPage is displayed to the user, but my
expectation is that LandingPage is displayed to the user.

I googled on the problem and also studied the source code
(WebPageRenderer.respond() in particular), but I did not any elegant way to
accomplish what I want. It seems that it is not possible to redirect more
than one time in a row when the render strategy is REDIRECT_TO_BUFFER. What
I did discover is that I can clear the render buffer by
calling WebApplication.getAndRemoveBufferedResponse(), but I am uneasy with
this solution since it seems like I am playing with Wicket internals;
albeit the function is public.

Is there a better way?

Long Story:

I am integrating Oracle Access Manager with a Wicket 1.5 app to enable a
sign-sign-on feature. OAM has a component called webgate that consists of a
Apache module. Requests from the browser travel through Apache/Webgate on
their way to the Wicket app running in WebLogic. Webgate redirects the user
to a login page if they are not authenticated. If the user is
authenticated, Webgate adds some HTTP headers to the requests that contain
information about the authenticated user (name, roles, etc). In the Wicket
session constructor I look for these headers and auto-sign-in the user if
they are present; effectively bypassing the Wicket application login page.

The first issue I encountered is that if the browser sends an AJAX call
when the OAM session has expired, OAM sends a 302 redirect to the OAM login
page and the browser ignores it. This causes the app to become unresponsive
when the user interacts with AJAX controls. I worked around this by
configuring OAM to not "protect" AJAX calls. This prevents redirects from
occurring during AJAX requests, but it also prevents the OAM headers from
being added to AJAX requests.

The second issue I encountered is that if the browser sends an AJAX call
when the Wicket session has timed out, the session constructor gets called
during the AJAX call when the headers are not present and thus the user
does not get auto-signed-in. Instead they are presented with the session
timeout page. I worked around this by adding additional code to the
AuthenticatedWebApplication.onBeginRequest() override that looks for the
OAM headers and tosses a custom runtime exception if they are detected and
code in onException() that redirects to the landing page.

Is there a better way?

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message