In Wicket 9, when the user's session expires in certain pages, they are redirected to the login page not the Session Expired page

Question

While upgrading some legacy code from Wicket 1.5 to Wicket 9, I found that redirection to a "Session expired" notification page seems to be partially broken.

I have the following statement, which always used to work before, in the main application file:

getApplicationSettings().setPageExpiredErrorPage(MyErrorPage.class);

Here is the scenario which should trigger redirection to "MyErrorPage":

1. The user successfully logs in and goes into any menu option.
2. They sit around for a while, doing nothing, and their session times out.
3. After this period of inactivity, they click on a link or attempt to submit a form.
4. At this point, they ought to be redirected to "MyErrorPage".

The menu option invoked in point (1) - lets call it MyMenuPage - could have been invoked with two possible types of syntax: Either:

setResponsePage(MyMenuPage.class);

Or:

setResponsePage(new MyMenuPage(params));

It seems that the user will only be redirected to my custom error page if the original menu page was invoked with the SECOND syntax.

If the original page was invoked with the FIRST syntax, the user is sent straight to the login page, without any explanation about the fact that their page has expired.

Please can someone advise me how to get the same result in both types of page - which are not stateless, because the user has logged in.

Answer 1

There is a difference between page being expired and http session expiration.

As PageExpiredException's javadoc [I] explains there are three possible reasons for it:

• the page have never been stored there, eg an error occurred during the storing process
• the http session has expired and thus all pages related to this session are erased too
• the page instance has been erased because the store size is exceeded

Wicket stores all stateful pages on the disk. Later when you use such page, eg by clicking a link, Wicket loads the page instance, executes the click, and render the response.

If the http session is expired then most probably your authentication strategy kicks in and redirects to the login page without even trying to load the old page. If you use Component#continueToOriginalDestination() after successful login then the user will be navigated to a new instance of the old page.

To summarize:

• if the http session expires then your application redirect to the LoginPage
• if a page instance is expired then by default Wicket will create a new instance of it (see PageSettings#setRecreateBookmarkablePagesAfterExpiry(boolean) ) or show the configured getApplicationSettings().setPageExpiredErrorPage(MyPage.class); will be rendered

To debug what happens in your case put some breakpoints at the following places:

1. https://github.com/apache/wicket/blob/6a7e4c3d770324f125fbf43615c7708b67c8d8c5/wicket-core/src/main/java/org/apache/wicket/Component.java#L1061
2. https://github.com/apache/wicket/blob/6a7e4c3d770324f125fbf43615c7708b67c8d8c5/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebApplication.java#L134

I. https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/protocol/http/PageExpiredException.java#L31

Answer 2

Seems like I just have to work round this by always using the following syntax:

setResponsePage(new MyPage());

This is not the end of the world, because at least I don't have to pass any parameters in, in order to trigger the required "Go to session expired page" behaviour.