Zip, Git, RSS, RPC, and Pages all depend on AuthenticationFilter, so in your setup none
of them will work properly.  :(
AuthenticationFilter and those servlets have nothing to do with Wicket which is why
your WicketFilter does not work here.

Matthias and I discussed your SAML2 architecture a while ago.  In re-reading his message
it looks like there is a container-supplied UserPrincipal in the request which perhaps
can be directly checked/used and then mapped to a UserModel.  For now, maybe inject
something like this in AuthenticationFilter.getUser()...

protected UserModel getUser(HttpServletRequest httpRequest) {
    UserModel user = null;
    // look for a container-supplied user principal
    if (httpRequest.getUserPrincipal() != null) {
        Principal principal = httpRequest.getUserPrincipal();
        String name = principal.getName();
        if (!StringUtils.isEmpty(name)) {
            user = GitBlit.self().getUserModel(name);
            if (user == null) {
                // maybe create user? or at least instantiate a temporary UserModel?
            } else {
                return user;
            }
        }
    }

From my exchange with Matthias:
"We use SAML2 [1] to get single-sign-on as we have a couple more systems used by developers
which all require authentication. 
In order to prevent the need to manually login to all these different systems we use
the client certificate based single-sign-on
solution which uses our SAML2 based identity management server on the server side which
is provided by our IT department. 

This is transparent to the application, it requires to add some security constraints
to the application's web.xml to instruct
the web container that it should care for authentication. Requests which can't be authenticated
by the container will never
reach the application. Requests which have successfully authenticated reach the application
which gets the authenticated
user by calling HttpServletRequest.html.getUserPrincipal(). Gerrit allows to configure
which HTTP header will have the
user principal name, this allows integration with application servers which do not
strictly follow the servlet spec."

Hi James,

thanks for your quick response. 

We found the following (easy) workaround: We ensure that our own Wicket-Filter is the
first one in the queue. Then it runs before any other Filter inheriting from AuthenticationFilter
wraps the request. We do it by putting the declaration of our Filter before all others
in the web.xml. I'm however not sure if we can rely on the order. But currently it
works.

Yes, we can get the user from the request with httpRequest.getUserPrincipal().

When I have time I can contribute something like you proposed. Do you think it would
be valuable also for other?

Stefan

Good fix.  I'm 99% sure that order is preserved on servlet filters for precisely your
use-case.

Don't worry about contributing the above code, I will take care of that and test it
with a Tomcat realm or something like that.  I would be interested in your SAML2 WicketFilter,
if that is not too site-specific.

Master now supports authentication for Wicket and the servlets via the servlet container
principal, if available.

v1.2.0 has been deployed.