Posted to commits@wicket.apache.org by eh...@apache.org on 2007/04/16 04:24:32 UTC
svn commit: r529120 - in
/incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src:
main/java/org/apache/wicket/protocol/http/
main/java/org/apache/wicket/protocol/http/servlet/
main/java/org/apache/wicket/settings/ test/java/org/apache/wicket/
test/jav...
Author: ehillenius
Date: Sun Apr 15 19:24:31 2007
New Revision: 529120
URL: http://svn.apache.org/viewvc?view=rev&rev=529120
Log:
WICKET-411
Added:
incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/TestPage.html
- copied unchanged from r529101, incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/MixedParamUrlCodingStrategyTest$TestPage.html
Removed:
incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/HomePageRedirectTest.java
incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/MixedParamUrlCodingStrategyTest$TestPage.html
Modified:
incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/WebRequestCycleProcessor.java
incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/AbortWithWebErrorCodeException.java
incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/ISecuritySettings.java
incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/PackageRequestTargetUrlCodingStrategyTest.java
Modified: incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/WebRequestCycleProcessor.java
URL: http://svn.apache.org/viewvc/incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/WebRequestCycleProcessor.java?view=diff&rev=529120&r1=529119&r2=529120
==============================================================================
--- incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/WebRequestCycleProcessor.java (original)
+++ incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/WebRequestCycleProcessor.java Sun Apr 15 19:24:31 2007
@@ -16,7 +16,12 @@
*/
package org.apache.wicket.protocol.http;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.apache.wicket.AccessStackPageMap;
+import org.apache.wicket.Application;
import org.apache.wicket.Component;
import org.apache.wicket.IPageMap;
import org.apache.wicket.IRequestTarget;
@@ -26,6 +31,7 @@
import org.apache.wicket.Session;
import org.apache.wicket.AccessStackPageMap.Access;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
+import org.apache.wicket.protocol.http.servlet.AbortWithWebErrorCodeException;
import org.apache.wicket.request.AbstractRequestCycleProcessor;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.RequestParameters;
@@ -40,6 +46,8 @@
*/
public class WebRequestCycleProcessor extends AbstractRequestCycleProcessor
{
+ private static final Log log = LogFactory.getLog(WebRequestCycleProcessor.class);
+
/**
* Construct.
*/
@@ -54,11 +62,53 @@
public IRequestTarget resolve(final RequestCycle requestCycle,
final RequestParameters requestParameters)
{
+ // First, see whether we can find any mount
+ IRequestCodingStrategy requestCodingStrategy = requestCycle.getProcessor()
+ .getRequestCodingStrategy();
+ IRequestTarget mounted = requestCodingStrategy.targetForRequest(requestParameters);
+
+ // If we've found a mount, only use it if the componentPath is null.
+ // Otherwise, we'll service it later with the components.
+ if (mounted != null)
+ {
+ if (mounted instanceof IBookmarkablePageRequestTarget)
+ {
+ IBookmarkablePageRequestTarget bookmarkableTarget = (IBookmarkablePageRequestTarget)mounted;
+ // the path was mounted, so return that directly
+ if (requestParameters.getComponentPath() != null
+ && requestParameters.getInterfaceName() != null)
+ {
+ final String componentPath = requestParameters.getComponentPath();
+ final Page page = Session.get().getPage(requestParameters.getPageMapName(),
+ componentPath, requestParameters.getVersionNumber());
+
+ if (page != null && page.getClass() == bookmarkableTarget.getPageClass())
+ {
+ return resolveListenerInterfaceTarget(requestCycle, page, componentPath,
+ requestParameters.getInterfaceName(), requestParameters);
+ }
+ else
+ {
+ PageParameters params = new PageParameters(requestParameters
+ .getParameters());
+ return new BookmarkableListenerInterfaceRequestTarget(requestParameters
+ .getPageMapName(), bookmarkableTarget.getPageClass(), params,
+ requestParameters.getComponentPath(), requestParameters
+ .getInterfaceName());
+ }
+ }
+ }
+
+ return mounted;
+ }
+
final String path = requestParameters.getPath();
+ IRequestTarget target = null;
+
// See whether this request points to a bookmarkable page
if (requestParameters.getBookmarkablePageClass() != null)
{
- return resolveBookmarkablePage(requestCycle, requestParameters);
+ target = resolveBookmarkablePage(requestCycle, requestParameters);
}
// See whether this request points to a rendered page
else if (requestParameters.getComponentPath() != null)
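Review bot: The comment carried over above `if (mounted != null)` no longer describes the code. It says the mount is used "only if the componentPath is null" and otherwise serviced "later with the components", but with the lookup moved to the top of `resolve` every non-null mount returns from inside this block and nothing is deferred. I would replace it with something like `// A mount always wins: listener requests on a mounted bookmarkable page are resolved here, everything else returns the mounted target as is.` The inner comment `// the path was mounted, so return that directly` sits above the listener-interface branch and would read better next to `return mounted;`. The body of `resolve` continues past the end of this hunk.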
@@ -119,8 +169,7 @@
}
else
{
- // TODO also this should work.. also forward port to
- // 2.0!!!
+ // TODO also this should work..
}
}
@@ -128,7 +177,7 @@
}
if (processRequest)
{
- return resolveRenderedPage(requestCycle, requestParameters);
+ target = resolveRenderedPage(requestCycle, requestParameters);
}
else
{
@@ -138,57 +187,35 @@
// See whether this request points to a shared resource
else if (requestParameters.getResourceKey() != null)
{
- return resolveSharedResource(requestCycle, requestParameters);
+ target = resolveSharedResource(requestCycle, requestParameters);
}
// See whether this request points to the home page
else if (Strings.isEmpty(path) || ("/".equals(path)))
{
- return resolveHomePageTarget(requestCycle, requestParameters);
+ target = resolveHomePageTarget(requestCycle, requestParameters);
}
- // Lastly, see whether we can find any mount
- IRequestTarget mounted = requestCycle.getProcessor().getRequestCodingStrategy()
- .targetForRequest(requestParameters);
-
- // If we've found a mount, only use it if the componentPath is null.
- // Otherwise, we'll service it later with the components.
- if (mounted != null)
+ if (target != null)
{
- if (mounted instanceof IBookmarkablePageRequestTarget)
+ if (Application.get().getSecuritySettings().getEnforceMounts()
+ && requestCodingStrategy.pathForTarget(target) != null)
{
- IBookmarkablePageRequestTarget bookmarkableTarget = (IBookmarkablePageRequestTarget)mounted;
- // the path was mounted, so return that directly
- if (requestParameters.getComponentPath() != null
- && requestParameters.getInterfaceName() != null)
- {
- final String componentPath = requestParameters.getComponentPath();
- final Page page = Session.get().getPage(requestParameters.getPageMapName(),
- componentPath, requestParameters.getVersionNumber());
-
- if (page != null && page.getClass() == bookmarkableTarget.getPageClass())
- {
- return resolveListenerInterfaceTarget(requestCycle, page, componentPath,
- requestParameters.getInterfaceName(), requestParameters);
- }
- else
- {
- PageParameters params = new PageParameters(requestParameters
- .getParameters());
- return new BookmarkableListenerInterfaceRequestTarget(requestParameters
- .getPageMapName(), bookmarkableTarget.getPageClass(), params,
- requestParameters.getComponentPath(), requestParameters
- .getInterfaceName());
- }
- }
+ String msg = "Direct access not allowed for mounted targets";
+ // the target was mounted, but we got here via another path
+ // : deny the request
+ log.error(msg + " [request=" + requestCycle.getRequest() + ",target=" + target
+ + ",session=" + Session.get() + "]");
+ throw new AbortWithWebErrorCodeException(HttpServletResponse.SC_FORBIDDEN, msg);
}
- return mounted;
+ return target;
+ }
+ else
+ {
+ // if we get here, we have no regconized Wicket target, and thus
+ // regard this as a external (non-wicket) resource request on
+ // this server
+ return resolveExternalResource(requestCycle);
}
-
-
- // if we get here, we have no regconized Wicket target, and thus
- // regard this as a external (non-wicket) resource request on
- // this server
- return resolveExternalResource(requestCycle);
}
/**
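Review bot: The denial branch calls `log.error` with `requestCycle.getRequest()` and `Session.get()` concatenated into the message, for a condition that any remote client can trigger by asking for a mounted page through the `wicket:bookmarkablePage` parameter. What those `toString()` methods emit is not visible here, but if they include the raw URL or the session id, this puts unsanitised request text and a session identifier into the error log and lets a client fill it on demand; `log.warn(msg + " [target=" + target + "]");` would be enough for diagnosis. Separately, the home-page branch also feeds this check, so if the home page class is itself mounted then `pathForTarget(target)` presumably returns its mount path and a request for "/" would get a 403; that case deserves a test or an explicit exemption. The start of `resolve` lies outside this hunk.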
Modified: incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/AbortWithWebErrorCodeException.java
URL: http://svn.apache.org/viewvc/incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/AbortWithWebErrorCodeException.java?view=diff&rev=529120&r1=529119&r2=529120
==============================================================================
--- incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/AbortWithWebErrorCodeException.java (original)
+++ incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/servlet/AbortWithWebErrorCodeException.java Sun Apr 15 19:24:31 2007
@@ -16,6 +16,8 @@
*/
package org.apache.wicket.protocol.http.servlet;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.wicket.AbortException;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.protocol.http.request.WebErrorCodeResponseTarget;
@@ -33,6 +35,8 @@
{
private static final long serialVersionUID = 1L;
+ private final int errorCode;
+
/**
* Construct.
*
@@ -58,6 +62,18 @@
*/
public AbortWithWebErrorCodeException(int errorCode, String message)
{
+ this.errorCode = errorCode;
RequestCycle.get().setRequestTarget(new WebErrorCodeResponseTarget(errorCode, message));
+ }
+
+ /**
+ * Gets the error code.
+ *
+ * @return errorCode
+ * @see HttpServletResponse
+ */
+ public int getErrorCode()
+ {
+ return errorCode;
}
}
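Review bot: The Javadoc on the new `getErrorCode()` says only "Gets the error code" with a bare `@see HttpServletResponse`, which does not tell a caller that the value is the HTTP status handed to the constructor. I would write `@return the HTTP status code this exception was created with, e.g. {@link HttpServletResponse#SC_FORBIDDEN}`. Because `errorCode` is declared `final`, every constructor has to assign it; only the two-argument constructor is visible in this hunk, so it is worth confirming that the others delegate to it.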
Modified: incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/ISecuritySettings.java
URL: http://svn.apache.org/viewvc/incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/ISecuritySettings.java?view=diff&rev=529120&r1=529119&r2=529120
==============================================================================
--- incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/ISecuritySettings.java (original)
+++ incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/ISecuritySettings.java Sun Apr 15 19:24:31 2007
@@ -53,6 +53,16 @@
ICryptFactory getCryptFactory();
/**
+ * Gets whether mounts should be enforced. If true, requests for mounted
+ * targets have to done through the mounted paths. If, for instance, a
+ * bookmarkable page is mounted to a path, a request to that same page via
+ * the bookmarkablePage parameter will be denied.
+ *
+ * @return Whether mounts should be enforced
+ */
+ boolean getEnforceMounts();
+
+ /**
* @return The listener
* @see IUnauthorizedComponentInstantiationListener
*/
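Review bot: The Javadoc for `getEnforceMounts()` reads "have to done through the mounted paths" and states neither the default nor what a denied request receives. Suggested wording: `If true, requests for mounted targets have to be done through the mounted paths; direct requests are denied with HTTP 403. Defaults to false.` The same sentence is repeated on `setEnforceMounts` in the next hunk and on the `enforceMounts` field in Settings.java, where the `false` default is set, so all three should be corrected together.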
@@ -80,6 +90,17 @@
* @param cryptFactory
*/
void setCryptFactory(ICryptFactory cryptFactory);
+
+ /**
+ * Sets whether mounts should be enforced. If true, requests for mounted
+ * targets have to done through the mounted paths. If, for instance, a
+ * bookmarkable page is mounted to a path, a request to that same page via
+ * the bookmarkablePage parameter will be denied.
+ *
+ * @param enforce
+ * Whether mounts should be enforced
+ */
+ void setEnforceMounts(boolean enforce);
/**
* @param unauthorizedComponentInstantiationListener
Modified: incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
URL: http://svn.apache.org/viewvc/incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java?view=diff&rev=529120&r1=529119&r2=529120
==============================================================================
--- incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java (original)
+++ incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java Sun Apr 15 19:24:31 2007
@@ -148,6 +148,14 @@
private String defaultMarkupEncoding;
/**
+ * Whether mounts should be enforced. If true, requests for mounted targets
+ * have to done through the mounted paths. If, for instance, a bookmarkable
+ * page is mounted to a path, a request to that same page via the
+ * bookmarkablePage parameter will be denied.
+ */
+ private boolean enforceMounts = false;
+
+ /**
* Whether Wicket should try to get extensive client info by redirecting to
* {@link BrowserInfoPage a page that polls for client capabilities}. This
* method is used by the default implementation of {@link #newClientInfo()},
@@ -509,6 +517,14 @@
}
/**
+ * @see wicket.settings.ISecuritySettings#getEnforceMounts()
+ */
+ public boolean getEnforceMounts()
+ {
+ return enforceMounts;
+ }
+
+ /**
* @see org.apache.wicket.settings.IRequestCycleSettings#getGatherExtendedBrowserInfo()
*/
public boolean getGatherExtendedBrowserInfo()
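Review bot: The `@see` tag on the new getter points at `wicket.settings.ISecuritySettings#getEnforceMounts()`, a package name that does not match the `org.apache.wicket.settings` prefix used by the neighbouring tag on `getGatherExtendedBrowserInfo()`, so the Javadoc link will not resolve. It should read `@see org.apache.wicket.settings.ISecuritySettings#getEnforceMounts()`. The setter hunk further down has the same stale prefix on `setEnforceMounts(boolean)`.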
@@ -940,6 +956,14 @@
public void setDefaultMarkupEncoding(final String encoding)
{
this.defaultMarkupEncoding = encoding;
+ }
+
+ /**
+ * @see wicket.settings.ISecuritySettings#setEnforceMounts(boolean)
+ */
+ public void setEnforceMounts(boolean enforce)
+ {
+ this.enforceMounts = enforce;
}
/**
Modified: incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/PackageRequestTargetUrlCodingStrategyTest.java
URL: http://svn.apache.org/viewvc/incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/PackageRequestTargetUrlCodingStrategyTest.java?view=diff&rev=529120&r1=529119&r2=529120
==============================================================================
--- incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/PackageRequestTargetUrlCodingStrategyTest.java (original)
+++ incubator/wicket/branches/wicket-1.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/PackageRequestTargetUrlCodingStrategyTest.java Sun Apr 15 19:24:31 2007
@@ -16,9 +16,13 @@
*/
package org.apache.wicket.request.target.coding;
+import javax.servlet.http.HttpServletResponse;
+
import junit.framework.TestCase;
import org.apache.wicket.WicketRuntimeException;
+import org.apache.wicket.protocol.http.servlet.AbortWithWebErrorCodeException;
+import org.apache.wicket.settings.ISecuritySettings;
import org.apache.wicket.util.lang.PackageName;
import org.apache.wicket.util.tester.WicketTester;
@@ -27,12 +31,12 @@
*/
public class PackageRequestTargetUrlCodingStrategyTest extends TestCase
{
- WicketTester tester;
+ private WicketTester tester;
/**
* Tests mounting.
*/
- public void test1()
+ public void testBadRequest1()
{
tester.getServletRequest().setPath("/mount/XXXpoint");
assertNull(getRequestCodingStrategy());
@@ -41,7 +45,7 @@
/**
* Tests mounting.
*/
- public void test2()
+ public void testBadRequest2()
{
tester.getServletRequest().setPath("/mount/pointXXX");
assertNull(getRequestCodingStrategy());
@@ -50,63 +54,123 @@
/**
* Tests mounting.
*/
- public void test3()
+ public void testBadRequest3()
{
- tester.getServletRequest().setPath("/mount/point");
+ tester.getServletRequest().setPath("/mount/point/nonexistent.TestPage");
IRequestTargetUrlCodingStrategy ucs = getRequestCodingStrategy();
assertNotNull(ucs);
- assertNull(ucs.decode(tester.getWicketRequest().getRequestParameters()));
+ try
+ {
+ ucs.decode(tester.getWicketRequest().getRequestParameters());
+ fail("decode() should have raised a WicketRuntimeException!");
+ }
+ catch (WicketRuntimeException e)
+ {
+ assertEquals(
+ "Unable to load class with name: org.apache.wicket.request.target.coding.nonexistent.TestPage",
+ e.getMessage());
+ }
}
/**
- * Tests mounting.
+ * Test direct access (with wicket parameters) to a mounted page that should
+ * be allowed.
*/
- public void test4()
+ public void testDirectAccessToMountedPageAllowed()
{
- tester.getServletRequest().setPath("/mount/point/TestPage");
- IRequestTargetUrlCodingStrategy ucs = getRequestCodingStrategy();
- assertNotNull(ucs);
- assertNotNull(ucs.decode(tester.getWicketRequest().getRequestParameters()));
+ tester.getApplication().getSecuritySettings().setEnforceMounts(false);
+
+ tester.setupRequestAndResponse();
+ tester.getServletRequest().setURL(
+ "?wicket:bookmarkablePage=:" + TestPage.class.getName() + "");
+ tester.processRequestCycle();
+ tester.assertRenderedPage(TestPage.class);
}
/**
- * Tests mounting.
+ * Test direct access (with wicket parameters) to a mounted page that should
+ * NOT be allowed due to the {@link ISecuritySettings#getEnforceMounts()}
+ * setting being set to true.
*/
- public void test5()
+ public void testDirectAccessToMountedPageNotAllowed()
{
- tester.getServletRequest().setPath("/mount/point/nonexistent.TestPage");
- IRequestTargetUrlCodingStrategy ucs = getRequestCodingStrategy();
- assertNotNull(ucs);
+ tester.getApplication().getSecuritySettings().setEnforceMounts(true);
+
+ tester.setupRequestAndResponse();
+ tester.getServletRequest().setURL(
+ "?wicket:bookmarkablePage=:" + TestPage.class.getName() + "");
try
{
- ucs.decode(tester.getWicketRequest().getRequestParameters());
- fail("decode() should have raised a WicketRuntimeException!");
+ tester.processRequestCycle();
+ fail("This request should not have been allowed");
}
- catch (WicketRuntimeException e)
+ catch (AbortWithWebErrorCodeException e)
{
- assertEquals(
- "Unable to load class with name: org.apache.wicket.request.target.coding.nonexistent.TestPage",
- e.getMessage());
+ assertEquals(e.getErrorCode(), HttpServletResponse.SC_FORBIDDEN);
}
}
- protected void setUp() throws Exception
+ /**
+ * Test mount access to a mounted page that should be allowed.
+ */
+ public void testMountAccessToMountedPageAllowed()
{
- tester = new WicketTester();
- tester.getApplication().mount("/mount/point", PackageName.forClass(TestPage.class));
+ tester.getApplication().getSecuritySettings().setEnforceMounts(false);
+
tester.setupRequestAndResponse();
+ tester.getServletRequest().setURL("/mount/point/TestPage");
+ tester.processRequestCycle();
+ tester.assertRenderedPage(TestPage.class);
}
- protected void tearDown() throws Exception
+ /**
+ * Tests mounting.
+ */
+ public void testValidMount1()
{
- tester.destroy();
+ tester.getServletRequest().setPath("/mount/point");
+ IRequestTargetUrlCodingStrategy ucs = getRequestCodingStrategy();
+ assertNotNull(ucs);
+ assertNull(ucs.decode(tester.getWicketRequest().getRequestParameters()));
+ }
+
+ /**
+ * Tests mounting.
+ */
+ public void testValidMount2()
+ {
+ tester.getServletRequest().setPath("/mount/point/TestPage");
+ IRequestTargetUrlCodingStrategy ucs = getRequestCodingStrategy();
+ assertNotNull(ucs);
+ assertNotNull(ucs.decode(tester.getWicketRequest().getRequestParameters()));
}
- IRequestTargetUrlCodingStrategy getRequestCodingStrategy()
+ /**
+ * @return request coding strategy for this test.
+ */
+ private IRequestTargetUrlCodingStrategy getRequestCodingStrategy()
{
String relativePath = tester.getApplication().getWicketFilter().getRelativePath(
tester.getServletRequest());
return tester.getApplication().getRequestCycleProcessor().getRequestCodingStrategy()
.urlCodingStrategyForPath(relativePath);
+ }
+
+ /**
+ * @see junit.framework.TestCase#setUp()
+ */
+ protected void setUp() throws Exception
+ {
+ tester = new WicketTester();
+ tester.getApplication().mount("/mount/point", PackageName.forClass(TestPage.class));
+ tester.setupRequestAndResponse();
+ }
+
+ /**
+ * @see junit.framework.TestCase#tearDown()
+ */
+ protected void tearDown() throws Exception
+ {
+ tester.destroy();
}
}
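Review bot: Nothing in the new tests requests the mounted path while enforcement is switched on: `testMountAccessToMountedPageAllowed` sets `setEnforceMounts(false)`, so a regression in which the check also rejects `/mount/point/TestPage` would go unnoticed. I would add the case below. In `testDirectAccessToMountedPageNotAllowed` the arguments of `assertEquals` are reversed; JUnit expects the expected value first, `assertEquals(HttpServletResponse.SC_FORBIDDEN, e.getErrorCode());`, otherwise a failure message reports the two values the wrong way round.

```java
// … unchanged: existing test methods …

/**
 * Test mount access to a mounted page while mounts are enforced; the
 * mounted path itself must still be served.
 */
public void testMountAccessToMountedPageAllowedWhenEnforced()
{
	tester.getApplication().getSecuritySettings().setEnforceMounts(true);

	tester.setupRequestAndResponse();
	tester.getServletRequest().setURL("/mount/point/TestPage");
	tester.processRequestCycle();
	tester.assertRenderedPage(TestPage.class);
}
```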