You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2013/03/12 19:49:54 UTC
Re: git commit: WICKET-5094 enforce mount for mounted pages only
Hi Sven,
I haven't used this setting in 1.3/1.4 but as far as I understood the
feature its purpose it to disallow requests to pages via
/wicket/bookmarkable/my.package.MyPage completely.
This feature has been lost in the early 1.5 days and then some user asked
for it and with his help I re-introduced it. Igor also gave me his '+1' on
this.
I personally don't see much value in the new implementation. Since the
setting is in ISecuritySettings I think that it should reject access by
name to the pages completely, not just for the mounted pages.
On Tue, Mar 12, 2013 at 4:05 PM, <sv...@apache.org> wrote:
> Updated Branches:
> refs/heads/wicket-1.5.x 2a7ba5ef1 -> 34735e027
>
>
> WICKET-5094 enforce mount for mounted pages only
>
>
> Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
> Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/34735e02
> Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/34735e02
> Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/34735e02
>
> Branch: refs/heads/wicket-1.5.x
> Commit: 34735e027071bba98100f3fc291c667959b46eee
> Parents: 2a7ba5e
> Author: svenmeier <sv...@apache.org>
> Authored: Tue Mar 12 15:26:49 2013 +0100
> Committer: svenmeier <sv...@apache.org>
> Committed: Tue Mar 12 15:26:49 2013 +0100
>
> ----------------------------------------------------------------------
> .../wicket/request/mapper/BookmarkableMapper.java | 29 +++++++++++----
> .../wicket/settings/ISecuritySettingsTest.java | 8 ++++
> 2 files changed, 29 insertions(+), 8 deletions(-)
> ----------------------------------------------------------------------
>
>
>
> http://git-wip-us.apache.org/repos/asf/wicket/blob/34735e02/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
> ----------------------------------------------------------------------
> diff --git
> a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
> b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
> index 759f389..eb917e1 100644
> ---
> a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
> +++
> b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
> @@ -20,6 +20,8 @@ import org.apache.wicket.Application;
> import org.apache.wicket.request.Request;
> import org.apache.wicket.request.Url;
> import org.apache.wicket.request.component.IRequestablePage;
> +import org.apache.wicket.request.handler.PageProvider;
> +import org.apache.wicket.request.handler.RenderPageRequestHandler;
> import org.apache.wicket.request.mapper.info.PageComponentInfo;
> import org.apache.wicket.request.mapper.parameter.IPageParametersEncoder;
> import org.apache.wicket.request.mapper.parameter.PageParameters;
> @@ -91,14 +93,6 @@ public class BookmarkableMapper extends
> AbstractBookmarkableMapper
> @Override
> protected UrlInfo parseRequest(Request request)
> {
> - if (Application.exists())
> - {
> - if
> (Application.get().getSecuritySettings().getEnforceMounts())
> - {
> - return null;
> - }
> - }
> -
> Url url = request.getUrl();
> if (matches(url))
> {
> @@ -111,6 +105,25 @@ public class BookmarkableMapper extends
> AbstractBookmarkableMapper
>
> if (pageClass != null &&
> IRequestablePage.class.isAssignableFrom(pageClass))
> {
> + if (Application.exists())
> + {
> + Application application =
> Application.get();
> +
> + if
> (application.getSecuritySettings().getEnforceMounts())
> + {
> + // we make an excepion if
> the homepage itself was mounted, see WICKET-1898
> + if
> (!pageClass.equals(application.getHomePage()))
> + {
> + // WICKET-5094
> only enforce mount if page is mounted
> + Url reverseUrl =
> application.getRootRequestMapper().mapHandler(
> + new
> RenderPageRequestHandler(new PageProvider(pageClass)));
> + if
> (!matches(reverseUrl))
> + {
> + return
> null;
> + }
> + }
> + }
> + }
>
> // extract the PageParameters from URL if
> there are any
> PageParameters pageParameters =
> extractPageParameters(request, 3,
>
>
> http://git-wip-us.apache.org/repos/asf/wicket/blob/34735e02/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
> ----------------------------------------------------------------------
> diff --git
> a/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
> b/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
> index ddcde75..7822531 100644
> ---
> a/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
> +++
> b/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
> @@ -58,6 +58,14 @@ public class ISecuritySettingsTest extends
> WicketTestCase
> tester.assertRenderedPage(UnknownPage.class);
>
>
> tester.getApplication().getSecuritySettings().setEnforceMounts(true);
> +
> + tester.startPage(pageWithLink);
> + tester.assertRenderedPage(MockPageWithLink.class);
> + tester.clickLink(MockPageWithLink.LINK_ID);
> + tester.assertRenderedPage(UnknownPage.class);
> +
> + tester.getApplication().mountPackage("unknown",
> UnknownPage.class);
> +
> tester.startPage(pageWithLink);
> tester.assertRenderedPage(MockPageWithLink.class);
> tester.clickLink(MockPageWithLink.LINK_ID);
>
>
--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com <http://jweekend.com/>
Re: git commit: WICKET-5094 enforce mount for mounted pages only
Posted by Sven Meier <sv...@meiers.net>.
Hi Martin,
we have an application with some mounted pages and some not mounted.
With #setEnforceMounts(true) all redirects to non-mounted pages will fail.
This is clearly not what this feature was meant for: WICKET-5094 just
restores the old behavior as it was in 1.4.x and how it was working in
our application before migration to WIcket 6.
ISecuritySettings' javadoc:
/**
* Gets whether mounts should be enforced. If true, requests for
mounted targets have to done
* through the mounted paths. If, for instance, a bookmarkable page
is mounted to a path, a
* request to that same page via the bookmarkablePage parameter
will be denied.
*
* @return Whether mounts should be enforced
*/
boolean getEnforceMounts();
WebRequestCycleProcessor.java in 1.4.x:
if (Application.get().getSecuritySettings().getEnforceMounts() &&
requestCodingStrategy.pathForTarget(target) != null)
Note the check for pathForTarget(target).
If *all* requests to /wicket/bookmarkable/* should be disallowed, you
can just remove the BookmarkableMapper.
> Igor also gave me his '+1' on this.
Perhaps Igor can confirm my findings.
Regards
Sven
On 03/12/2013 07:49 PM, Martin Grigorov wrote:
> Hi Sven,
>
> I haven't used this setting in 1.3/1.4 but as far as I understood the
> feature its purpose it to disallow requests to pages via
> /wicket/bookmarkable/my.package.MyPage completely.
> This feature has been lost in the early 1.5 days and then some user asked
> for it and with his help I re-introduced it. Igor also gave me his '+1' on
> this.
>
> I personally don't see much value in the new implementation. Since the
> setting is in ISecuritySettings I think that it should reject access by
> name to the pages completely, not just for the mounted pages.
>
>
>
>
>
> On Tue, Mar 12, 2013 at 4:05 PM, <sv...@apache.org> wrote:
>
>> Updated Branches:
>> refs/heads/wicket-1.5.x 2a7ba5ef1 -> 34735e027
>>
>>
>> WICKET-5094 enforce mount for mounted pages only
>>
>>
>> Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
>> Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/34735e02
>> Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/34735e02
>> Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/34735e02
>>
>> Branch: refs/heads/wicket-1.5.x
>> Commit: 34735e027071bba98100f3fc291c667959b46eee
>> Parents: 2a7ba5e
>> Author: svenmeier <sv...@apache.org>
>> Authored: Tue Mar 12 15:26:49 2013 +0100
>> Committer: svenmeier <sv...@apache.org>
>> Committed: Tue Mar 12 15:26:49 2013 +0100
>>
>> ----------------------------------------------------------------------
>> .../wicket/request/mapper/BookmarkableMapper.java | 29 +++++++++++----
>> .../wicket/settings/ISecuritySettingsTest.java | 8 ++++
>> 2 files changed, 29 insertions(+), 8 deletions(-)
>> ----------------------------------------------------------------------
>>
>>
>>
>> http://git-wip-us.apache.org/repos/asf/wicket/blob/34735e02/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
>> ----------------------------------------------------------------------
>> diff --git
>> a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
>> b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
>> index 759f389..eb917e1 100644
>> ---
>> a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
>> +++
>> b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
>> @@ -20,6 +20,8 @@ import org.apache.wicket.Application;
>> import org.apache.wicket.request.Request;
>> import org.apache.wicket.request.Url;
>> import org.apache.wicket.request.component.IRequestablePage;
>> +import org.apache.wicket.request.handler.PageProvider;
>> +import org.apache.wicket.request.handler.RenderPageRequestHandler;
>> import org.apache.wicket.request.mapper.info.PageComponentInfo;
>> import org.apache.wicket.request.mapper.parameter.IPageParametersEncoder;
>> import org.apache.wicket.request.mapper.parameter.PageParameters;
>> @@ -91,14 +93,6 @@ public class BookmarkableMapper extends
>> AbstractBookmarkableMapper
>> @Override
>> protected UrlInfo parseRequest(Request request)
>> {
>> - if (Application.exists())
>> - {
>> - if
>> (Application.get().getSecuritySettings().getEnforceMounts())
>> - {
>> - return null;
>> - }
>> - }
>> -
>> Url url = request.getUrl();
>> if (matches(url))
>> {
>> @@ -111,6 +105,25 @@ public class BookmarkableMapper extends
>> AbstractBookmarkableMapper
>>
>> if (pageClass != null &&
>> IRequestablePage.class.isAssignableFrom(pageClass))
>> {
>> + if (Application.exists())
>> + {
>> + Application application =
>> Application.get();
>> +
>> + if
>> (application.getSecuritySettings().getEnforceMounts())
>> + {
>> + // we make an excepion if
>> the homepage itself was mounted, see WICKET-1898
>> + if
>> (!pageClass.equals(application.getHomePage()))
>> + {
>> + // WICKET-5094
>> only enforce mount if page is mounted
>> + Url reverseUrl =
>> application.getRootRequestMapper().mapHandler(
>> + new
>> RenderPageRequestHandler(new PageProvider(pageClass)));
>> + if
>> (!matches(reverseUrl))
>> + {
>> + return
>> null;
>> + }
>> + }
>> + }
>> + }
>>
>> // extract the PageParameters from URL if
>> there are any
>> PageParameters pageParameters =
>> extractPageParameters(request, 3,
>>
>>
>> http://git-wip-us.apache.org/repos/asf/wicket/blob/34735e02/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
>> ----------------------------------------------------------------------
>> diff --git
>> a/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
>> b/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
>> index ddcde75..7822531 100644
>> ---
>> a/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
>> +++
>> b/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
>> @@ -58,6 +58,14 @@ public class ISecuritySettingsTest extends
>> WicketTestCase
>> tester.assertRenderedPage(UnknownPage.class);
>>
>>
>> tester.getApplication().getSecuritySettings().setEnforceMounts(true);
>> +
>> + tester.startPage(pageWithLink);
>> + tester.assertRenderedPage(MockPageWithLink.class);
>> + tester.clickLink(MockPageWithLink.LINK_ID);
>> + tester.assertRenderedPage(UnknownPage.class);
>> +
>> + tester.getApplication().mountPackage("unknown",
>> UnknownPage.class);
>> +
>> tester.startPage(pageWithLink);
>> tester.assertRenderedPage(MockPageWithLink.class);
>> tester.clickLink(MockPageWithLink.LINK_ID);
>>
>>
>