Posted to users@wicket.apache.org by Pierre Goiffon <Pi...@interview-efm.com> on 2012/03/21 11:42:03 UTC

Wicket 1.4.20 : error message "Access denied to (static) package resource"

Hello,

After upgrading from Wicket 1.4.19 to Wicket 1.4.20 I get exceptions in 
TinyMCE. We're using the Wicketstuff integration.
When opening TinyMCE lightboxes I get exceptions like:

org.apache.wicket.markup.html.PackageResource$PackageResourceBlockedException: 
Access denied to (static) package resource 
com/interview/tool/wicketstuff/tinymce/themes/advanced/image.htm. See 
IPackageResourceGuard

It works perfectly in Wicket 1.4.18 or 1.4.19, but when updating in the 
pom to the 1.4.20 version we get that exception.
I can't figure what ticket could be related in the 1.4.20 changelog 
(https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12317570)

Any idea ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Solved: Mysterious application crash

Posted by Jürgen Lind <Ju...@iteratec.de>.
After some more fiddling around, I found that what caused the problem was
that the base page was using 'wicket:head' instead of simply 'head' (at least
that change solved the problem).

Still, I do not understand how this could affect an application in a way that
it becomes unusable across different users. Maybe one of the developers could
provide an explanation as I am quite curious to know what was going on...

Cheers,

J.

On 21.03.2012 14:24, Jürgen Lind wrote:
> Hi,
>
> I've run into a very odd situation and I have no idea, how to find out what is
> going on... The situation is as follows:
>
> 1. I have a base page that contains some markup and components.
>
> 2. I have a second page, that extends the base page but does not add
>      any markup or components, i.e. the HTML is empty besides the wicket:extend tag
>      and the Java Class is entirely empty
>
> 3. The base page is mounted as 'base', the child page is mounted as 'child'
>
> 4. I open the child page in the browser, it shows ok (all the contents of the
>      base page)
>
> 5. I open the base page in the browser and I get an exception:
>      Root cause:
>
> org.apache.wicket.markup.MarkupNotFoundException: Markup not found for Component:
> [HtmlHeaderContainer [Component id = _header_0]]
> at org.apache.wicket.Component.internalRender(Component.java:2315)
> at org.apache.wicket.Component.render(Component.java:2275)
> at org.apache.wicket.MarkupContainer.renderNext(MarkupContainer.java:1474)
> at org.apache.wicket.MarkupContainer.renderAll(MarkupContainer.java:1638)
>
> 6. I try to open the base page in another browser, I get the same exception!
>
> For me, that indicates that the application was somehow corrupted. Is that possible?
> Or do I miss something obvious here? I've been trying to track down the error for
> the last couple of hours, but I have not found anything useful...
>
> J.
>


Kind regards,

Jürgen Lind

-- 
Dr. Jürgen Lind
iteratec GmbH                Fon: +49 (0)89 614551-44
Inselkammerstrasse 4         Fax: +49 (0)89 614551-10
82008 Unterhaching           Web: www.iteratec.de

Registered office and court of registration of iteratec GmbH: München HRB 113 519
Managing directors: Klaus Eberhardt, Mark Goerke, Inge Hanschke, Ralf Menzel



Mysterious application crash

Posted by Jürgen Lind <Ju...@iteratec.de>.
Hi,

I've run into a very odd situation and I have no idea, how to find out what is
going on... The situation is as follows:

1. I have a base page that contains some markup and components.

2. I have a second page, that extends the base page but does not add
    any markup or components, i.e. the HTML is empty besides the wicket:extend tag
    and the Java Class is entirely empty

3. The base page is mounted as 'base', the child page is mounted as 'child'

4. I open the child page in the browser, it shows ok (all the contents of the
    base page)

5. I open the base page in the browser and I get an exception:
    Root cause:

org.apache.wicket.markup.MarkupNotFoundException: Markup not found for Component: 
[HtmlHeaderContainer [Component id = _header_0]]
at org.apache.wicket.Component.internalRender(Component.java:2315)
at org.apache.wicket.Component.render(Component.java:2275)
at org.apache.wicket.MarkupContainer.renderNext(MarkupContainer.java:1474)
at org.apache.wicket.MarkupContainer.renderAll(MarkupContainer.java:1638)

6. I try to open the base page in another browser, I get the same exception!

For me, that indicates that the application was somehow corrupted. Is that possible?
Or do I miss something obvious here? I've been trying to track down the error for
the last couple of hours, but I have not found anything useful...

J.



Re: Wicket 1.4.20 : error message "Access denied to (static) package resource"

Posted by Pierre Goiffon <Pi...@interview-efm.com>.
On 21/03/2012 12:24, Martin Grigorov wrote:
> As I said this change is due to a security related problem.
> An official announcement will come very soon.
> We haven't sent it so far because we wanted to give you some time to
> upgrade to 1.4.20/1.5.5 before making the problem public.
> Sorry for the troubles!

I understand your concern about revealing details of a security problem.
As a wicket user, I'd rather be aware of the details when the version is
out, and make my own decision because almost every time you have to
choose the best compromise between changing your code and the risk your
application is exposed to. Upgrading and finding out that you have to
change your code without knowing why, you just feel uncomfortable and
fear that there are lots of things you miss, that will bring you some
extra bugs.
But this is a long debate :)

Thanks anyway very much for your almost immediate help, it was much
appreciated!

Best regards,
P. Goiffon



Re: Wicket 1.4.20 : error message "Access denied to (static) package resource"

Posted by Martin Grigorov <mg...@apache.org>.
As I said this change is due to a security related problem.
An official announcement will come very soon.
We haven't sent it so far because we wanted to give you some time to
upgrade to 1.4.20/1.5.5 before making the problem public.
Sorry for the troubles!

On Wed, Mar 21, 2012 at 1:19 PM, Pierre Goiffon
<Pi...@interview-efm.com> wrote:
> Martin and Antoine, thanks very much for your quick answers, it solves
> of course my problem !
> SecurePackageResourceGuard has already a lot of common extensions, and
> it's easy to add the ones you eventually need !
>
> Martin, I still can't see in the 1.4.20 changelog
> (https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12318545)
> what ticket could be related to this change ?
> And nothing in the version announcement :
> http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html.
>
> For us this is a major regression and I just discovered it by chance...
> I recommend to have a word maybe in the 1.4.20 announcement, and change
> the title of the related 1.4.20 ticket to be more comprehensive ?
> Thanks !



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com



Re: Wicket 1.4.20 : error message "Access denied to (static) package resource"

Posted by Pierre Goiffon <Pi...@interview-efm.com>.
Martin and Antoine, thanks very much for your quick answers, it solves 
of course my problem !
SecurePackageResourceGuard has already a lot of common extensions, and 
it's easy to add the ones you eventually need !

Martin, I still can't see in the 1.4.20 changelog 
(https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12318545) 
what ticket could be related to this change ?
And nothing in the version announcement : 
http://wicket.apache.org/2012/03/12/wicket-1.4.20-released.html.

For us this is a major regression and I just discovered it by chance... 
I recommend to have a word maybe in the 1.4.20 announcement, and change 
the title of the related 1.4.20 ticket to be more comprehensive ?
Thanks !


Re: Wicket 1.4.20 : error message "Access denied to (static) package resource"

Posted by Antoine Angenieux <aa...@clinigrid.com>.
Hi !

I faced a similar issue, but with PDF files used as PackageResource.

It boils down to wicket relying now by default on 
SecurePackageResourceGuard which only authorizes files with some 
extensions (defined in the SecurePackageResourceGuard constructor).

What I did was create my own subclass of SecurePackageResourceGuard as 
follows:
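import org.apache.wicket.markup.html.SecurePackageResourceGuard;

public class MyResourceGuard extends SecurePackageResourceGuard {

	/**
	 * Default constructor
	 */
	public MyResourceGuard() {
		super(new SimpleCache(100));
		// Allow .pdf in addition to the extensions the parent constructor already allows
		addPattern("+*.pdf");
	}

}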

And then in my Application subclass, in the init method, I do
getResourceSettings().setPackageResourceGuard(new MyResourceGuard ());

I guess if you simply add the following line
addPattern("+*.htm") to your MyResourceGuard constructor, your error 
will go away.

Hope this helps !

Antoine.


On 21/03/2012 11:42, Pierre Goiffon wrote:
> Hello,
>
> After upgrading from Wicket 1.4.19 to Wicket 1.4.20 I get exceptions in
> TinyMCE. We're using the Wicketstuff integration.
> When opening TinyMCE lightboxes I get exceptions like:
>
> org.apache.wicket.markup.html.PackageResource$PackageResourceBlockedException:
> Access denied to (static) package resource
> com/interview/tool/wicketstuff/tinymce/themes/advanced/image.htm. See
> IPackageResourceGuard
>
> It works perfectly in Wicket 1.4.18 or 1.4.19, but when updating in the
> pom to the 1.4.20 version we get that exception.
> I can't figure what ticket could be related in the 1.4.20 changelog
> (https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12317570)
>
> Any idea ?


Re: Wicket 1.4.20 : error message "Access denied to (static) package resource"

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

Yes, in 1.4.20 Wicket uses SecurePackageResourceGuard by default
because there was a security related issue. We will send an official
mail soon.
Many of the common extensions are allowed by default but .htm is not
one of them. You need to add this to YourApp#init():

    IPackageResourceGuard packageResourceGuard = getResourceSettings().getPackageResourceGuard();
    if (packageResourceGuard instanceof SecurePackageResourceGuard)
    {
        SecurePackageResourceGuard guard = (SecurePackageResourceGuard) packageResourceGuard;
        guard.addPattern("+*.htm");
    }

On Wed, Mar 21, 2012 at 12:42 PM, Pierre Goiffon
<Pi...@interview-efm.com> wrote:
> Hello,
>
> After upgrading from Wicket 1.4.19 to Wicket 1.4.20 I get exceptions in
> TinyMCE. We're using the Wicketstuff integration.
> When opening TinyMCE lightboxes I get exceptions like:
>
> org.apache.wicket.markup.html.PackageResource$PackageResourceBlockedException:
> Access denied to (static) package resource
> com/interview/tool/wicketstuff/tinymce/themes/advanced/image.htm. See
> IPackageResourceGuard
>
> It works perfectly in Wicket 1.4.18 or 1.4.19, but when updating in the
> pom to the 1.4.20 version we get that exception.
> I can't figure what ticket could be related in the 1.4.20 changelog
> (https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310561&version=12317570)
>
> Any idea ?



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
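
A narrower variant of the pattern suggested in this thread, as an added example that is not part of the original messages or Wicket's own code: instead of allowing every .htm file on the classpath, it allows only those under the TinyMCE package named in the exception, and it refuses to start if the allow-list guard has been replaced. The class names MyApplication and HomePage are hypothetical, and the path pattern assumes the "**" directory wildcard described in the SecurePackageResourceGuard Javadoc.

```java
import org.apache.wicket.Page;
import org.apache.wicket.markup.html.IPackageResourceGuard;
import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;

// Hypothetical application class for Wicket 1.4.20.
public class MyApplication extends WebApplication {

    // Package path copied from the PackageResourceBlockedException in this thread.
    private static final String TINYMCE_ROOT =
            "com/interview/tool/wicketstuff/tinymce/";

    // Hypothetical home page, present only so the example compiles.
    public static class HomePage extends WebPage {
    }

    @Override
    protected void init() {
        super.init();

        IPackageResourceGuard current =
                getResourceSettings().getPackageResourceGuard();

        // 1.4.20 installs SecurePackageResourceGuard by default. If something
        // else is in place, stop at startup rather than serve package
        // resources without the extension allow-list.
        if (!(current instanceof SecurePackageResourceGuard)) {
            throw new IllegalStateException(
                    "Expected SecurePackageResourceGuard but found "
                            + current.getClass().getName());
        }
        SecurePackageResourceGuard guard = (SecurePackageResourceGuard) current;

        // Assumed pattern syntax: '+' allows, '**' spans any number of
        // directories. Only .htm files below the TinyMCE package are opened up;
        // .htm files elsewhere on the classpath stay blocked.
        guard.addPattern("+" + TINYMCE_ROOT + "**/*.htm");
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class;
    }
}
```

After deploying, request one of the TinyMCE dialogs and one .htm resource outside that package to confirm the first loads and the second still raises PackageResourceBlockedException.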
