Hi Martin,
we have an application with some mounted pages and some not mounted.
With #setEnforceMounts(true) all redirects to non-mounted pages will fail.
This is clearly not what this feature was meant for: WICKET-5094 just
restores the old behavior as it was in 1.4.x and how it was working in
our application before migration to WIcket 6.
ISecuritySettings' javadoc:
/**
* Gets whether mounts should be enforced. If true, requests for
mounted targets have to done
* through the mounted paths. If, for instance, a bookmarkable page
is mounted to a path, a
* request to that same page via the bookmarkablePage parameter
will be denied.
*
* @return Whether mounts should be enforced
*/
boolean getEnforceMounts();
WebRequestCycleProcessor.java in 1.4.x:
if (Application.get().getSecuritySettings().getEnforceMounts() &&
requestCodingStrategy.pathForTarget(target) != null)
Note the check for pathForTarget(target).
If *all* requests to /wicket/bookmarkable/* should be disallowed, you
can just remove the BookmarkableMapper.
> Igor also gave me his '+1' on this.
Perhaps Igor can confirm my findings.
Regards
Sven
On 03/12/2013 07:49 PM, Martin Grigorov wrote:
Hi Sven,
I haven't used this setting in 1.3/1.4 but as far as I understood the
feature its purpose it to disallow requests to pages via
/wicket/bookmarkable/my.package.MyPage completely.
This feature has been lost in the early 1.5 days and then some user asked
for it and with his help I re-introduced it. Igor also gave me his '+1' on
this.
I personally don't see much value in the new implementation. Since the
setting is in ISecuritySettings I think that it should reject access by
name to the pages completely, not just for the mounted pages.
On Tue, Mar 12, 2013 at 4:05 PM, <[email protected]> wrote:
Updated Branches:
refs/heads/wicket-1.5.x 2a7ba5ef1 -> 34735e027
WICKET-5094 enforce mount for mounted pages only
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/34735e02
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/34735e02
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/34735e02
Branch: refs/heads/wicket-1.5.x
Commit: 34735e027071bba98100f3fc291c667959b46eee
Parents: 2a7ba5e
Author: svenmeier <[email protected]>
Authored: Tue Mar 12 15:26:49 2013 +0100
Committer: svenmeier <[email protected]>
Committed: Tue Mar 12 15:26:49 2013 +0100
----------------------------------------------------------------------
.../wicket/request/mapper/BookmarkableMapper.java | 29 +++++++++++----
.../wicket/settings/ISecuritySettingsTest.java | 8 ++++
2 files changed, 29 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/34735e02/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
----------------------------------------------------------------------
diff --git
a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
index 759f389..eb917e1 100644
---
a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
+++
b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BookmarkableMapper.java
@@ -20,6 +20,8 @@ import org.apache.wicket.Application;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.component.IRequestablePage;
+import org.apache.wicket.request.handler.PageProvider;
+import org.apache.wicket.request.handler.RenderPageRequestHandler;
import org.apache.wicket.request.mapper.info.PageComponentInfo;
import org.apache.wicket.request.mapper.parameter.IPageParametersEncoder;
import org.apache.wicket.request.mapper.parameter.PageParameters;
@@ -91,14 +93,6 @@ public class BookmarkableMapper extends
AbstractBookmarkableMapper
@Override
protected UrlInfo parseRequest(Request request)
{
- if (Application.exists())
- {
- if
(Application.get().getSecuritySettings().getEnforceMounts())
- {
- return null;
- }
- }
-
Url url = request.getUrl();
if (matches(url))
{
@@ -111,6 +105,25 @@ public class BookmarkableMapper extends
AbstractBookmarkableMapper
if (pageClass != null &&
IRequestablePage.class.isAssignableFrom(pageClass))
{
+ if (Application.exists())
+ {
+ Application application =
Application.get();
+
+ if
(application.getSecuritySettings().getEnforceMounts())
+ {
+ // we make an excepion if
the homepage itself was mounted, see WICKET-1898
+ if
(!pageClass.equals(application.getHomePage()))
+ {
+ // WICKET-5094
only enforce mount if page is mounted
+ Url reverseUrl =
application.getRootRequestMapper().mapHandler(
+ new
RenderPageRequestHandler(new PageProvider(pageClass)));
+ if
(!matches(reverseUrl))
+ {
+ return
null;
+ }
+ }
+ }
+ }
// extract the PageParameters from URL if
there are any
PageParameters pageParameters =
extractPageParameters(request, 3,
http://git-wip-us.apache.org/repos/asf/wicket/blob/34735e02/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
----------------------------------------------------------------------
diff --git
a/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
b/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
index ddcde75..7822531 100644
---
a/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
+++
b/wicket-core/src/test/java/org/apache/wicket/settings/ISecuritySettingsTest.java
@@ -58,6 +58,14 @@ public class ISecuritySettingsTest extends
WicketTestCase
tester.assertRenderedPage(UnknownPage.class);
tester.getApplication().getSecuritySettings().setEnforceMounts(true);
+
+ tester.startPage(pageWithLink);
+ tester.assertRenderedPage(MockPageWithLink.class);
+ tester.clickLink(MockPageWithLink.LINK_ID);
+ tester.assertRenderedPage(UnknownPage.class);
+
+ tester.getApplication().mountPackage("unknown",
UnknownPage.class);
+
tester.startPage(pageWithLink);
tester.assertRenderedPage(MockPageWithLink.class);
tester.clickLink(MockPageWithLink.LINK_ID);
