Hi,

Thanks Martin, git-bisect is really helpful!

The involved commit is b8b9b30173921215972238a34395725a08c70fb3:
WICKET-5749 add AuthorizeResource to auth-roles so Resources can be
protected too

I will try to make a quickstart that reproduces the issue...

Best regards,
Sebastien


On Tue, Apr 21, 2015 at 9:05 AM, Martin Grigorov <[email protected]>
wrote:

> Hi Sebastien,
>
> You can use 'git bisect' to track which change in Wicket code led to this
> broken behavior for your application.
> Or create a quickstart and someone else will do the same :-)
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, Apr 20, 2015 at 8:04 PM, Sebastien <[email protected]> wrote:
>
> > Hi,
> >
> > Just to let you know I'm still suffering from this issue. I've forgotten I had
> > reverted poms version to -M5... Sorry for waking up so late!
> >
> > In my case this is not related to AuthenticationWebSession (I do not extend
> > it), and - I guess - nothing related to an authenticated user. The issue
> > appears as soon as I reach the homepage...
> >
> > I will try to make a quickstart asap !
> >
> > Best regards,
> > Sebastien.
> >
> >
> > On Tue, Mar 10, 2015 at 8:26 PM, Martin Grigorov <[email protected]>
> > wrote:
> >
> > > No.
> > > The change has been introduced with
> > > https://issues.apache.org/jira/browse/WICKET-5775 - automatic support for
> > > session fixation attack.
> > >
> > > Martin Grigorov
> > > Funemployed! Available for hire!
> > > Wicket Training and Consulting
> > > https://twitter.com/mtgrigorov
> > >
> > > On Tue, Mar 10, 2015 at 6:27 PM, Ernesto Reinaldo Barreiro <
> > > [email protected]> wrote:
> > >
> > > > Is this to secure resources? The same as pages/components?
> > > >
> > > > On Tue, Mar 10, 2015 at 5:23 PM, Martin Grigorov <[email protected]>
> > > > wrote:
> > > >
> > > > > I think we should revert a change in auth-roles. It caused four issues so
> > > > > far...
> > > > > There is a ticket already!
> > > > > On Mar 10, 2015 5:41 PM, "Maxim Solodovnik" <[email protected]>
> > > > > wrote:
> > > > >
> > > > > > works :)
> > > > > > Thanks!
> > > > > >
> > > > > > should I add this change to main app? or are you going to fix it in
> > > > > > Wicket?
> > > > > >
> > > > > > On Tue, Mar 10, 2015 at 9:37 PM, Martin Grigorov <[email protected]>
> > > > > > wrote:
> > > > > >
> > > > > > > Maxim,
> > > > > > >
> > > > > > > Try with MyAuthSession extends AuthenticatedWebSession {
> > > > > > >
> > > > > > >   @Override public void replaceSession() {}
> > > > > > > }
> > > > > > >
> > > > > > > i.e. make #replaceSession() a noop
> > > > > > >
> > > > > > > Martin Grigorov
> > > > > > > Funemployed! Available for hire!
> > > > > > > Wicket Training and Consulting
> > > > > > > https://twitter.com/mtgrigorov
> > > > > > >
> > > > > > > On Tue, Mar 10, 2015 at 5:29 PM, Maxim Solodovnik <[email protected]>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > This is the code: https://github.com/solomax/WicketSelect2Clear
> > > > > > > >
> > > > > > > > On Tue, Mar 10, 2015 at 9:27 PM, Sebastien <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > Well done Maxim, this will probably ease upcoming investigation....
> > > > > > > > >
> > > > > > > > > On Tue, Mar 10, 2015 at 4:20 PM, Maxim Solodovnik <[email protected]>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > I can provide a link to the github project demonstrating this
> > > > > > > > > >
> > > > > > > > > > On Tue, Mar 10, 2015 at 9:20 PM, Maxim Solodovnik <[email protected]>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Yes
> > > > > > > > > > > It is reproducible with dummy App based on AuthenticatedWebApplication
> > > > > > > > > > > Seems like resources are not being available for download without auth
> > > > > > > > > > > anymore
> > > > > > > > > > >
> > > > > > > > > > > On Tue, Mar 10, 2015 at 9:14 PM, Maxim Solodovnik <[email protected]>
> > > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > >> Simple app works as expected :(
> > > > > > > > > > >> Will try to convert it to AuthApp (seems to be security related issue)
> > > > > > > > > > >>
> > > > > > > > > > >> On Tue, Mar 10, 2015 at 8:52 PM, Maxim Solodovnik <[email protected]>
> > > > > > > > > > >> wrote:
> > > > > > > > > > >>
> > > > > > > > > > >>> It's our main application, will try to create simple quickstart
> > > > > > > > > > >>>
> > > > > > > > > > >>> On Tue, Mar 10, 2015 at 8:51 PM, Sebastien <[email protected]> wrote:
> > > > > > > > > > >>>
> > > > > > > > > > >>>> Hi Maxim,
> > > > > > > > > > >>>>
> > > > > > > > > > >>>> Thank you very much for confirming, because I am battling to reproduce it
> > > > > > > > > > >>>> in a simple quickstart!.. :(
> > > > > > > > > > >>>>
> > > > > > > > > > >>>> Best regards,
> > > > > > > > > > >>>> Sebastien.
> > > > > > > > > > >>>>
> > > > > > > > > > >>>>
> > > > > > > > > > >>>> On Tue, Mar 10, 2015 at 3:46 PM, Maxim Solodovnik <[email protected]>
> > > > > > > > > > >>>> wrote:
> > > > > > > > > > >>>>
> > > > > > > > > > >>>> > Got this exception in the logs:
> > > > > > > > > > >>>> >
> > > > > > > > > > >>>> >  WARN 03-10 20:44:41.513 RequestCycle.java 74324 347 RequestCycleExtra
> > > > > > > > > > >>>> > [http-nio-0.0.0.0-5080-exec-10] - Handling the following exception
> > > > > > > > > > >>>> > org.apache.wicket.markup.MarkupException: The component
> > > > > > > > > > >>>> > [TransparentWebMarkupContainer [Component id =
> > > > > > > > > > >>>> > wicket_relative_path_prefix_0]] was rendered already. You can render it
> > > > > > > > > > >>>> > only once during a render phase. Class relative path:
> > > > > > > > > > >>>> > org.apache.wicket.markup.html.TransparentWebMarkupContainer:html:wicket_relative_path_prefix_0
> > > > > > > > > > >>>> > at org.apache.wicket.Page.componentRendered(Page.java:211)
> > > > > > > > > > >>>> > ~[wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
> > > > > > > > > > >>>> > at org.apache.wicket.Component.rendered(Component.java:2622)
> > > > > > > > > > >>>> > ~[wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
> > > > > > > > > > >>>> > at org.apache.wicket.Component.internalRender(Component.java:2383)
> > > > > > > > > > >>>> > ~[wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
> > > > > > > > > > >>>> > at org.apache.wicket.Component.render(Component.java:2307)
> > > > > > > > > > >>>> > ~[wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
> > > > > > > > > > >>>> >
> > > > > > > > > > >>>> >
> > > > > > > > > > >>>> > On Tue, Mar 10, 2015 at 8:44 PM, Maxim Solodovnik <[email protected]>
> > > > > > > > > > >>>> > wrote:
> > > > > > > > > > >>>> >
> > > > > > > > > > >>>> > > Can confirm :(
> > > > > > > > > > >>>> > > Same here with our main application
> > > > > > > > > > >>>> > >
> > > > > > > > > > >>>> > > On Tue, Mar 10, 2015 at 8:23 PM, Sebastien <[email protected]> wrote:
> > > > > > > > > > >>>> > >
> > > > > > > > > > >>>> > >> Hi team :)
> > > > > > > > > > >>>> > >>
> > > > > > > > > > >>>> > >> Back to work this morning... As usual, I am recompiling and redeploying the
> > > > > > > > > > >>>> > >> webapp I am working on, based on 7.0.0-SNAPSHOT.
> > > > > > > > > > >>>> > >>
> > > > > > > > > > >>>> > >> It seems that I am facing a serious issue: no resource reference can be
> > > > > > > > > > >>>> > >> downloaded by the client, for instance:
> > > > > > > > > > >>>> > >>
> > > > > > > > > > >>>> > >> "NetworkError: 403 Forbidden -
> > > > > > > > > > >>>> > >> http://localhost:8080/hawk/wicket/resource/org.apache.wicket.ajax.AbstractDefaultAjaxBehavior/res/js/wicket-ajax-jquery-ver-1425374806000.js"
> > > > > > > > > > >>>> > >>
> > > > > > > > > > >>>> > >> I recompiled/redeployed with -M5, all is ok.
> > > > > > > > > > >>>> > >>
> > > > > > > > > > >>>> > >> As I was on vacation these last 2 weeks (it was very great thank you :) ),
> > > > > > > > > > >>>> > >> I am not very aware of what changed recently. Any ideas?
> > > > > > > > > > >>>> > >> Thanks a lot in advance,
> > > > > > > > > > >>>> > >> Sebastien.
> > > > > > > > > > >>>> > >>
> > > > > > > > > > >>>> > >
> > > > > > > > > > >>>> > >
> > > > > > > > > > >>>> > >
> > > > > > > > > > >>>> > > --
> > > > > > > > > > >>>> > > WBR
> > > > > > > > > > >>>> > > Maxim aka solomax
> > > > > > > > > > >>>> > >
> > > > > > > > > > >>>> >
> > > > > > > > > > >>>> >
> > > > > > > > > > >>>> >
> > > > > > > > > > >>>> > --
> > > > > > > > > > >>>> > WBR
> > > > > > > > > > >>>> > Maxim aka solomax
> > > > > > > > > > >>>> >
> > > > > > > > > > >>>>
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>>
> > > > > > > > > > >>> --
> > > > > > > > > > >>> WBR
> > > > > > > > > > >>> Maxim aka solomax
> > > > > > > > > > >>>
> > > > > > > > > > >>
> > > > > > > > > > >>
> > > > > > > > > > >>
> > > > > > > > > > >> --
> > > > > > > > > > >> WBR
> > > > > > > > > > >> Maxim aka solomax
> > > > > > > > > > >>
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > WBR
> > > > > > > > > > > Maxim aka solomax
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > WBR
> > > > > > > > > > Maxim aka solomax
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > WBR
> > > > > > > > Maxim aka solomax
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > WBR
> > > > > > Maxim aka solomax
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Regards - Ernesto Reinaldo Barreiro
> > > >
> > >
> >
>
