HTTPS to HTTP invalidates Session

2016-01-11 Thread Arjun Dhar 
Hi,
I have an admin Panel that is on HTTPS. It allows a user to preview a link
on the site on HTTP.
The problem is when doing that, when I return to the Admin Pane land perform
any Ajax request, then what I get is:
org.apache.wicket.protocol.http.PageExpiredException: Request cannot be
processed. The target page does not exist anymore.

Observations:
a. The session is being invalidated. 
b. The JSESSION ID in the admin to start and the target page were the same
(surprised, since I thought from HTTPS to HTTP a new JSESSIONID should be
grated in target Window?) 

If someone can explain (a) & (b) and as a bonus any work around without
compromising security.
FOr me this is a Nice to Have not a Must have, but I need to understand
whats going on here.

thanks




-
Software documentation is like sex: when it is good, it is very, very good; and 
when it is bad, it is still better than nothing!
--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/HTTPS-to-HTTP-invalidates-Session-tp4673262.html
Sent from the Users forum mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Re: Invalid JS src url for ajax behaviors - degradation after 6.17.0

2016-01-11 Thread Daniel Stoch 
Hi,

Thanks for your answer.

I have tried to reproduce this problem in quickstart app and it seems
that it is a problem in my application.
Problem is related to Wicket-Ajax-BaseURL encoding, when parameter
values contains "#" (eg. abx#xyz). In 6.17.0 there were some problems
with these encodings and I have internal patch in overridden
MultipartServletWebRequestImpl.getHeader() method - I forgot to make
JIRA for that. It seems that in 6.21.0 these problems do not exist, so
my internal patch is not necessary, moreover generates an error which
I described in a previous email. So when I remove it, it seems that
everything works ok.

--
Best regards,
Daniel

On Fri, Jan 8, 2016 at 10:47 PM, Sven Meier  wrote:
> Hi,
>
> please create a quickstart and/or test case and attach it to a new Jira
> issue.
>
> This way we can dissect the problem.
>
> Best regards
> Sven
>
>
>
> On 08.01.2016 18:19, Daniel Stoch wrote:
>>
>> Hi,
>>
>> I have upgraded Wicket from 6.17.0 to 6.21.0. And there is some
>> problem after this upgrade. I am using UrlPathPageParametersEncoder so
>> my page parameters are encoded like:
>> /param1Name/param1Value/param2Name/param2Value
>>
>> Sample scenario to reproduce this problem:
>> 1. User enters a bookmarkable page with four parameters, so url looks
>> like:
>> http://localhost:8080/app/somepage/p1/v1/p2/v2/p3/v3/p4/v4
>> 2. User clicks checkbox with AjaxFormChoiceComponentUpdatingBehavior
>> and the generated ajax response contains invalid (in 6.21.0) url to
>> JavaScript resources, eg.:
>>
>> 6.21.0
>> >
>> src="../../../../wicket/resource/org.apache.wicket.ajax.AbstractDefaultAjaxBehavior/res/js/wicket-event-jquery-ver-1446158378000.js">
>>
>> but it shoud be:
>>
>> 6.17.0
>> >
>> src="../../../../../../../../wicket/resource/org.apache.wicket.ajax.AbstractDefaultAjaxBehavior/res/js/wicket-event-jquery-ver-140930656.js">
>>
>>
>> So there are only 4 "../" url parts in new Wicket version, instead of
>> 8 in older one (6.17.0). This leads to invalid requests that come to
>> server (request contains invalid parameters in a path).
>>
>> Are there any changes in 6.x branch after 6.17.0 version which can
>> cause such problems?
>>
>> --
>> Best regards,
>> Daniel
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>> For additional commands, e-mail: users-h...@wicket.apache.org
>>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Re: HTTPS to HTTP invalidates Session

2016-01-11 Thread Martin Grigorov 
Hi,

The HttpSession must be created within HTTP request if you want to share it
between HTTP and HTTPS requests.
A session created by HTTPS request is not shared with HTTP requests.
The reason is that the JSESSIONID cookie created in HTTPS is "secure" and
it is not preserved for the HTTP requests, so the session is "lost". I
guess encoding the jsessionid in the url will fix this problem.

In Wicket code we have this comment about this:
https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/protocol/https/HttpsMapper.java#L336-L337

Some extra links:
- http://stackoverflow.com/a/15067895/497381
- http://www.nuwanbando.com/2010/05/sharing-https-http-sessions-in-tomcat/

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Jan 12, 2016 at 1:57 AM, Arjun Dhar  wrote:

> Hi,
> I have an admin Panel that is on HTTPS. It allows a user to preview a link
> on the site on HTTP.
> The problem is when doing that, when I return to the Admin Pane land
> perform
> any Ajax request, then what I get is:
> org.apache.wicket.protocol.http.PageExpiredException: Request cannot be
> processed. The target page does not exist anymore.
>
> Observations:
> a. The session is being invalidated.
> b. The JSESSION ID in the admin to start and the target page were the same
> (surprised, since I thought from HTTPS to HTTP a new JSESSIONID should be
> grated in target Window?)
>
> If someone can explain (a) & (b) and as a bonus any work around without
> compromising security.
> FOr me this is a Nice to Have not a Must have, but I need to understand
> whats going on here.
>
> thanks
>
>
>
>
> -
> Software documentation is like sex: when it is good, it is very, very
> good; and when it is bad, it is still better than nothing!
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/HTTPS-to-HTTP-invalidates-Session-tp4673262.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>

Re: Checking/Dechecking a checkbox multiple choice

2016-01-11 Thread Martin Grigorov 
JobAdvStates state1 = new JobAdvStates();
JobAdvStates state2 = new JobAdvStates();
JobAdvStates state3 = new JobAdvStates();

List selected = new ArrayList<>();
selected.add(state1);
selected.add(state3);
ListModel model = new ListModel(selected);


List allPossible = new ArrayList<>();
allPossible.add(state1);
allPossible.add(state2);
allPossible.add(state3);

new CheckBoxMultipleChoice(id, model, allPossible)


Make sure JobAdvStates has good impl of #equals()

On Mon, Jan 11, 2016 at 9:24 PM, smoothe19 
wrote:

> Can you display an example?
>
>  I essentially want to be able to have some of the checkboxes checked
> (based
> on a boolean in database) when displayed on the screne
> 
>
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/Checking-Dechecking-a-checkbox-multiple-choice-tp4673251p4673257.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>

Re: Checking/Dechecking a checkbox multiple choice

2016-01-11 Thread smoothe19 
Can you display an example?

 I essentially want to be able to have some of the checkboxes checked (based
on a boolean in database) when displayed on the screne 
 

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Checking-Dechecking-a-checkbox-multiple-choice-tp4673251p4673257.html
Sent from the Users forum mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Re: Checking/Dechecking a checkbox multiple choice

2016-01-11 Thread Martin Grigorov 
Hi,

In  new CheckBoxMultipleChoice(id, modelOfCollection,
allPossibleChoices) you have to add/remove entries to "modelOfCollection"

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Jan 11, 2016 at 8:29 PM, smoothe19 
wrote:

> How can I check or uncheck one checkbox item from a checkboxmultiple choice
>
> I tried mpCheckBoxes.get(0).setDefaultModel(new Model<>(true)); and also
> mpCheckBoxes.get(0).setDefaultObjectModel(new Model<>(true)); both threw an
> error
>
>
>
>
> List mpDECISIONS = new ArrayList();
>
>
> CheckBoxMultipleChoice mpCheckBoxes =
> new CheckBoxMultipleChoice(
>  "mpToggles", new Model(mpDecisionsSelect),
> mpDECISIONS);
>
>  for (JobAdvStates advanceState: advStatesList){
>
> if (advanceState.getRecordState().equals("MP") ){
> mpDECISIONS.add(advanceState);
> }
>
>  }
>
>
>
> fieldEditForm.add(mpCheckBoxes);
>
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/Checking-Dechecking-a-checkbox-multiple-choice-tp4673251.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>

Checking/Dechecking a checkbox multiple choice

2016-01-11 Thread smoothe19 
How can I check or uncheck one checkbox item from a checkboxmultiple choice

I tried mpCheckBoxes.get(0).setDefaultModel(new Model<>(true)); and also
mpCheckBoxes.get(0).setDefaultObjectModel(new Model<>(true)); both threw an
error




List mpDECISIONS = new ArrayList();


CheckBoxMultipleChoice mpCheckBoxes = 
new CheckBoxMultipleChoice(
 "mpToggles", new Model(mpDecisionsSelect),
mpDECISIONS);

 for (JobAdvStates advanceState: advStatesList){
   
if (advanceState.getRecordState().equals("MP") ){
mpDECISIONS.add(advanceState);
}
 
 }


  
fieldEditForm.add(mpCheckBoxes); 

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Checking-Dechecking-a-checkbox-multiple-choice-tp4673251.html
Sent from the Users forum mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Re: Native WebSockets - exceptions and sendRedirect inside WebSocketResponse

2016-01-11 Thread Martin Grigorov 
Hi,

I have improved the quickstart in 7.x/8.x to enable support for JSR-356
websocket in the quickstart by just uncommenting two lines in Start.java:
https://issues.apache.org/jira/browse/WICKET-6072

Thank you for all the feedback!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Jan 4, 2016 at 2:57 PM, Daniel Stoch  wrote:

> On Fri, Jan 1, 2016 at 10:25 PM, Martin Grigorov 
> wrote:
> > Hi,
> >
> >
> > On Mon, Dec 28, 2015 at 4:49 PM, Daniel Stoch 
> > wrote:
> >
> >> Hi,
> >>
> >> As I wrote in my previous post "Native WebSockets - cookies and last
> >> handler question": In WebSocketResponse many methods throws
> >> UnsupportedOperationException. Some of them can be customized now
> >> thanks to WICKET-6054.
> >>
> >> But I have found another problem with WebSocketResponse.sendRedirect()
> >> method. When you send a message using
> >> IWebSocketConnection.sendMessage() and an exeption is raised somewhere
> >> during processing of this message you can get the following exception
> >> (the orignal exception is lost):
> >>
> >> Error during processing error message
> >> java.lang.UnsupportedOperationException
> >> at
> >>
> org.apache.wicket.protocol.ws.api.WebSocketResponse.sendRedirect(WebSocketResponse.java:205)
> >> at
> >>
> org.apache.wicket.request.handler.render.WebPageRenderer.redirectTo(WebPageRenderer.java:176)
> >> at
> >>
> org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:327)
> >> at
> >>
> org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:890)
> >> at
> >>
> org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:310)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:233)
> >> at
> >>
> org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:289)
> >> at
> >>
> org.apache.wicket.protocol.ws.api.AbstractWebSocketProcessor.broadcastMessage(AbstractWebSocketProcessor.java:251)
> >> at
> >>
> org.apache.wicket.protocol.ws.api.AbstractWebSocketConnection.sendMessage(AbstractWebSocketConnection.java:43)
> >>
> >>
> >> This is because WebPageRenderer by default calls redirectTo method. So
> >> it looks like WebSocketResponse.sendRedirect() should not throw
> >> exception in the default implementation?
> >>
> >
> > The default is to throw an exception so that you know that you are trying
> > to do something that is really not supported.
> > But now I think we can actually add support for it - as Ajax does with
> > ...
> > Please file a ticket with a quickstart app!
> > Thank you!
> >
>
> WICKET-6064
>
>
> BTW: The quickstart app is not compatible with websockets when you are
> trying to use Start.main():
>
> java.lang.IllegalStateException: Websockets not supported on blocking
> connectors
> at
> org.eclipse.jetty.websocket.WebSocketFactory.upgrade(WebSocketFactory.java:237)
> at
> org.eclipse.jetty.websocket.WebSocketFactory.acceptWebSocket(WebSocketFactory.java:396)
> at
> org.apache.wicket.protocol.ws.jetty.Jetty7WebSocketFilter.acceptWebSocket(Jetty7WebSocketFilter.java:74)
> at
> org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:55)
> at
> org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:201)
> at
> org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:282)
> at
>

Re: Native WebSockets - exceptions and sendRedirect inside WebSocketResponse

2016-01-11 Thread Martin Grigorov 
And https://issues.apache.org/jira/browse/WICKET-6073 for Wicket 6.x to use
NIO connector.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Mon, Jan 11, 2016 at 9:03 PM, Martin Grigorov 
wrote:

> Hi,
>
> I have improved the quickstart in 7.x/8.x to enable support for JSR-356
> websocket in the quickstart by just uncommenting two lines in Start.java:
> https://issues.apache.org/jira/browse/WICKET-6072
>
> Thank you for all the feedback!
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Mon, Jan 4, 2016 at 2:57 PM, Daniel Stoch 
> wrote:
>
>> On Fri, Jan 1, 2016 at 10:25 PM, Martin Grigorov 
>> wrote:
>> > Hi,
>> >
>> >
>> > On Mon, Dec 28, 2015 at 4:49 PM, Daniel Stoch 
>> > wrote:
>> >
>> >> Hi,
>> >>
>> >> As I wrote in my previous post "Native WebSockets - cookies and last
>> >> handler question": In WebSocketResponse many methods throws
>> >> UnsupportedOperationException. Some of them can be customized now
>> >> thanks to WICKET-6054.
>> >>
>> >> But I have found another problem with WebSocketResponse.sendRedirect()
>> >> method. When you send a message using
>> >> IWebSocketConnection.sendMessage() and an exeption is raised somewhere
>> >> during processing of this message you can get the following exception
>> >> (the orignal exception is lost):
>> >>
>> >> Error during processing error message
>> >> java.lang.UnsupportedOperationException
>> >> at
>> >>
>> org.apache.wicket.protocol.ws.api.WebSocketResponse.sendRedirect(WebSocketResponse.java:205)
>> >> at
>> >>
>> org.apache.wicket.request.handler.render.WebPageRenderer.redirectTo(WebPageRenderer.java:176)
>> >> at
>> >>
>> org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:327)
>> >> at
>> >>
>> org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:890)
>> >> at
>> >>
>> org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:310)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.executeExceptionRequestHandler(RequestCycle.java:319)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:233)
>> >> at
>> >>
>> org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:289)
>> >> at
>> >>
>> org.apache.wicket.protocol.ws.api.AbstractWebSocketProcessor.broadcastMessage(AbstractWebSocketProcessor.java:251)
>> >> at
>> >>
>> org.apache.wicket.protocol.ws.api.AbstractWebSocketConnection.sendMessage(AbstractWebSocketConnection.java:43)
>> >>
>> >>
>> >> This is because WebPageRenderer by default calls redirectTo method. So
>> >> it looks like WebSocketResponse.sendRedirect() should not throw
>> >> exception in the default implementation?
>> >>
>> >
>> > The default is to throw an exception so that you know that you are
>> trying
>> > to do something that is really not supported.
>> > But now I think we can actually add support for it - as Ajax does with
>> > ...
>> > Please file a ticket with a quickstart app!
>> > Thank you!
>> >
>>
>> WICKET-6064
>>
>>
>> BTW: The quickstart app is not compatible with websockets when you are
>> trying to use Start.main():
>>
>> java.lang.IllegalStateException: Websockets not supported on blocking
>> connectors
>> at
>> org.eclipse.jetty.websocket.WebSocketFactory.upgrade(WebSocketFactory.java:237)
>> at
>> org.eclipse.jetty.websocket.WebSocketFactory.acceptWebSocket(WebSocketFactory.java:396)
>> at
>>