[jira] [Updated] (WICKET-6246) WebSocket request while Ajax request leads to error regarding HtmlHeaderCotnainer
[ https://issues.apache.org/jira/browse/WICKET-6246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Chrenko updated WICKET-6246:
---
Description:
There is a problem with header contribution which leads to a "Cannot replace a component which has not been added: id='_header_'" error.

Short:
- Add at least two components to an AjaxRequestTarget
- The (at least) second component must initiate a WebSocket push update of another component in onConfigure/onBeforeRender (maybe others)
- Exception at the end of ajax request (WebSocket request finishes without problem)

Long:
AbstractAjaxResponse iterates all components to update in writeComponents(Response, String).
For each component writeComponent(Response, String, Component, String) is called in sub class XmlAjaxResponse which calls writeHeaderContribution(Response, Component) of AbstractAjaxResponse.
This method creates the HtmlHeaderContainer and adds it to the page when rendering of first component added to target starts.
Second component rendering (onConfigure/onBeforeRender) sends a component update via websocket push to the client.
The websocket request replaces the HtmlHeaderContainer added to the page and at the end of the AbstractAjaxResponse.writeTo(Response, String) the header is again replaced with a default one.
But this default header is removed on MarkupContainer.detachChildren() method.
Now the ajax request is "continued" and writeHeaderContribution is called for the second component.
header is not null in writeHeaderContribution because it was already created when processing the first component, so the header is not added to the page again (remember it was replaced while websocket request).
Now at the end of writeTo method, wicket tries again to replace the header with a default one (comment there says "restore normal header").
This leads to an exception: Cannot replace a component which has not been added: id='_header_'

A little notice:
The error would not happen, if second component would be processed before first component, because then the HeaderContainerItem of the ajax request isn't created before the websocket request is finished and so the header is added to the page on creation. So the problem is the removal of the HeaderContainerItem in detachChildren() after websocket request.

In Wicket 7.4 (the only one I tested, this works without problems)

was:
There is a problem with header contribution which leads to a "Cannot replace a component which has not been added: id='_header_'" error.

Short:
- Add at least two components to an AjaxRequestTarget
- The (at least) second component must initiate a WebSocket push update of another component in onConfigure/onBeforeRender (maybe others)
- Exception at the end of ajax request (WebSocket request finishes without problem)

Long:
AbstractAjaxResponse iterates all components to update in writeComponents(Response, String).
For each component writeComponent(Response, String, Component, String) is called in sub class XmlAjaxResponse which calls writeHeaderContribution(Response, Component) of AbstractAjaxResponse.
This method creates the HtmlHeaderContainer and adds it to the page when rendering of first component added to target starts.
Second component rendering (onConfigure/onBeforeRender) sends a component update via websocket push to the client.
The websocket request replaces the HtmlHeaderContainer added to the page at the end of the AbstractAjaxResponse.writeTo(Response, String) method with a default one.
But this default header is removed on MarkupContainer.detachChildren() method.
Now the ajax request is "continued" and writeHeaderContribution is called for the second component.
header is not null in writeHeaderContribution because it was already created when processing the first component, so the header is not added to the page again (remember it was replaced while websocket request).
Now at the end of writeTo method, wicket tries again to replace the header with a default one (comment there says "restore normal header").
This leads to an exception: Cannot replace a component which has not been added: id='_header_'

A little notice:
The error would not happen, if second component would be processed before first component, because then the HeaderContainerItem of the ajax request isn't created before the websocket request is finished and so the header is added to the page on creation. So the problem is the removal of the HeaderContainerItem in detachChildren() after websocket request.

In Wicket 7.4 (the only one I tested, this works without problems)

> WebSocket request while Ajax request leads to error regarding HtmlHeaderCotnainer
>
> Key: WICKET-6246
> URL: https://issues.apache.org/jira/browse/WICKET-6246
> Project: Wicket
>
[jira] [Updated] (WICKET-6246) WebSocket request while Ajax request leads to error regarding HtmlHeaderCotnainer
[ https://issues.apache.org/jira/browse/WICKET-6246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Chrenko updated WICKET-6246:
---
Attachment: quickstart.zip

Added quickstart to demonstrate. HomePage.java contains the long description again.

> WebSocket request while Ajax request leads to error regarding HtmlHeaderCotnainer
>
> Key: WICKET-6246
> URL: https://issues.apache.org/jira/browse/WICKET-6246
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 6.24.0
> Reporter: Thomas Chrenko
> Labels: header, header-contribution
> Attachments: quickstart.zip
>
> There is a problem with header contribution which leads to a "Cannot replace a component which has not been added: id='_header_'" error.
> Short:
> - Add at least two components to an AjaxRequestTarget
> - The (at least) second component must initiate a WebSocket push update of another component in onConfigure/onBeforeRender (maybe others)
> - Exception at the end of ajax request (WebSocket request finishes without problem)
> Long:
> AbstractAjaxResponse iterates all components to update in writeComponents(Response, String).
> For each component writeComponent(Response, String, Component, String) is called in sub class XmlAjaxResponse which calls writeHeaderContribution(Response, Component) of AbstractAjaxResponse.
> This method creates the HtmlHeaderContainer and adds it to the page when rendering of first component added to target starts.
> Second component rendering (onConfigure/onBeforeRender) sends a component update via websocket push to the client.
> The websocket request replaces the HtmlHeaderContainer added to the page at the end of the AbstractAjaxResponse.writeTo(Response, String) method with a default one.
> But this default header is removed on MarkupContainer.detachChildren() method.
> Now the ajax request is "continued" and writeHeaderContribution is called for the second component.
> header is not null in writeHeaderContribution because it was already created when processing the first component, so the header is not added to the page again (remember it was replaced while websocket request).
> Now at the end of writeTo method, wicket tries again to replace the header with a default one (comment there says "restore normal header").
> This leads to an exception: Cannot replace a component which has not been added: id='_header_'
> A little notice:
> The error would not happen, if second component would be processed before first component, because then the HeaderContainerItem of the ajax request isn't created before the websocket request is finished and so the header is added to the page on creation. So the problem is the removal of the HeaderContainerItem in detachChildren() after websocket request.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (WICKET-6246) WebSocket request while Ajax request leads to error regarding HtmlHeaderCotnainer
Thomas Chrenko created WICKET-6246:
--
Summary: WebSocket request while Ajax request leads to error regarding HtmlHeaderCotnainer
Key: WICKET-6246
URL: https://issues.apache.org/jira/browse/WICKET-6246
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 6.24.0
Reporter: Thomas Chrenko

There is a problem with header contribution which leads to a "Cannot replace a component which has not been added: id='_header_'" error.

Short:
- Add at least two components to an AjaxRequestTarget
- The (at least) second component must initiate a WebSocket push update of another component in onConfigure/onBeforeRender (maybe others)
- Exception at the end of ajax request (WebSocket request finishes without problem)

Long:
AbstractAjaxResponse iterates all components to update in writeComponents(Response, String).
For each component writeComponent(Response, String, Component, String) is called in sub class XmlAjaxResponse which calls writeHeaderContribution(Response, Component) of AbstractAjaxResponse.
This method creates the HtmlHeaderContainer and adds it to the page when rendering of first component added to target starts.
Second component rendering (onConfigure/onBeforeRender) sends a component update via websocket push to the client.
The websocket request replaces the HtmlHeaderContainer added to the page at the end of the AbstractAjaxResponse.writeTo(Response, String) method with a default one.
But this default header is removed on MarkupContainer.detachChildren() method.
Now the ajax request is "continued" and writeHeaderContribution is called for the second component.
header is not null in writeHeaderContribution because it was already created when processing the first component, so the header is not added to the page again (remember it was replaced while websocket request).
Now at the end of writeTo method, wicket tries again to replace the header with a default one (comment there says "restore normal header").
This leads to an exception: Cannot replace a component which has not been added: id='_header_'

A little notice:
The error would not happen, if second component would be processed before first component, because then the HeaderContainerItem of the ajax request isn't created before the websocket request is finished and so the header is added to the page on creation. So the problem is the removal of the HeaderContainerItem in detachChildren() after websocket request.
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504460#comment-15504460 ]

ASF subversion and git services commented on WICKET-6242:

Commit 4fdc8175cab0d842c7aeeb52366338ceaac250d9 in wicket's branch refs/heads/master from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=4fdc817 ]

WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

> Weak concurrency management in AuthenticatedWebSession#signedIn
> ---
>
> Key: WICKET-6242
> URL: https://issues.apache.org/jira/browse/WICKET-6242
> Project: Wicket
> Issue Type: Bug
> Components: wicket-auth-roles
> Affects Versions: 8.0.0-M1, 7.4.0
> Reporter: Martin Grigorov
> Assignee: Martin Grigorov
> Fix For: 8.0.0-M2, 7.5.0
>
> Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz
> Currently [1] uses a volatile boolean "signedIn" to control the state.
> org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure() tries to make use of it.
> IMO this implementation is a bit weak. There are big windows for this state to change in the meantime.
> Usually this shouldn't be a big problem, the application will authenticate the same user twice.
> But if the application does something in ISessionListener#onBind() then it becomes a problem [2].
> 1. https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
> 2. https://issues.apache.org/jira/browse/ISIS-1481
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504462#comment-15504462 ]

ASF subversion and git services commented on WICKET-6242:

Commit 91b9dbac3ad2b05e2e8c7fe47370ea193a4763b5 in wicket's branch refs/heads/master from Pedro Henrique Oliveira dos Santos
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=91b9dba ]

WICKET-6242 testing signIn method atomicity
[jira] [Resolved] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-6242.

Resolution: Fixed
Fix Version/s: 7.5.0 8.0.0-M2
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504463#comment-15504463 ]

ASF subversion and git services commented on WICKET-6242:

Commit 5e1ced34e30135f3e46c9ab8cea1b8137f72ca8d in wicket's branch refs/heads/master from [~bitstorm]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=5e1ced3 ]

WICKET-6242 Improved synchronization for signIn. Added missing header license.
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504461#comment-15504461 ]

ASF subversion and git services commented on WICKET-6242:

Commit d1fc5d2cc3c1ef5da9d8569328fa96a8de4abbad in wicket's branch refs/heads/master from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=d1fc5d2 ]

WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

Unset signedIn to 'false' only if the authenticated has failed.
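
The check-then-act window that the WICKET-6242 description refers to, as an added example; it is not Wicket's code and not the committed fix. `ModelSession`, `VolatileFlagSession` and `LockedSession` are hypothetical stand-ins, and the sleep in `authenticate` is an assumption made only to widen the window.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/** Added illustration with hypothetical classes; not Wicket's AuthenticatedWebSession. */
public class SignInRaceDemo {

    /** Minimal stand-in for a session: counts how often the bind side effect runs. */
    static abstract class ModelSession {
        final AtomicInteger bindCalls = new AtomicInteger();

        /** Stand-in credential check; the sleep widens the race window (assumption). */
        boolean authenticate(String user, String pass) {
            try {
                Thread.sleep(20);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return false;
            }
            return "user".equals(user) && "pass".equals(pass);
        }

        /** Stand-in for binding the session, where onBind()-style listeners would fire. */
        void bind() {
            bindCalls.incrementAndGet();
        }

        abstract boolean signIn(String user, String pass);
    }

    /** Weak: volatile gives visibility, but the check and the update are separate steps. */
    static class VolatileFlagSession extends ModelSession {
        private volatile boolean signedIn;

        @Override
        boolean signIn(String user, String pass) {
            if (!signedIn) {                    // several threads can pass this check
                boolean ok = authenticate(user, pass);
                if (ok) {
                    bind();                     // ... and each of them binds
                }
                signedIn = ok;
            }
            return signedIn;
        }
    }

    /** Hardened: check, authenticate, bind and update all happen under one lock. */
    static class LockedSession extends ModelSession {
        private boolean signedIn;               // guarded by "this"

        @Override
        synchronized boolean signIn(String user, String pass) {
            if (!signedIn) {
                boolean ok = authenticate(user, pass);
                if (ok) {
                    bind();
                }
                signedIn = ok;
            }
            return signedIn;
        }
    }

    /** Releases `threads` signIn calls at the same moment and returns the bind count. */
    static int run(ModelSession session, int threads) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch ready = new CountDownLatch(threads);
        CountDownLatch go = new CountDownLatch(1);
        for (int i = 0; i < threads; i++) {
            pool.submit(() -> {
                ready.countDown();
                go.await();                     // start barrier: all tasks overlap
                return session.signIn("user", "pass");
            });
        }
        ready.await();
        go.countDown();
        pool.shutdown();
        if (!pool.awaitTermination(10, TimeUnit.SECONDS)) {
            throw new IllegalStateException("sign-in tasks did not finish");
        }
        return session.bindCalls.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("volatile flag, bind() calls: " + run(new VolatileFlagSession(), 10));
        System.out.println("synchronized,  bind() calls: " + run(new LockedSession(), 10));
    }
}
```

With ten threads the volatile variant typically reports several bind() calls, while the synchronized variant reports exactly one.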
[2/4] wicket git commit: WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn
WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn Unset signedIn to 'false' only if the authenticated has failed. Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/d1fc5d2c Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/d1fc5d2c Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/d1fc5d2c Branch: refs/heads/master Commit: d1fc5d2cc3c1ef5da9d8569328fa96a8de4abbad Parents: 4fdc817 Author: Martin Tzvetanov GrigorovAuthored: Sat Sep 10 13:24:00 2016 +0200 Committer: Martin Tzvetanov Grigorov Committed: Mon Sep 19 21:38:34 2016 +0200 -- .../authroles/authentication/AuthenticatedWebSession.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/d1fc5d2c/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java -- diff --git a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java index 744811b..4e3851e 100644 --- a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java +++ b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java @@ -70,7 +70,10 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe { bind(); } - signedIn.set(authenticated); + else + { + signedIn.set(false); + } } return signedIn.get(); }
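Review bot: In the branch that calls bind(), nothing writes signedIn any more, so `return signedIn.get()` can only be true if the flag was already set before authentication ran, in code this hunk does not show. If that is the case, a concurrent reader of signedIn would see true while authentication is still in progress, and an exception thrown by bind() would leave it true. Please either set the flag only after authentication has succeeded, or add a comment above the new `else` stating the invariant that makes the early write safe.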
[3/4] wicket git commit: WICKET-6242 testing signIn method atomicity
WICKET-6242 testing signIn method atomicity Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/91b9dbac Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/91b9dbac Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/91b9dbac Branch: refs/heads/master Commit: 91b9dbac3ad2b05e2e8c7fe47370ea193a4763b5 Parents: d1fc5d2 Author: Pedro Henrique Oliveira dos SantosAuthored: Sat Sep 10 17:56:07 2016 -0300 Committer: Martin Tzvetanov Grigorov Committed: Mon Sep 19 21:40:20 2016 +0200 -- .../AuthenticatedWebSessionTest.java| 90 1 file changed, 90 insertions(+) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/91b9dbac/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java -- diff --git a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java new file mode 100644 index 000..c444d81 --- /dev/null +++ b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java 
@@ -0,0 +1,90 @@ +package org.apache.wicket.authroles.authentication; + +import static java.util.Locale.getDefault; +import static java.util.concurrent.TimeUnit.SECONDS; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; + +import org.apache.wicket.Application; +import org.apache.wicket.ThreadContext; +import org.apache.wicket.authroles.authorization.strategies.role.Roles; +import org.apache.wicket.request.Request; +import org.apache.wicket.request.Response; +import org.apache.wicket.session.ISessionStore; +import org.apache.wicket.util.tester.WicketTestCase; +import org.junit.Before; +import org.junit.Test; + +/** + * @author Pedro Santos + */ +public class AuthenticatedWebSessionTest extends WicketTestCase { + private Request request; + private Response response; + private ISessionStore sessionStore; + private AuthenticatedWebSession session; + + @Before + public void initialize() { + request = mock(Request.class); + response = mock(Response.class); + sessionStore = mock(ISessionStore.class); + when(request.getLocale()).thenReturn(getDefault()); + session = new TestAuthenticatedWebSession(request); + } + + @Test + public void shouldLookupForSessionOnce() throws InterruptedException { + ExecutorService executorService = Executors.newFixedThreadPool(10); + for (int i = 0; i < 10; i++) + executorService.submit(new SiginTask(tester.getApplication())); + executorService.shutdown(); + executorService.awaitTermination(5, SECONDS); + // counting lookup calls since sesion.bind() is final + // TODO: test for bind calls itself + verify(sessionStore, times(1)).lookup(request); + } + + class SiginTask implements Runnable { + Application application; + + public SiginTask(Application application) { + this.application = application; + } + + @Override + public void run() { + 
ThreadContext.setRequestCycle(application.createRequestCycle(request, response)); + session.signIn("user", "pass"); + } + + } + + class TestAuthenticatedWebSession extends AuthenticatedWebSession { + private static final long serialVersionUID = 1L; + + public TestAuthenticatedWebSession(Request request) { + super(request); + } + + @Override + protected boolean authenticate(String username, String password) { + return true; + } + + @Override + protected ISessionStore getSessionStore() { + return sessionStore; + } + + @Override + public Roles getRoles() { + return null; + } + } +}
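Review bot: In shouldLookupForSessionOnce the Futures returned by executorService.submit(...) are discarded and the boolean returned by awaitTermination(5, SECONDS) is ignored, so an exception thrown inside SiginTask.run(), or a task still running after five seconds, goes unnoticed and verify(sessionStore, times(1)).lookup(request) can be evaluated against an incomplete set of calls. Keep the futures and call get() on each, and assert that awaitTermination returned true. The ten tasks also start without a common barrier, so they may well run one after another; a CountDownLatch released after all tasks are submitted would force the overlap this test is meant to exercise. TestAuthenticatedWebSession.authenticate always returns true, so the rejected-credentials path of signIn is not covered here.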
[4/4] wicket git commit: WICKET-6242 Improved synchronization for signIn. Added missing header license.
WICKET-6242 Improved synchronization for signIn. Added missing header license. Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/5e1ced34 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/5e1ced34 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/5e1ced34 Branch: refs/heads/master Commit: 5e1ced34e30135f3e46c9ab8cea1b8137f72ca8d Parents: 91b9dba Author: Andrea Del BeneAuthored: Tue Sep 13 12:37:59 2016 +0200 Committer: Martin Tzvetanov Grigorov Committed: Mon Sep 19 21:40:27 2016 +0200 -- .../authentication/AuthenticatedWebSession.java | 14 -- .../authentication/AuthenticatedWebSessionTest.java | 16 2 files changed, 20 insertions(+), 10 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/5e1ced34/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java -- diff --git a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java index 4e3851e..681236a 100644 --- a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java +++ b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java 
@@ -63,17 +63,11 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe */ public final boolean signIn(final String username, final String password) { - if (signedIn.compareAndSet(false, true)) + boolean authenticated = authenticate(username, password); + + if (authenticated && signedIn.compareAndSet(false, true)) { - boolean authenticated = authenticate(username, password); - if (authenticated) - { - bind(); - } - else - { - signedIn.set(false); - } + bind(); } return signedIn.get(); } http://git-wip-us.apache.org/repos/asf/wicket/blob/5e1ced34/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java -- diff --git a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java index c444d81..d91dd9d 100644 --- a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java +++ b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java 
@@ -1,3 +1,19 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.wicket.authroles.authentication; import static java.util.Locale.getDefault;
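Review bot: signIn still ends with return signedIn.get(), so after the reordering in the first hunk the return value describes the session rather than this call: a call whose authenticate(username, password) returned false on a session that is already signed in returns true and leaves the session signed in. A caller that reads the result as "these credentials were accepted" gets the wrong answer. Either return authenticated when the check fails, or state in the method's Javadoc that the result is the session state and that a failed attempt does not sign an existing user out.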
[1/4] wicket git commit: WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn
Repository: wicket Updated Branches: refs/heads/master dbfe3461e -> 5e1ced34e WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/4fdc8175 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/4fdc8175 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/4fdc8175 Branch: refs/heads/master Commit: 4fdc8175cab0d842c7aeeb52366338ceaac250d9 Parents: dbfe346 Author: Martin Tzvetanov GrigorovAuthored: Sat Sep 10 13:12:28 2016 +0200 Committer: Martin Tzvetanov Grigorov Committed: Mon Sep 19 21:38:11 2016 +0200 -- .../authentication/AuthenticatedWebSession.java | 23 1 file changed, 14 insertions(+), 9 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/4fdc8175/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java -- diff --git a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java index a5df531..744811b 100644 --- a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java +++ b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java @@ -16,10 +16,11 @@ */ package org.apache.wicket.authroles.authentication; +import java.util.concurrent.atomic.AtomicBoolean; + import org.apache.wicket.Session; import org.apache.wicket.request.Request; - /** * Basic authenticated web session. Subclasses must provide a method that authenticates the session * based on a username and password, and a method implementation that gets the Roles 
@@ -39,7 +40,7 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe } /** True when the user is signed in */ - private volatile boolean signedIn; + private final AtomicBoolean signedIn = new AtomicBoolean(false); /** * Construct. @@ -62,12 +63,16 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe */ public final boolean signIn(final String username, final String password) { - signedIn = authenticate(username, password); - if (signedIn) + if (signedIn.compareAndSet(false, true)) { - bind(); + boolean authenticated = authenticate(username, password); + if (authenticated) + { + bind(); + } + signedIn.set(authenticated); } - return signedIn; + return signedIn.get(); } /** @@ -96,7 +101,7 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe */ protected final void signIn(boolean value) { - signedIn = value; + signedIn.set(value); } /** @@ -105,7 +110,7 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe @Override public final boolean isSignedIn() { - return signedIn; + return signedIn.get(); } /** @@ -124,7 +129,7 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe @Override public void invalidate() { - signedIn = false; + signedIn.set(false); super.invalidate(); } }
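Review bot: In signIn, compareAndSet(false, true) flips signedIn before authenticate(username, password) has returned, so for the whole duration of the credential check isSignedIn() reports true, and a second signIn call that loses the compareAndSet skips authenticate entirely and returns signedIn.get(), which is true at that moment whatever credentials it was given. Run authenticate first and use the compareAndSet only to guard bind(), so the flag never becomes true ahead of a successful check.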
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504417#comment-15504417 ] ASF subversion and git services commented on WICKET-6242: - Commit a384c6f75df0b13962b65a948d766f73b39e11ba in wicket's branch refs/heads/wicket-7.x from [~mgrigorov] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=a384c6f ] WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn > Weak concurrency management in AuthenticatedWebSession#signedIn > --- > > Key: WICKET-6242 > URL: https://issues.apache.org/jira/browse/WICKET-6242 > Project: Wicket > Issue Type: Bug > Components: wicket-auth-roles >Affects Versions: 8.0.0-M1, 7.4.0 >Reporter: Martin Grigorov >Assignee: Martin Grigorov > > Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz > Currently [1] uses a volatile boolean "signedIn" to control the state. > org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure() > tries to make use of it. > IMO this implementation is a bit weak. There are big windows this state to > change in the meantime. > Usually this shouldn't be a big problem, the application will authenticate > the same user twice. > But if the application does something in ISessionListener#onBind() then it > becomes a problem [2]. > 1. > https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java > 2. https://issues.apache.org/jira/browse/ISIS-1481 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504421#comment-15504421 ] ASF subversion and git services commented on WICKET-6242: - Commit 87fa748998a5c8e54df37d7ee119ede6b98db740 in wicket's branch refs/heads/wicket-7.x from [~mgrigorov] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=87fa748 ] Merge branch 'WICKET-6242-authenticate-once' into wicket-7.x > Weak concurrency management in AuthenticatedWebSession#signedIn > --- > > Key: WICKET-6242 > URL: https://issues.apache.org/jira/browse/WICKET-6242 > Project: Wicket > Issue Type: Bug > Components: wicket-auth-roles >Affects Versions: 8.0.0-M1, 7.4.0 >Reporter: Martin Grigorov >Assignee: Martin Grigorov > > Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz > Currently [1] uses a volatile boolean "signedIn" to control the state. > org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure() > tries to make use of it. > IMO this implementation is a bit weak. There are big windows this state to > change in the meantime. > Usually this shouldn't be a big problem, the application will authenticate > the same user twice. > But if the application does something in ISessionListener#onBind() then it > becomes a problem [2]. > 1. > https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java > 2. https://issues.apache.org/jira/browse/ISIS-1481 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504418#comment-15504418 ] ASF subversion and git services commented on WICKET-6242: - Commit d5425534a568d0cc0d4c6749a8965af69f107b8e in wicket's branch refs/heads/wicket-7.x from [~mgrigorov] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=d542553 ] WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn Unset signedIn to 'false' only if the authenticated has failed. > Weak concurrency management in AuthenticatedWebSession#signedIn > --- > > Key: WICKET-6242 > URL: https://issues.apache.org/jira/browse/WICKET-6242 > Project: Wicket > Issue Type: Bug > Components: wicket-auth-roles >Affects Versions: 8.0.0-M1, 7.4.0 >Reporter: Martin Grigorov >Assignee: Martin Grigorov > > Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz > Currently [1] uses a volatile boolean "signedIn" to control the state. > org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure() > tries to make use of it. > IMO this implementation is a bit weak. There are big windows this state to > change in the meantime. > Usually this shouldn't be a big problem, the application will authenticate > the same user twice. > But if the application does something in ISessionListener#onBind() then it > becomes a problem [2]. > 1. > https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java > 2. https://issues.apache.org/jira/browse/ISIS-1481 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504420#comment-15504420 ] ASF subversion and git services commented on WICKET-6242: - Commit 263e8c14476f9970d2ccfd8476f371149f2e2cb4 in wicket's branch refs/heads/wicket-7.x from [~bitstorm] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=263e8c1 ] WICKET-6242 Improved synchronization for signIn. Added missing header license. > Weak concurrency management in AuthenticatedWebSession#signedIn > --- > > Key: WICKET-6242 > URL: https://issues.apache.org/jira/browse/WICKET-6242 > Project: Wicket > Issue Type: Bug > Components: wicket-auth-roles >Affects Versions: 8.0.0-M1, 7.4.0 >Reporter: Martin Grigorov >Assignee: Martin Grigorov > > Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz > Currently [1] uses a volatile boolean "signedIn" to control the state. > org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure() > tries to make use of it. > IMO this implementation is a bit weak. There are big windows this state to > change in the meantime. > Usually this shouldn't be a big problem, the application will authenticate > the same user twice. > But if the application does something in ISessionListener#onBind() then it > becomes a problem [2]. > 1. > https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java > 2. https://issues.apache.org/jira/browse/ISIS-1481 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn
[ https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504419#comment-15504419 ] ASF subversion and git services commented on WICKET-6242: - Commit 56f947ee52e3b42e69481bac78838e6ec8325573 in wicket's branch refs/heads/wicket-7.x from Pedro Henrique Oliveira dos Santos [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=56f947e ] WICKET-6242 testing signIn method atomicity > Weak concurrency management in AuthenticatedWebSession#signedIn > --- > > Key: WICKET-6242 > URL: https://issues.apache.org/jira/browse/WICKET-6242 > Project: Wicket > Issue Type: Bug > Components: wicket-auth-roles >Affects Versions: 8.0.0-M1, 7.4.0 >Reporter: Martin Grigorov >Assignee: Martin Grigorov > > Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz > Currently [1] uses a volatile boolean "signedIn" to control the state. > org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure() > tries to make use of it. > IMO this implementation is a bit weak. There are big windows this state to > change in the meantime. > Usually this shouldn't be a big problem, the application will authenticate > the same user twice. > But if the application does something in ISessionListener#onBind() then it > becomes a problem [2]. > 1. > https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java > 2. https://issues.apache.org/jira/browse/ISIS-1481 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
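Added example, not Wicket code and not taken from the commits in this thread: a stand-alone model of the three signIn() orderings that appear in the WICKET-6242 patches, measuring what the issue description calls the "windows" in which the state can change. ModelSession, its latches and the boolean "verdict" parameter are hypothetical stand-ins for the session, the test harness and the credential check.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;

public class SignInOrderingDemo {
    enum Variant { VOLATILE_FLAG, CAS_THEN_AUTHENTICATE, AUTHENTICATE_THEN_CAS }

    /** Hypothetical stand-in for the session: only the state signIn() touches. */
    static final class ModelSession {
        final Variant variant;
        // The volatile boolean of the oldest variant is modelled with plain set()/get().
        final AtomicBoolean signedIn = new AtomicBoolean(false);
        final AtomicInteger binds = new AtomicInteger();
        final CountDownLatch authStarted = new CountDownLatch(1);
        final CountDownLatch authMayFinish;

        ModelSession(Variant variant, boolean holdAuthentication) {
            this.variant = variant;
            this.authMayFinish = new CountDownLatch(holdAuthentication ? 1 : 0);
        }

        /** Constructed credential check: blocks while held, then returns the given verdict. */
        boolean authenticate(boolean verdict) {
            authStarted.countDown();
            try {
                authMayFinish.await();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return false;
            }
            return verdict;
        }

        void bind() {
            binds.incrementAndGet();
        }

        boolean signIn(boolean verdict) {
            switch (variant) {
                case VOLATILE_FLAG: {          // ordering before commit 4fdc8175
                    signedIn.set(authenticate(verdict));
                    if (signedIn.get()) {
                        bind();                // every successful call binds
                    }
                    return signedIn.get();
                }
                case CAS_THEN_AUTHENTICATE: {  // ordering after 4fdc8175 and d5425534
                    if (signedIn.compareAndSet(false, true)) {
                        // the flag is already true while authenticate() runs
                        if (authenticate(verdict)) {
                            bind();
                        } else {
                            signedIn.set(false);
                        }
                    }
                    return signedIn.get();
                }
                default: {                     // ordering after 5e1ced34 / 263e8c14
                    boolean authenticated = authenticate(verdict);
                    if (authenticated && signedIn.compareAndSet(false, true)) {
                        bind();                // only the compareAndSet winner binds
                    }
                    return signedIn.get();
                }
            }
        }
    }

    /** Value of the flag seen by an observer while a rejected sign-in is still being checked. */
    static boolean flagDuringRejectedAttempt(Variant v) throws InterruptedException {
        ModelSession s = new ModelSession(v, true);
        Thread t = new Thread(() -> s.signIn(false));
        t.start();
        s.authStarted.await();                 // authenticate() is now in progress
        boolean observed = s.signedIn.get();
        s.authMayFinish.countDown();           // let the check finish and reject
        t.join();
        return observed;
    }

    /** Number of bind() calls after `callers` concurrent sign-ins with accepted credentials. */
    static int bindsForConcurrentCallers(Variant v, int callers) throws InterruptedException {
        ModelSession s = new ModelSession(v, false);
        Thread[] threads = new Thread[callers];
        for (int i = 0; i < callers; i++) {
            threads[i] = new Thread(() -> s.signIn(true));
            threads[i].start();
        }
        for (Thread t : threads) {
            t.join();
        }
        return s.binds.get();
    }

    public static void main(String[] args) throws InterruptedException {
        for (Variant v : Variant.values()) {
            System.out.printf("%-22s flag during rejected attempt=%-5b binds for 8 callers=%d%n",
                v, flagDuringRejectedAttempt(v), bindsForConcurrentCallers(v, 8));
        }
    }
}
```

Both measurements are deterministic: the first uses latches to sample the flag while authenticate() is blocked, the second depends only on how often each ordering reaches bind().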
[2/5] wicket git commit: WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn
WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn Unset signedIn to 'false' only if the authenticated has failed. Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/d5425534 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/d5425534 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/d5425534 Branch: refs/heads/wicket-7.x Commit: d5425534a568d0cc0d4c6749a8965af69f107b8e Parents: a384c6f Author: Martin Tzvetanov GrigorovAuthored: Sat Sep 10 13:24:00 2016 +0200 Committer: Martin Tzvetanov Grigorov Committed: Sat Sep 10 13:24:00 2016 +0200 -- .../authroles/authentication/AuthenticatedWebSession.java | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/d5425534/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java -- diff --git a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java index c8058f5..f0b450c 100644 --- a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java +++ b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java @@ -70,7 +70,10 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe { bind(); } - signedIn.set(authenticated); + else + { + signedIn.set(false); + } } return signedIn.get(); }
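Review bot: The new else branch resets signedIn only when authenticate returns false normally; if authenticate or bind() throws inside this block, neither branch's cleanup runs and the flag set by the enclosing compareAndSet (see the 4fdc8175 patch on this page) stays true, leaving a session that reports isSignedIn() without a completed check. Put the reset in a finally that runs unless authentication succeeded, or avoid the problem by authenticating before the flag is touched.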
[4/5] wicket git commit: WICKET-6242 Improved synchronization for signIn. Added missing header license.
WICKET-6242 Improved synchronization for signIn. Added missing header license. Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/263e8c14 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/263e8c14 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/263e8c14 Branch: refs/heads/wicket-7.x Commit: 263e8c14476f9970d2ccfd8476f371149f2e2cb4 Parents: 56f947e Author: Andrea Del BeneAuthored: Tue Sep 13 12:37:59 2016 +0200 Committer: Andrea Del Bene Committed: Tue Sep 13 14:53:50 2016 +0200 -- .../authentication/AuthenticatedWebSession.java | 14 -- .../authentication/AuthenticatedWebSessionTest.java | 16 2 files changed, 20 insertions(+), 10 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/263e8c14/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java -- diff --git a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java index f0b450c..f11d718 100644 --- a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java +++ b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java 
@@ -63,17 +63,11 @@ public abstract class AuthenticatedWebSession extends AbstractAuthenticatedWebSe */ public final boolean signIn(final String username, final String password) { - if (signedIn.compareAndSet(false, true)) + boolean authenticated = authenticate(username, password); + + if (authenticated && signedIn.compareAndSet(false, true)) { - boolean authenticated = authenticate(username, password); - if (authenticated) - { - bind(); - } - else - { - signedIn.set(false); - } + bind(); } return signedIn.get(); } http://git-wip-us.apache.org/repos/asf/wicket/blob/263e8c14/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java -- diff --git a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java index c444d81..d91dd9d 100644 --- a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java +++ b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java 
@@ -1,3 +1,19 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.apache.wicket.authroles.authentication; import static java.util.Locale.getDefault;
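Review bot: authenticate(username, password) now runs on every signIn call, outside the compareAndSet, so concurrent calls on one session execute it in parallel and a call on an already signed-in session still performs a full credential check. Implementations that keep state in authenticate (failed-attempt counters, audit records, fields set on the session) have to be thread-safe and tolerate repeated calls, and the Javadoc of authenticate should say so. What is guaranteed once per session after this change is bind(), not authenticate, which no longer matches the branch name 'WICKET-6242-authenticate-once' used in the merge commit.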
[5/5] wicket git commit: Merge branch 'WICKET-6242-authenticate-once' into wicket-7.x
Merge branch 'WICKET-6242-authenticate-once' into wicket-7.x Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/87fa7489 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/87fa7489 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/87fa7489 Branch: refs/heads/wicket-7.x Commit: 87fa748998a5c8e54df37d7ee119ede6b98db740 Parents: f2c165c 263e8c1 Author: Martin Tzvetanov GrigorovAuthored: Mon Sep 19 21:31:24 2016 +0200 Committer: Martin Tzvetanov Grigorov Committed: Mon Sep 19 21:31:24 2016 +0200 -- .../authentication/AuthenticatedWebSession.java | 16 +-- .../AuthenticatedWebSessionTest.java| 106 +++ 2 files changed, 115 insertions(+), 7 deletions(-) --
[jira] [Updated] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension
[ https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Martijn Dashorst updated WICKET-6245: - Assignee: Martijn Dashorst Affects Version/s: 6.20.0 7.0.0 6.21.0 7.1.0 7.2.0 7.3.0 8.0.0-M1 6.22.0 6.23.0 7.4.0 6.24.0 Fix Version/s: 7.5.0 6.25.0 8.0.0-M2 Component/s: wicket > Open up CsrfPreventionRequestCycleListener for extension > > > Key: WICKET-6245 > URL: https://issues.apache.org/jira/browse/WICKET-6245 > Project: Wicket > Issue Type: Bug > Components: wicket >Affects Versions: 6.20.0, 7.0.0, 6.21.0, 7.1.0, 7.2.0, 7.3.0, 8.0.0-M1, > 6.22.0, 6.23.0, 7.4.0, 6.24.0 >Reporter: Martijn Dashorst >Assignee: Martijn Dashorst >Priority: Minor > Fix For: 8.0.0-M2, 6.25.0, 7.5.0 > > > The design of the CsrfPreventionRequestCycleListener is such that it is open > for extension, but fails to provide the right hooks for implementors. We > should allow private methods to be called from event handlers, and allow > overriding of several checkpoints in the API. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
buildbot success in on wicket-master
The Buildbot has detected a restored build on builder wicket-master while building wicket. Full details are available at: https://ci.apache.org/builders/wicket-master/builds/499 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: hemera_ubuntu Build Reason: The SingleBranchScheduler scheduler named 'on-wicket-master-commit' triggered this build Build Source Stamp: [branch master] dbfe3461e5caa4c6d9f2d65b248a1a3e42946d0b Blamelist: Emond Papegaaij Build succeeded! Sincerely, -The Buildbot
[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension
[ https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503523#comment-15503523 ] ASF subversion and git services commented on WICKET-6245: - Commit f2c165cf994f60753016459ce0d94b3787f6727c in wicket's branch refs/heads/wicket-7.x from [~papegaaij] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=f2c165c ] WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked > Open up CsrfPreventionRequestCycleListener for extension > > > Key: WICKET-6245 > URL: https://issues.apache.org/jira/browse/WICKET-6245 > Project: Wicket > Issue Type: Bug >Reporter: Martijn Dashorst >Priority: Minor > > The design of the CsrfPreventionRequestCycleListener is such that it is open > for extension, but fails to provide the right hooks for implementors. We > should allow private methods to be called from event handlers, and allow > overriding of several checkpoints in the API. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension
[ https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503522#comment-15503522 ] ASF subversion and git services commented on WICKET-6245: - Commit 89a2aac8c6851ee03ada2ab0c71e8675d31e39d9 in wicket's branch refs/heads/wicket-6.x from [~papegaaij] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=89a2aac ] WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked > Open up CsrfPreventionRequestCycleListener for extension > > > Key: WICKET-6245 > URL: https://issues.apache.org/jira/browse/WICKET-6245 > Project: Wicket > Issue Type: Bug >Reporter: Martijn Dashorst >Priority: Minor > > The design of the CsrfPreventionRequestCycleListener is such that it is open > for extension, but fails to provide the right hooks for implementors. We > should allow private methods to be called from event handlers, and allow > overriding of several checkpoints in the API. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[3/3] wicket git commit: WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked
WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/89a2aac8 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/89a2aac8 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/89a2aac8 Branch: refs/heads/wicket-6.x Commit: 89a2aac8c6851ee03ada2ab0c71e8675d31e39d9 Parents: 3320821 Author: Emond PapegaaijAuthored: Mon Sep 19 15:38:32 2016 +0200 Committer: Emond Papegaaij Committed: Mon Sep 19 15:38:49 2016 +0200 -- .../protocol/http/CsrfPreventionRequestCycleListenerTest.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/89a2aac8/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java -- diff --git a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java index 4dca4b8..4448175 100644 --- a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java +++ b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java @@ -78,13 +78,12 @@ public class CsrfPreventionRequestCycleListenerTest extends WicketTestCase tester.assertRenderedPage(SecondPage.class); } - /** Tests the default setting of allowing a missing Origin. */ + /** Tests the default setting of aborting a missing Origin. */ @Test public void withoutOriginAllowed() { tester.clickLink("link"); - assertConflictingOriginsRequestAllowed(); - tester.assertRenderedPage(SecondPage.class); + assertConflictingOriginsRequestAborted(); } /** Tests the alternative action of suppressing a request without Origin header */
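Review bot: The test method is still named withoutOriginAllowed although its body now calls assertConflictingOriginsRequestAborted(); rename it (for example withoutOriginAborted) so that a failure report names the behaviour actually being checked. The helper's name speaks of conflicting origins while this case is a missing Origin header; if the helper only verifies that the request was aborted, a neutral name would avoid the confusion.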
[1/3] wicket git commit: WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked
Repository: wicket Updated Branches: refs/heads/master 6c40c919f -> dbfe3461e refs/heads/wicket-6.x 332082134 -> 89a2aac8c refs/heads/wicket-7.x 5c345567c -> f2c165cf9 WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/f2c165cf Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/f2c165cf Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/f2c165cf Branch: refs/heads/wicket-7.x Commit: f2c165cf994f60753016459ce0d94b3787f6727c Parents: 5c34556 Author: Emond PapegaaijAuthored: Mon Sep 19 15:38:32 2016 +0200 Committer: Emond Papegaaij Committed: Mon Sep 19 15:38:32 2016 +0200 -- .../protocol/http/CsrfPreventionRequestCycleListenerTest.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/f2c165cf/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java -- diff --git a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java index beef761..3db62ab 100644 --- a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java +++ b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java 
@@ -78,13 +78,12 @@ public class CsrfPreventionRequestCycleListenerTest extends WicketTestCase tester.assertRenderedPage(SecondPage.class); } - /** Tests the default setting of allowing a missing Origin. */ + /** Tests the default setting of aborting a missing Origin. */ @Test public void withoutOriginAllowed() { tester.clickLink("link"); - assertConflictingOriginsRequestAllowed(); - tester.assertRenderedPage(SecondPage.class); + assertConflictingOriginsRequestAborted(); } /** Tests the alternative action of suppressing a request without Origin header */
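Review bot: Removing tester.assertRenderedPage(SecondPage.class) leaves withoutOriginAllowed() with no assertion about what the client receives once the request is aborted. Unless assertConflictingOriginsRequestAborted() already covers it, add a check on the response the tester sees (the status, or that SecondPage was not rendered), so a regression that records an abort but still renders the target page is caught.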
[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension
[ https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503521#comment-15503521 ] ASF subversion and git services commented on WICKET-6245: - Commit dbfe3461e5caa4c6d9f2d65b248a1a3e42946d0b in wicket's branch refs/heads/master from [~papegaaij] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=dbfe346 ] WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked > Open up CsrfPreventionRequestCycleListener for extension > > > Key: WICKET-6245 > URL: https://issues.apache.org/jira/browse/WICKET-6245 > Project: Wicket > Issue Type: Bug >Reporter: Martijn Dashorst >Priority: Minor > > The design of the CsrfPreventionRequestCycleListener is such that it is open > for extension, but fails to provide the right hooks for implementors. We > should allow private methods to be called from event handlers, and allow > overriding of several checkpoints in the API. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[2/3] wicket git commit: WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked
WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/dbfe3461 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/dbfe3461 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/dbfe3461 Branch: refs/heads/master Commit: dbfe3461e5caa4c6d9f2d65b248a1a3e42946d0b Parents: 6c40c91 Author: Emond PapegaaijAuthored: Mon Sep 19 15:38:32 2016 +0200 Committer: Emond Papegaaij Committed: Mon Sep 19 15:38:44 2016 +0200 -- .../protocol/http/CsrfPreventionRequestCycleListenerTest.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/dbfe3461/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java -- diff --git a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java index beef761..3db62ab 100644 --- a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java +++ b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java @@ -78,13 +78,12 @@ public class CsrfPreventionRequestCycleListenerTest extends WicketTestCase tester.assertRenderedPage(SecondPage.class); } - /** Tests the default setting of allowing a missing Origin. */ + /** Tests the default setting of aborting a missing Origin. */ @Test public void withoutOriginAllowed() { tester.clickLink("link"); - assertConflictingOriginsRequestAllowed(); - tester.assertRenderedPage(SecondPage.class); + assertConflictingOriginsRequestAborted(); } /** Tests the alternative action of suppressing a request without Origin header */
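Review bot: The Javadoc on withoutOriginAllowed now describes aborting a request without an Origin header as the default, where it previously described allowing it, and this commit only adjusts the test to match. A changed default for a CSRF check affects every client that sends no Origin header, so the new default and the setting that restores the old one should be named in the release or migration notes referenced from WICKET-6245, not only in a test comment.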
buildbot failure in on wicket-branch-7.x
The Buildbot has detected a new failure on builder wicket-branch-7.x while building wicket. Full details are available at: https://ci.apache.org/builders/wicket-branch-7.x/builds/276 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: hemera_ubuntu Build Reason: The SingleBranchScheduler scheduler named 'on-wicket-branch-7.x-commit' triggered this build Build Source Stamp: [branch wicket-7.x] 5c345567c75b3cc1f7e4cce6dcf3e692870b4823 Blamelist: Emond Papegaaij BUILD FAILED: failed compile Sincerely, -The Buildbot
buildbot failure in on wicket-branch-6.x
The Buildbot has detected a new failure on builder wicket-branch-6.x while building wicket. Full details are available at: https://ci.apache.org/builders/wicket-branch-6.x/builds/166 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: hemera_ubuntu Build Reason: The SingleBranchScheduler scheduler named 'on-wicket-branch-6.x-commit' triggered this build Build Source Stamp: [branch wicket-6.x] 3320821343f7957a4850f2d9b61ab18eec55fa62 Blamelist: Emond Papegaaij BUILD FAILED: failed compile Sincerely, -The Buildbot
buildbot failure in on wicket-master
The Buildbot has detected a new failure on builder wicket-master while building wicket. Full details are available at: https://ci.apache.org/builders/wicket-master/builds/498 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: hemera_ubuntu Build Reason: The SingleBranchScheduler scheduler named 'on-wicket-master-commit' triggered this build Build Source Stamp: [branch master] 6c40c919f54fce610c584b9e4ec7925c14a5a19b Blamelist: Emond Papegaaij BUILD FAILED: failed compile Sincerely, -The Buildbot
[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension
[ https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503494#comment-15503494 ] ASF subversion and git services commented on WICKET-6245: - Commit 3320821343f7957a4850f2d9b61ab18eec55fa62 in wicket's branch refs/heads/wicket-6.x from [~papegaaij] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=3320821 ] WICKET-6245: open up CsrfPreventionRequestCycleListener for extension > Open up CsrfPreventionRequestCycleListener for extension > > > Key: WICKET-6245 > URL: https://issues.apache.org/jira/browse/WICKET-6245 > Project: Wicket > Issue Type: Bug >Reporter: Martijn Dashorst >Priority: Minor > > The design of the CsrfPreventionRequestCycleListener is such that it is open > for extension, but fails to provide the right hooks for implementors. We > should allow private methods to be called from event handlers, and allow > overriding of several checkpoints in the API. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[3/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension
WICKET-6245: open up CsrfPreventionRequestCycleListener for extension Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/33208213 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/33208213 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/33208213 Branch: refs/heads/wicket-6.x Commit: 3320821343f7957a4850f2d9b61ab18eec55fa62 Parents: 52f0b8a Author: Emond PapegaaijAuthored: Mon Sep 19 15:24:57 2016 +0200 Committer: Emond Papegaaij Committed: Mon Sep 19 15:26:57 2016 +0200 -- .../CsrfPreventionRequestCycleListener.java | 188 +++ 1 file changed, 114 insertions(+), 74 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/33208213/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java -- diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java index 3e81252..a3f8320 100644 --- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java +++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java @@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest; import org.apache.wicket.RestartResponseException; import org.apache.wicket.core.request.handler.IPageRequestHandler; import org.apache.wicket.core.request.handler.RenderPageRequestHandler; +import org.apache.wicket.protocol.http.WebApplication; import org.apache.wicket.request.IRequestHandler; +import org.apache.wicket.request.IRequestHandlerDelegate; import org.apache.wicket.request.component.IRequestablePage; import org.apache.wicket.request.cycle.AbstractRequestCycleListener; import org.apache.wicket.request.cycle.IRequestCycleListener; 
@@ -39,9 +41,9 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** - * Prevents CSRF attacks on Wicket components by checking the {@code Origin} HTTP header for cross - * domain requests. By default only checks requests that try to perform an action on a component, - * such as a form submit, or link click. + * Prevents CSRF attacks on Wicket components by checking the {@code Origin} and {@code Referer} + * HTTP headers for cross domain requests. By default only checks requests that try to perform an + * action on a component, such as a form submit, or link click. * * Installation * 
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory; * * Configuration * - * A missing {@code Origin} HTTP header is (by default) handled as if it were a good request and - * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a - * different value, suppressing or aborting the request when the {@code Origin} HTTP header is - * missing. + * When the {@code Origin} or {@code Referer} HTTP header is present but doesn't match the requested + * URL this listener will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the + * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} this specific action. * - * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to - * be from a "privacy-sensitive" context and will trigger the conflicting origin action. You can - * customize what happens in those actions by overriding the respective {@code on} methods. + * A missing {@code Origin} and {@code Referer} HTTP header is handled as if it were a bad request + * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a + * different value, suppressing or allowing the request when the HTTP headers are missing. * - * When the {@code Origin} HTTP header is present but doesn't match the requested URL this listener - * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the request. You can - * {@link #setConflictingOriginAction(CsrfAction) configure} this specific action. + * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to + * be from a "privacy-sensitive" context and will trigger the no origin action. You can customize + * what happens in those actions by overriding the respective {@code on} methods. * * When you want to accept certain cross domain request from a range of hosts, you can * {@link #addAcceptedOrigin(String) whitelist those domains}. 
@@ -96,7 +97,7 @@ import org.slf4j.LoggerFactory; * {@link #isChecked(IRequestHandler)} to customize this behavior. * * - * You can override the
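Review bot: The Configuration Javadoc in the `@@ -60,18 +62,17` hunk flips the default for a request without `Origin` and `Referer` from accepted to rejected, yet the commit message only speaks of opening the class up for extension, and this copy of the change targets the wicket-6.x maintenance branch. Applications that already install the listener will start rejecting requests from clients that send neither header, so the default change should be stated in the commit message and in the release or migration notes. The Javadoc would also be easier to act on if it named the default `CsrfAction` value next to `{@link #setNoOriginAction(CsrfAction)}` instead of describing it only as "rejected".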
[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension
[ https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503495#comment-15503495 ] ASF subversion and git services commented on WICKET-6245: - Commit 5c345567c75b3cc1f7e4cce6dcf3e692870b4823 in wicket's branch refs/heads/wicket-7.x from [~papegaaij] [ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=5c34556 ] WICKET-6245: open up CsrfPreventionRequestCycleListener for extension > Open up CsrfPreventionRequestCycleListener for extension > > > Key: WICKET-6245 > URL: https://issues.apache.org/jira/browse/WICKET-6245 > Project: Wicket > Issue Type: Bug >Reporter: Martijn Dashorst >Priority: Minor > > The design of the CsrfPreventionRequestCycleListener is such that it is open > for extension, but fails to provide the right hooks for implementors. We > should allow private methods to be called from event handlers, and allow > overriding of several checkpoints in the API. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[2/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension
WICKET-6245: open up CsrfPreventionRequestCycleListener for extension Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/6c40c919 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/6c40c919 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/6c40c919 Branch: refs/heads/master Commit: 6c40c919f54fce610c584b9e4ec7925c14a5a19b Parents: c04f2b0 Author: Emond PapegaaijAuthored: Mon Sep 19 15:24:57 2016 +0200 Committer: Emond Papegaaij Committed: Mon Sep 19 15:25:21 2016 +0200 -- .../CsrfPreventionRequestCycleListener.java | 182 +++ 1 file changed, 111 insertions(+), 71 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/6c40c919/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java -- diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java index a2bf124..ce03862 100644 --- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java +++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java @@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest; import org.apache.wicket.RestartResponseException; import org.apache.wicket.core.request.handler.IPageRequestHandler; import org.apache.wicket.core.request.handler.RenderPageRequestHandler; +import org.apache.wicket.protocol.http.WebApplication; import org.apache.wicket.request.IRequestHandler; +import org.apache.wicket.request.IRequestHandlerDelegate; import org.apache.wicket.request.component.IRequestablePage; import org.apache.wicket.request.cycle.AbstractRequestCycleListener; import org.apache.wicket.request.cycle.IRequestCycleListener; 
@@ -39,9 +41,9 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** - * Prevents CSRF attacks on Wicket components by checking the {@code Origin} HTTP header for cross - * domain requests. By default only checks requests that try to perform an action on a component, - * such as a form submit, or link click. + * Prevents CSRF attacks on Wicket components by checking the {@code Origin} and {@code Referer} + * HTTP headers for cross domain requests. By default only checks requests that try to perform an + * action on a component, such as a form submit, or link click. * * Installation * 
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory; * * Configuration * - * A missing {@code Origin} HTTP header is (by default) handled as if it were a good request and - * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a - * different value, suppressing or aborting the request when the {@code Origin} HTTP header is - * missing. + * When the {@code Origin} or {@code Referer} HTTP header is present but doesn't match the requested + * URL this listener will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the + * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} this specific action. * - * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to - * be from a "privacy-sensitive" context and will trigger the conflicting origin action. You can - * customize what happens in those actions by overriding the respective {@code on} methods. + * A missing {@code Origin} and {@code Referer} HTTP header is handled as if it were a bad request + * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a + * different value, suppressing or allowing the request when the HTTP headers are missing. * - * When the {@code Origin} HTTP header is present but doesn't match the requested URL this listener - * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the request. You can - * {@link #setConflictingOriginAction(CsrfAction) configure} this specific action. + * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to + * be from a "privacy-sensitive" context and will trigger the no origin action. You can customize + * what happens in those actions by overriding the respective {@code on} methods. * * When you want to accept certain cross domain request from a range of hosts, you can * {@link #addAcceptedOrigin(String) whitelist those domains}. 
@@ -96,7 +97,7 @@ import org.slf4j.LoggerFactory; * {@link #isChecked(IRequestHandler)} to customize this behavior. * * - * You can override the default
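Review bot: The import hunk (`@@ -27,7 +27,9`) adds `import org.apache.wicket.protocol.http.WebApplication;`, but judging by the file path `wicket-core/src/main/java/org/apache/wicket/protocol/http/` this class already lives in that package, so the import is redundant and can be dropped. The first Javadoc hunk (`@@ -39,9 +41,9`) now says both `Origin` and `Referer` are checked without saying which one is consulted first or what happens when both are present and disagree; one sentence on the precedence would remove the ambiguity for implementors overriding the checkpoints.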
[1/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension
Repository: wicket Updated Branches: refs/heads/master c04f2b00b -> 6c40c919f refs/heads/wicket-6.x 52f0b8afa -> 332082134 refs/heads/wicket-7.x 47bc8a8d7 -> 5c345567c WICKET-6245: open up CsrfPreventionRequestCycleListener for extension Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/5c345567 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/5c345567 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/5c345567 Branch: refs/heads/wicket-7.x Commit: 5c345567c75b3cc1f7e4cce6dcf3e692870b4823 Parents: 47bc8a8 Author: Emond PapegaaijAuthored: Mon Sep 19 15:24:57 2016 +0200 Committer: Emond Papegaaij Committed: Mon Sep 19 15:24:57 2016 +0200 -- .../CsrfPreventionRequestCycleListener.java | 182 +++ 1 file changed, 111 insertions(+), 71 deletions(-) -- http://git-wip-us.apache.org/repos/asf/wicket/blob/5c345567/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java -- diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java index 73cebee..4025e7e 100644 --- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java +++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java 
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest; import org.apache.wicket.RestartResponseException; import org.apache.wicket.core.request.handler.IPageRequestHandler; import org.apache.wicket.core.request.handler.RenderPageRequestHandler; +import org.apache.wicket.protocol.http.WebApplication; import org.apache.wicket.request.IRequestHandler; +import org.apache.wicket.request.IRequestHandlerDelegate; import org.apache.wicket.request.component.IRequestablePage; import org.apache.wicket.request.cycle.AbstractRequestCycleListener; import org.apache.wicket.request.cycle.IRequestCycleListener; @@ -39,9 +41,9 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** - * Prevents CSRF attacks on Wicket components by checking the {@code Origin} HTTP header for cross - * domain requests. By default only checks requests that try to perform an action on a component, - * such as a form submit, or link click. + * Prevents CSRF attacks on Wicket components by checking the {@code Origin} and {@code Referer} + * HTTP headers for cross domain requests. By default only checks requests that try to perform an + * action on a component, such as a form submit, or link click. * * Installation * 
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory; * * Configuration * - * A missing {@code Origin} HTTP header is (by default) handled as if it were a good request and - * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a - * different value, suppressing or aborting the request when the {@code Origin} HTTP header is - * missing. + * When the {@code Origin} or {@code Referer} HTTP header is present but doesn't match the requested + * URL this listener will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the + * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} this specific action. * - * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to - * be from a "privacy-sensitive" context and will trigger the conflicting origin action. You can - * customize what happens in those actions by overriding the respective {@code on} methods. + * A missing {@code Origin} and {@code Referer} HTTP header is handled as if it were a bad request + * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the specific action} to a + * different value, suppressing or allowing the request when the HTTP headers are missing. * - * When the {@code Origin} HTTP header is present but doesn't match the requested URL this listener - * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the request. You can - * {@link #setConflictingOriginAction(CsrfAction) configure} this specific action. + * When the {@code Origin} HTTP header is present and has the value {@code null} it is considered to + * be from a "privacy-sensitive" context and will trigger the no origin action. You can customize + * what happens in those actions by overriding the respective {@code on} methods. * * When you want to accept certain cross domain request from a range of hosts, you can * {@link #addAcceptedOrigin(String)
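Review bot: In the Configuration hunk (`@@ -60,18 +62,17`) an `Origin` header with the value `null` moves from the conflicting origin action to the no origin action, which means an application that configures `setNoOriginAction(CsrfAction)` to allow requests will now also accept requests from the "privacy-sensitive" contexts the paragraph mentions. The Javadoc should state that consequence explicitly next to the description of the no origin action, or the `null` case should get its own action. After the reorder, the closing sentence "You can customize what happens in those actions by overriding the respective {@code on} methods" follows a paragraph that names only the no origin action, so "those actions" no longer has a clear referent; move it to its own paragraph after both actions are described.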
[jira] [Created] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension
Martijn Dashorst created WICKET-6245: Summary: Open up CsrfPreventionRequestCycleListener for extension Key: WICKET-6245 URL: https://issues.apache.org/jira/browse/WICKET-6245 Project: Wicket Issue Type: Bug Reporter: Martijn Dashorst Priority: Minor The design of the CsrfPreventionRequestCycleListener is such that it is open for extension, but fails to provide the right hooks for implementors. We should allow private methods to be called from event handlers, and allow overriding of several checkpoints in the API. -- This message was sent by Atlassian JIRA (v6.3.4#6332)