[jira] [Updated] (WICKET-6246) WebSocket request while Ajax request leads to error regarding HtmlHeaderContainer

2016-09-19 Thread Thomas Chrenko (JIRA)

 [ 
https://issues.apache.org/jira/browse/WICKET-6246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thomas Chrenko updated WICKET-6246:
---
Description: 
There is a problem with header contribution which leads to a "Cannot replace a 
component which has not been added: id='_header_'" error.

Short:
- Add at least two components to an AjaxRequestTarget
- The (at least) second component must initiate a WebSocket push update of 
another component in onConfigure/onBeforeRender (maybe others)
- Exception at the end of ajax request (WebSocket request finishes without 
problem)

Long:
AbstractAjaxResponse iterates all components to update in 
writeComponents(Response, String). 
For each component writeComponent(Response, String, Component, String) is 
called in sub class XmlAjaxResponse which calls 
writeHeaderContribution(Response, Component) of AbstractAjaxResponse.
This method creates the HtmlHeaderContainer and adds it to the page when 
rendering of first component added to target starts.
Second component rendering (onConfigure/onBeforeRender) sends a component update 
via websocket push to the client.
The websocket request replaces the HtmlHeaderContainer added to the page and at 
the end of the AbstractAjaxResponse.writeTo(Response, String) the header is 
again replaced with a default one.
But this default header is removed on MarkupContainer.detachChildren() method.
Now the ajax request is "continued" and writeHeaderContribution is called for 
the second component.
header is not null in writeHeaderContribution because it was already created 
when processing the first component, so the header is not added to the page 
again (remember it was replaced while websocket request).
Now at the end of writeTo method, wicket tries again to replace the header with 
a default one (comment there says "restore normal header").
This leads to an exception: Cannot replace a component which has not been 
added: id='_header_' 

A little notice:
The error would not happen, if second component would be processed before first 
component, because then the HeaderContainerItem of the ajax request isn't 
created before the websocket request is finished and so the header is added to 
the page on creation. So the problem is the removal of the HeaderContainerItem 
in detachChildren() after websocket request.

In Wicket 7.4 (the only one I tested), this works without problems.


[jira] [Updated] (WICKET-6246) WebSocket request while Ajax request leads to error regarding HtmlHeaderContainer

2016-09-19 Thread Thomas Chrenko (JIRA)

 [ 
https://issues.apache.org/jira/browse/WICKET-6246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thomas Chrenko updated WICKET-6246:
---
Description: 
There is a problem with header contribution which leads to a "Cannot replace a 
component which has not been added: id='_header_'" error.

Short:
- Add at least two components to an AjaxRequestTarget
- The (at least) second component must initiate a WebSocket push update of 
another component in onConfigure/onBeforeRender (maybe others)
- Exception at the end of ajax request (WebSocket request finishes without 
problem)

Long:
AbstractAjaxResponse iterates all components to update in 
writeComponents(Response, String). 
For each component writeComponent(Response, String, Component, String) is 
called in sub class XmlAjaxResponse which calls 
writeHeaderContribution(Response, Component) of AbstractAjaxResponse.
This method creates the HtmlHeaderContainer and adds it to the page when 
rendering of first component added to target starts.
Second component rendering (onConfigure/onBeforeRender) sends a component update 
via websocket push to the client.
The websocket request replaces the HtmlHeaderContainer added to the page at the 
end of the AbstractAjaxResponse.writeTo(Response, String) method with a default 
one.
But this default header is removed on MarkupContainer.detachChildren() method.
Now the ajax request is "continued" and writeHeaderContribution is called for 
the second component.
header is not null in writeHeaderContribution because it was already created 
when processing the first component, so the header is not added to the page 
again (remember it was replaced while websocket request).
Now at the end of writeTo method, wicket tries again to replace the header with 
a default one (comment there says "restore normal header").
This leads to an exception: Cannot replace a component which has not been 
added: id='_header_' 

A little notice:
The error would not happen, if second component would be processed before first 
component, because then the HeaderContainerItem of the ajax request isn't 
created before the websocket request is finished and so the header is added to 
the page on creation. So the problem is the removal of the HeaderContainerItem 
in detachChildren() after websocket request.

In Wicket 7.4 (the only one I tested), this works without problems.


[jira] [Updated] (WICKET-6246) WebSocket request while Ajax request leads to error regarding HtmlHeaderContainer

2016-09-19 Thread Thomas Chrenko (JIRA)

 [ 
https://issues.apache.org/jira/browse/WICKET-6246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thomas Chrenko updated WICKET-6246:
---
Attachment: quickstart.zip

Added quickstart to demonstrate. HomePage.java contains the long description 
again. 

> WebSocket request while Ajax request leads to error regarding 
> HtmlHeaderContainer
> -
>
> Key: WICKET-6246
> URL: https://issues.apache.org/jira/browse/WICKET-6246
> Project: Wicket
>  Issue Type: Bug
>  Components: wicket
>Affects Versions: 6.24.0
>Reporter: Thomas Chrenko
>  Labels: header, header-contribution
> Attachments: quickstart.zip
>
>
> There is a problem with header contribution which leads to a "Cannot replace a 
> component which has not been added: id='_header_'" error.
> Short:
> - Add at least two components to an AjaxRequestTarget
> - The (at least) second component must initiate a WebSocket push update of 
> another component in onConfigure/onBeforeRender (maybe others)
> - Exception at the end of ajax request (WebSocket request finishes without 
> problem)
> Long:
> AbstractAjaxResponse iterates all components to update in 
> writeComponents(Response, String). 
> For each component writeComponent(Response, String, Component, String) is 
> called in sub class XmlAjaxResponse which calls 
> writeHeaderContribution(Response, Component) of AbstractAjaxResponse.
> This method creates the HtmlHeaderContainer and adds it to the page when 
> rendering of first component added to target starts.
> Second component rendering (onConfigure/onBeforeRender) sends a component 
> update via websocket push to the client.
> The websocket request replaces the HtmlHeaderContainer added to the page at 
> the end of the AbstractAjaxResponse.writeTo(Response, String) method with a 
> default one.
> But this default header is removed on MarkupContainer.detachChildren() method.
> Now the ajax request is "continued" and writeHeaderContribution is called for 
> the second component.
> header is not null in writeHeaderContribution because it was already created 
> when processing the first component, so the header is not added to the page 
> again (remember it was replaced while websocket request).
> Now at the end of writeTo method, wicket tries again to replace the header 
> with a default one (comment there says "restore normal header").
> This leads to an exception: Cannot replace a component which has not been 
> added: id='_header_' 
> A little notice:
> The error would not happen, if second component would be processed before 
> first component, because then the HeaderContainerItem of the ajax request 
> isn't created before the websocket request is finished and so the header is 
> added to the page on creation. So the problem is the removal of the 
> HeaderContainerItem in detachChildren() after websocket request.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Updated] (WICKET-6246) WebSocket request while Ajax request leads to error regarding HtmlHeaderContainer

2016-09-19 Thread Thomas Chrenko (JIRA)

 [ 
https://issues.apache.org/jira/browse/WICKET-6246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thomas Chrenko updated WICKET-6246:
---
Description: 
There is a problem with header contribution which leads to a "Cannot replace a 
component which has not been added: id='_header_'" error.

Short:
- Add at least two components to an AjaxRequestTarget
- The (at least) second component must initiate a WebSocket push update of 
another component in onConfigure/onBeforeRender (maybe others)
- Exception at the end of ajax request (WebSocket request finishes without 
problem)

Long:
AbstractAjaxResponse iterates all components to update in 
writeComponents(Response, String). 
For each component writeComponent(Response, String, Component, String) is 
called in sub class XmlAjaxResponse which calls 
writeHeaderContribution(Response, Component) of AbstractAjaxResponse.
This method creates the HtmlHeaderContainer and adds it to the page when 
rendering of first component added to target starts.
Second component rendering (onConfigure/onBeforeRender) sends a component update 
via websocket push to the client.
The websocket request replaces the HtmlHeaderContainer added to the page at the 
end of the AbstractAjaxResponse.writeTo(Response, String) method with a default 
one.
But this default header is removed on MarkupContainer.detachChildren() method.
Now the ajax request is "continued" and writeHeaderContribution is called for 
the second component.
header is not null in writeHeaderContribution because it was already created 
when processing the first component, so the header is not added to the page 
again (remember it was replaced while websocket request).
Now at the end of writeTo method, wicket tries again to replace the header with 
a default one (comment there says "restore normal header").
This leads to an exception: Cannot replace a component which has not been 
added: id='_header_' 

A little notice:
The error would not happen, if second component would be processed before first 
component, because then the HeaderContainerItem of the ajax request isn't 
created before the websocket request is finished and so the header is added to 
the page on creation. So the problem is the removal of the HeaderContainerItem 
in detachChildren() after websocket request.


[jira] [Created] (WICKET-6246) WebSocket request while Ajax request leads to error regarding HtmlHeaderContainer

2016-09-19 Thread Thomas Chrenko (JIRA)
Thomas Chrenko created WICKET-6246:
--

 Summary: WebSocket request while Ajax request leads to error 
regarding HtmlHeaderContainer
 Key: WICKET-6246
 URL: https://issues.apache.org/jira/browse/WICKET-6246
 Project: Wicket
  Issue Type: Bug
  Components: wicket
Affects Versions: 6.24.0
Reporter: Thomas Chrenko


There is a problem with header contribution which leads to a "Cannot replace a 
component which has not been added: id='_header_'" error.

Short:
- Add at least two components to an AjaxRequestTarget
- The (at least) second component must initiate a WebSocket push update of 
another component in onConfigure/onBeforeRender (maybe others)
- Exception at the end of ajax request (WebSocket request finishes without 
problem)

Long:
AbstractAjaxResponse iterates all components to update in 
writeComponents(Response, String). For each component writeComponent(Response, 
String, Component, String) is called in 
sub class XmlAjaxResponse which calls writeHeaderContribution(Response, 
Component) of AbstractAjaxResponse. This method creates the
HtmlHeaderContainer and adds it to the page when rendering of
first component added to target starts. Second component rendering 
(onConfigure/onBeforeRender) sends a component update via websocket push to the 
client. The websocket request replaces the HtmlHeaderContainer added to the 
page at the end of the
AbstractAjaxResponse.writeTo(Response, String) method with a default one. But 
this default header is removed on
MarkupContainer.detachChildren() method. Now the ajax request is "continued" 
and writeHeaderContribution is called for the second component. header is not 
null in writeHeaderContribution
because it was already created when processing the first component,
so the header is not added to the page again (remember it was replaced while 
websocket request). Now at the end of writeTo method, wicket tries again to 
replace the header with a default one (comment there
says "restore normal header"). This leads to an exception: Cannot replace a 
component which has not been added: id='_header_' 

A little notice:
The error would not happen, if second component would be processed before first 
component, because then the HeaderContainerItem of the ajax request isn't 
created before the websocket request is finished and so the header is added to 
the page on creation. So the problem is the removal of the HeaderContainerItem 
in detachChildren() after websocket request.





[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504460#comment-15504460
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit 4fdc8175cab0d842c7aeeb52366338ceaac250d9 in wicket's branch 
refs/heads/master from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=4fdc817 ]

WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn


> Weak concurrency management in AuthenticatedWebSession#signedIn
> ---
>
> Key: WICKET-6242
> URL: https://issues.apache.org/jira/browse/WICKET-6242
> Project: Wicket
>  Issue Type: Bug
>  Components: wicket-auth-roles
>Affects Versions: 8.0.0-M1, 7.4.0
>Reporter: Martin Grigorov
>Assignee: Martin Grigorov
> Fix For: 8.0.0-M2, 7.5.0
>
>
> Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz
> Currently [1] uses a volatile boolean "signedIn" to control the state.
> org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure()
> tries to make use of it.
> IMO this implementation is a bit weak. There are big windows for this state to
> change in the meantime.
> Usually this shouldn't be a big problem, the application will authenticate
> the same user twice.
> But if the application does something in ISessionListener#onBind() then it
> becomes a problem [2].
> 1.
> https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
> 2. https://issues.apache.org/jira/browse/ISIS-1481



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
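
The window described in the issue above, as an added example (not Wicket's code and not the committed fix): a hypothetical ModelSession guarded by a volatile flag lets every concurrent caller authenticate and bind, while the same logic inside one critical section binds once. All class and method names are assumptions, and the 50 ms sleep is a constructed stand-in for a slow credential check.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class SignInRaceDemo {

    /** Hypothetical stand-in for a session; not Wicket's AuthenticatedWebSession. */
    abstract static class ModelSession {
        final AtomicInteger binds = new AtomicInteger();

        /** Constructed credential check: always succeeds, but takes 50 ms. */
        boolean authenticate(String user, String password) {
            try {
                Thread.sleep(50);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return false;
            }
            return true;
        }

        /** Stand-in for the bind step that session listeners react to. */
        void bind() {
            binds.incrementAndGet();
        }

        abstract boolean signIn(String user, String password);
    }

    /** Check-then-act on a volatile flag: visibility is guaranteed, atomicity is not. */
    static final class VolatileFlagSession extends ModelSession {
        private volatile boolean signedIn;

        @Override
        boolean signIn(String user, String password) {
            if (!signedIn) { // every caller that arrives before the first write passes
                boolean ok = authenticate(user, password);
                if (ok) {
                    bind();
                }
                signedIn = ok;
            }
            return signedIn;
        }
    }

    /** Same logic with the check, the authentication and the bind in one critical section. */
    static final class LockedSession extends ModelSession {
        private boolean signedIn; // guarded by "this"

        @Override
        synchronized boolean signIn(String user, String password) {
            if (!signedIn) {
                signedIn = authenticate(user, password);
                if (signedIn) {
                    bind();
                }
            }
            return signedIn;
        }
    }

    /** Releases all callers into signIn() together and returns how often bind() ran. */
    static int countBinds(ModelSession session, int threads) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch ready = new CountDownLatch(threads);
        CountDownLatch go = new CountDownLatch(1);
        for (int i = 0; i < threads; i++) {
            pool.submit(() -> {
                ready.countDown();
                try {
                    go.await();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
                session.signIn("user", "secret");
            });
        }
        ready.await();   // all workers are parked on the start gate
        go.countDown();  // open the gate so they race into signIn()
        pool.shutdown();
        if (!pool.awaitTermination(10, TimeUnit.SECONDS)) {
            throw new IllegalStateException("sign-in tasks did not finish in time");
        }
        return session.binds.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("volatile flag, bind() calls: "
                + countBinds(new VolatileFlagSession(), 10));
        System.out.println("locked, bind() calls: "
                + countBinds(new LockedSession(), 10));
    }
}
```

Holding the lock across the credential check serializes concurrent sign-ins on the same session, which is the trade-off this variant accepts.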


[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504462#comment-15504462
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit 91b9dbac3ad2b05e2e8c7fe47370ea193a4763b5 in wicket's branch 
refs/heads/master from Pedro Henrique Oliveira dos Santos
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=91b9dba ]

WICKET-6242 testing signIn method atomicity




[jira] [Resolved] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread Martin Grigorov (JIRA)

 [ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Martin Grigorov resolved WICKET-6242.
-
   Resolution: Fixed
Fix Version/s: 7.5.0
   8.0.0-M2



[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504463#comment-15504463
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit 5e1ced34e30135f3e46c9ab8cea1b8137f72ca8d in wicket's branch 
refs/heads/master from [~bitstorm]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=5e1ced3 ]

WICKET-6242 Improved synchronization for signIn. Added missing header license.




[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504461#comment-15504461
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit d1fc5d2cc3c1ef5da9d8569328fa96a8de4abbad in wicket's branch 
refs/heads/master from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=d1fc5d2 ]

WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

Unset signedIn to 'false' only if the authenticated has failed.




[2/4] wicket git commit: WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread mgrigorov
WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

Unset signedIn to 'false' only if the authenticated has failed.


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/d1fc5d2c
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/d1fc5d2c
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/d1fc5d2c

Branch: refs/heads/master
Commit: d1fc5d2cc3c1ef5da9d8569328fa96a8de4abbad
Parents: 4fdc817
Author: Martin Tzvetanov Grigorov 
Authored: Sat Sep 10 13:24:00 2016 +0200
Committer: Martin Tzvetanov Grigorov 
Committed: Mon Sep 19 21:38:34 2016 +0200

--
 .../authroles/authentication/AuthenticatedWebSession.java   | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/d1fc5d2c/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
--
diff --git 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
index 744811b..4e3851e 100644
--- 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
+++ 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
@@ -70,7 +70,10 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
{
bind();
}
-   signedIn.set(authenticated);
+   else
+   {
+   signedIn.set(false);
+   }
}
return signedIn.get();
}
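
Review bot: In the new else branch, signedIn is reset only when authentication returned false, and the success branch no longer writes the flag at all, so the method now depends on signedIn already being true before this block, which the hunk does not show. If that is the case, an exception thrown from bind() skips the else and leaves the flag at true for a session that never completed sign-in; consider resetting it in a finally block, and add a short comment at the else stating why the success path needs no write. The closing return signedIn.get() also re-reads shared state, so a caller can be handed another thread's result rather than its own.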



[3/4] wicket git commit: WICKET-6242 testing signIn method atomicity

2016-09-19 Thread mgrigorov
WICKET-6242 testing signIn method atomicity


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/91b9dbac
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/91b9dbac
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/91b9dbac

Branch: refs/heads/master
Commit: 91b9dbac3ad2b05e2e8c7fe47370ea193a4763b5
Parents: d1fc5d2
Author: Pedro Henrique Oliveira dos Santos 
Authored: Sat Sep 10 17:56:07 2016 -0300
Committer: Martin Tzvetanov Grigorov 
Committed: Mon Sep 19 21:40:20 2016 +0200

--
 .../AuthenticatedWebSessionTest.java| 90 
 1 file changed, 90 insertions(+)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/91b9dbac/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
--
diff --git 
a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
 
b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
new file mode 100644
index 000..c444d81
--- /dev/null
+++ 
b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
@@ -0,0 +1,90 @@
+package org.apache.wicket.authroles.authentication;
+
+import static java.util.Locale.getDefault;
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+import org.apache.wicket.Application;
+import org.apache.wicket.ThreadContext;
+import org.apache.wicket.authroles.authorization.strategies.role.Roles;
+import org.apache.wicket.request.Request;
+import org.apache.wicket.request.Response;
+import org.apache.wicket.session.ISessionStore;
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * @author Pedro Santos
+ */
+public class AuthenticatedWebSessionTest extends WicketTestCase {
+   private Request request;
+   private Response response;
+   private ISessionStore sessionStore;
+   private AuthenticatedWebSession session;
+
+   @Before
+   public void initialize() {
+   request = mock(Request.class);
+   response = mock(Response.class);
+   sessionStore = mock(ISessionStore.class);
+   when(request.getLocale()).thenReturn(getDefault());
+   session = new TestAuthenticatedWebSession(request);
+   }
+
+   @Test
+   public void shouldLookupForSessionOnce() throws InterruptedException {
+   ExecutorService executorService = 
Executors.newFixedThreadPool(10);
+   for (int i = 0; i < 10; i++)
+   executorService.submit(new 
SiginTask(tester.getApplication()));
+   executorService.shutdown();
+   executorService.awaitTermination(5, SECONDS);
+   // counting lookup calls since sesion.bind() is final
+   // TODO: test for bind calls itself
+   verify(sessionStore, times(1)).lookup(request);
+   }
+
+   class SiginTask implements Runnable {
+   Application application;
+
+   public SiginTask(Application application) {
+   this.application = application;
+   }
+
+   @Override
+   public void run() {
+   
ThreadContext.setRequestCycle(application.createRequestCycle(request, 
response));
+   session.signIn("user", "pass");
+   }
+
+   }
+
+   class TestAuthenticatedWebSession extends AuthenticatedWebSession {
+   private static final long serialVersionUID = 1L;
+
+   public TestAuthenticatedWebSession(Request request) {
+   super(request);
+   }
+
+   @Override
+   protected boolean authenticate(String username, String 
password) {
+   return true;
+   }
+
+   @Override
+   protected ISessionStore getSessionStore() {
+   return sessionStore;
+   }
+
+   @Override
+   public Roles getRoles() {
+   return null;
+   }
+   }
+}
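
Review bot: in shouldLookupForSessionOnce the boolean returned by `executorService.awaitTermination(5, SECONDS)` is ignored and the Futures returned by `submit` are dropped, so a timeout or an exception thrown inside `SiginTask.run()` never fails the test, and `verify(sessionStore, times(1)).lookup(request)` may run against unfinished work. Keep the futures, call `get()` on each, and assert that awaitTermination returned true. The test also covers only `authenticate` returning true; a second case with it returning false would pin down the reset of the flag. The new file has no ASF license header.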



[4/4] wicket git commit: WICKET-6242 Improved synchronization for signIn. Added missing header license.

2016-09-19 Thread mgrigorov
WICKET-6242 Improved synchronization for signIn. Added missing header license.


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/5e1ced34
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/5e1ced34
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/5e1ced34

Branch: refs/heads/master
Commit: 5e1ced34e30135f3e46c9ab8cea1b8137f72ca8d
Parents: 91b9dba
Author: Andrea Del Bene 
Authored: Tue Sep 13 12:37:59 2016 +0200
Committer: Martin Tzvetanov Grigorov 
Committed: Mon Sep 19 21:40:27 2016 +0200

--
 .../authentication/AuthenticatedWebSession.java | 14 --
 .../authentication/AuthenticatedWebSessionTest.java | 16 
 2 files changed, 20 insertions(+), 10 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/5e1ced34/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
--
diff --git 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
index 4e3851e..681236a 100644
--- 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
+++ 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
@@ -63,17 +63,11 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
 */
public final boolean signIn(final String username, final String 
password)
{
-   if (signedIn.compareAndSet(false, true))
+   boolean authenticated = authenticate(username, password);
+
+   if (authenticated && signedIn.compareAndSet(false, true))
{
-   boolean authenticated = authenticate(username, 
password);
-   if (authenticated)
-   {
-   bind();
-   }
-   else
-   {
-   signedIn.set(false);
-   }
+   bind();
}
return signedIn.get();
}
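
Review bot: with `authenticate` ahead of the `compareAndSet`, `return signedIn.get()` reports success for a call whose credentials were rejected whenever the session is already signed in (`authenticated` is false, the flag is still true from the earlier sign-in). A caller that uses the return value to decide whether this username and password were accepted is misled. Either return false when `authenticated` is false, or state in the javadoc that the result is the session state and not the outcome of this attempt.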

http://git-wip-us.apache.org/repos/asf/wicket/blob/5e1ced34/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
--
diff --git 
a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
 
b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
index c444d81..d91dd9d 100644
--- 
a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
+++ 
b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
@@ -1,3 +1,19 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.wicket.authroles.authentication;
 
 import static java.util.Locale.getDefault;



[1/4] wicket git commit: WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread mgrigorov
Repository: wicket
Updated Branches:
  refs/heads/master dbfe3461e -> 5e1ced34e


WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/4fdc8175
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/4fdc8175
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/4fdc8175

Branch: refs/heads/master
Commit: 4fdc8175cab0d842c7aeeb52366338ceaac250d9
Parents: dbfe346
Author: Martin Tzvetanov Grigorov 
Authored: Sat Sep 10 13:12:28 2016 +0200
Committer: Martin Tzvetanov Grigorov 
Committed: Mon Sep 19 21:38:11 2016 +0200

--
 .../authentication/AuthenticatedWebSession.java | 23 
 1 file changed, 14 insertions(+), 9 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/4fdc8175/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
--
diff --git 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
index a5df531..744811b 100644
--- 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
+++ 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
@@ -16,10 +16,11 @@
  */
 package org.apache.wicket.authroles.authentication;
 
+import java.util.concurrent.atomic.AtomicBoolean;
+
 import org.apache.wicket.Session;
 import org.apache.wicket.request.Request;
 
-
 /**
  * Basic authenticated web session. Subclasses must provide a method that 
authenticates the session
  * based on a username and password, and a method implementation that gets the 
Roles
@@ -39,7 +40,7 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
}
 
/** True when the user is signed in */
-   private volatile boolean signedIn;
+   private final AtomicBoolean signedIn = new AtomicBoolean(false);
 
/**
 * Construct.
@@ -62,12 +63,16 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
 */
public final boolean signIn(final String username, final String 
password)
{
-   signedIn = authenticate(username, password);
-   if (signedIn)
+   if (signedIn.compareAndSet(false, true))
{
-   bind();
+   boolean authenticated = authenticate(username, 
password);
+   if (authenticated)
+   {
+   bind();
+   }
+   signedIn.set(authenticated);
}
-   return signedIn;
+   return signedIn.get();
}
 
/**
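
Review bot: `signedIn.compareAndSet(false, true)` publishes the signed-in state before `authenticate(username, password)` has run, so for the whole duration of the credential check `isSignedIn()` returns true, bad credentials included; the flag is only corrected by the later `signedIn.set(authenticated)`. Authenticate first and use the compareAndSet only to guard `bind()`, or track "sign-in in progress" separately from the signed-in flag.
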
@@ -96,7 +101,7 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
 */
protected final void signIn(boolean value)
{
-   signedIn = value;
+   signedIn.set(value);
}
 
/**
@@ -105,7 +110,7 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
@Override
public final boolean isSignedIn()
{
-   return signedIn;
+   return signedIn.get();
}
 
/**
@@ -124,7 +129,7 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
@Override
public void invalidate()
{
-   signedIn = false;
+   signedIn.set(false);
super.invalidate();
}
 }
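
Review bot: `signedIn.set(false)` in invalidate() is not coordinated with an in-flight signIn. A thread that has already won the compareAndSet in signIn can still execute `signedIn.set(authenticated)` after this line, leaving the flag true on a session that was just invalidated. Guard both paths with the same lock, or document that invalidate() must not run concurrently with signIn.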



[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504417#comment-15504417
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit a384c6f75df0b13962b65a948d766f73b39e11ba in wicket's branch 
refs/heads/wicket-7.x from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=a384c6f ]

WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn


> Weak concurrency management in AuthenticatedWebSession#signedIn
> ---
>
> Key: WICKET-6242
> URL: https://issues.apache.org/jira/browse/WICKET-6242
> Project: Wicket
>  Issue Type: Bug
>  Components: wicket-auth-roles
>Affects Versions: 8.0.0-M1, 7.4.0
>Reporter: Martin Grigorov
>Assignee: Martin Grigorov
>
> Discussion at dev@: http://markmail.org/message/syo3m6hrf2ix55rz
> Currently [1] uses a volatile boolean "signedIn" to control the state.
> org.apache.wicket.authroles.authentication.panel.SignInPanel#onConfigure()
> tries to make use of it.
> IMO this implementation is a bit weak. There are big windows for this state to
> change in the meantime.
> Usually this shouldn't be a big problem, the application will authenticate
> the same user twice.
> But if the application does something in ISessionListener#onBind() then it
> becomes a problem [2].
> 1.
> https://github.com/apache/wicket/blob/master/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
> 2. https://issues.apache.org/jira/browse/ISIS-1481



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
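
The three signIn strategies that appear in this thread (the original volatile flag, compare-and-set before authenticating, and authenticating before the compare-and-set) can be compared under concurrent callers. The following Java program is an added example, not Wicket code: `SignInRaceDemo`, `Session`, `VolatileFlag`, `CasFirst`, `AuthThenCas` and the 50 ms delay are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration: every class and method name here is a hypothetical stand-in, not Wicket's API.
public class SignInRaceDemo {

    /** Stand-in for the session; counts how often credentials are checked and bind() runs. */
    abstract static class Session {
        final AtomicInteger authCalls = new AtomicInteger();
        final AtomicInteger bindCalls = new AtomicInteger();
        private final boolean credentialsValid;

        Session(boolean credentialsValid) { this.credentialsValid = credentialsValid; }

        boolean authenticate() {
            authCalls.incrementAndGet();
            try {
                Thread.sleep(50); // constructed delay standing in for a real credential check
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            return credentialsValid;
        }

        void bind() { bindCalls.incrementAndGet(); }

        abstract boolean signIn();
    }

    /** Shape of the code before 4fdc8175: volatile flag, check-then-act. */
    static class VolatileFlag extends Session {
        private volatile boolean signedIn;
        VolatileFlag(boolean valid) { super(valid); }
        @Override boolean signIn() {
            signedIn = authenticate();
            if (signedIn) { bind(); }
            return signedIn;
        }
    }

    /** Shape after 4fdc8175 and d1fc5d2c: flag is flipped first, credentials checked inside. */
    static class CasFirst extends Session {
        private final AtomicBoolean signedIn = new AtomicBoolean(false);
        CasFirst(boolean valid) { super(valid); }
        @Override boolean signIn() {
            if (signedIn.compareAndSet(false, true)) {
                if (authenticate()) { bind(); } else { signedIn.set(false); }
            }
            return signedIn.get(); // callers that lost the CAS read the in-progress 'true'
        }
    }

    /** Shape after 5e1ced34: credentials checked first, CAS only guards bind(). */
    static class AuthThenCas extends Session {
        private final AtomicBoolean signedIn = new AtomicBoolean(false);
        AuthThenCas(boolean valid) { super(valid); }
        @Override boolean signIn() {
            boolean authenticated = authenticate();
            if (authenticated && signedIn.compareAndSet(false, true)) { bind(); }
            return signedIn.get();
        }
    }

    /** Fires `threads` concurrent signIn() calls and summarises what happened. */
    static String run(Session session, int threads) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < threads; i++) {
            results.add(pool.submit(() -> {
                start.await(); // release all callers together
                return session.signIn();
            }));
        }
        start.countDown();
        int toldSignedIn = 0;
        for (Future<Boolean> result : results) {
            if (result.get()) { // get() also rethrows anything a task threw
                toldSignedIn++;
            }
        }
        pool.shutdown();
        return String.format("authenticate()=%d bind()=%d callers told 'signed in'=%d",
            session.authCalls.get(), session.bindCalls.get(), toldSignedIn);
    }

    public static void main(String[] args) throws Exception {
        for (boolean valid : new boolean[] {true, false}) {
            System.out.println("credentials valid = " + valid);
            System.out.println("  volatile flag : " + run(new VolatileFlag(valid), 10));
            System.out.println("  CAS first     : " + run(new CasFirst(valid), 10));
            System.out.println("  auth then CAS : " + run(new AuthThenCas(valid), 10));
        }
    }
}
```

The columns to compare are the bind() count with valid credentials (the duplicate session binding the issue is about) and the number of callers told 'signed in' with invalid credentials (the window in which the flag is true before the check has finished).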


[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504421#comment-15504421
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit 87fa748998a5c8e54df37d7ee119ede6b98db740 in wicket's branch 
refs/heads/wicket-7.x from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=87fa748 ]

Merge branch 'WICKET-6242-authenticate-once' into wicket-7.x




[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504418#comment-15504418
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit d5425534a568d0cc0d4c6749a8965af69f107b8e in wicket's branch 
refs/heads/wicket-7.x from [~mgrigorov]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=d542553 ]

WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

Unset signedIn to 'false' only if the authentication has failed.




[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504420#comment-15504420
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit 263e8c14476f9970d2ccfd8476f371149f2e2cb4 in wicket's branch 
refs/heads/wicket-7.x from [~bitstorm]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=263e8c1 ]

WICKET-6242 Improved synchronization for signIn. Added missing header license.




[jira] [Commented] (WICKET-6242) Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15504419#comment-15504419
 ] 

ASF subversion and git services commented on WICKET-6242:
-

Commit 56f947ee52e3b42e69481bac78838e6ec8325573 in wicket's branch 
refs/heads/wicket-7.x from Pedro Henrique Oliveira dos Santos
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=56f947e ]

WICKET-6242 testing signIn method atomicity




[2/5] wicket git commit: WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

2016-09-19 Thread mgrigorov
WICKET-6242 Weak concurrency management in AuthenticatedWebSession#signedIn

Unset signedIn to 'false' only if the authentication has failed.


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/d5425534
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/d5425534
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/d5425534

Branch: refs/heads/wicket-7.x
Commit: d5425534a568d0cc0d4c6749a8965af69f107b8e
Parents: a384c6f
Author: Martin Tzvetanov Grigorov 
Authored: Sat Sep 10 13:24:00 2016 +0200
Committer: Martin Tzvetanov Grigorov 
Committed: Sat Sep 10 13:24:00 2016 +0200

--
 .../authroles/authentication/AuthenticatedWebSession.java   | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/d5425534/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
--
diff --git 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
index c8058f5..f0b450c 100644
--- 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
+++ 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
@@ -70,7 +70,10 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
{
bind();
}
-   signedIn.set(authenticated);
+   else
+   {
+   signedIn.set(false);
+   }
}
return signedIn.get();
}
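
Review bot: `return signedIn.get()` after the guarded block is also what a caller that lost the compareAndSet receives, so while another thread is still authenticating, that caller gets `true` back without its own username and password ever being checked. The result stays wrong even if the winning thread then reaches the new `else` and resets the flag. Have each caller's result depend on its own authentication outcome, or make losing callers wait for the winner to finish before reading the flag.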



[4/5] wicket git commit: WICKET-6242 Improved synchronization for signIn. Added missing header license.

2016-09-19 Thread mgrigorov
WICKET-6242 Improved synchronization for signIn. Added missing header license.


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/263e8c14
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/263e8c14
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/263e8c14

Branch: refs/heads/wicket-7.x
Commit: 263e8c14476f9970d2ccfd8476f371149f2e2cb4
Parents: 56f947e
Author: Andrea Del Bene 
Authored: Tue Sep 13 12:37:59 2016 +0200
Committer: Andrea Del Bene 
Committed: Tue Sep 13 14:53:50 2016 +0200

--
 .../authentication/AuthenticatedWebSession.java | 14 --
 .../authentication/AuthenticatedWebSessionTest.java | 16 
 2 files changed, 20 insertions(+), 10 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/263e8c14/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
--
diff --git 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
index f0b450c..f11d718 100644
--- 
a/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
+++ 
b/wicket-auth-roles/src/main/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSession.java
@@ -63,17 +63,11 @@ public abstract class AuthenticatedWebSession extends 
AbstractAuthenticatedWebSe
 */
public final boolean signIn(final String username, final String 
password)
{
-   if (signedIn.compareAndSet(false, true))
+   boolean authenticated = authenticate(username, password);
+
+   if (authenticated && signedIn.compareAndSet(false, true))
{
-   boolean authenticated = authenticate(username, 
password);
-   if (authenticated)
-   {
-   bind();
-   }
-   else
-   {
-   signedIn.set(false);
-   }
+   bind();
}
return signedIn.get();
}
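
Review bot: `authenticate(username, password)` now sits outside the compareAndSet, so it runs on every signIn call, concurrently from several threads and also when the session is already signed in; only `bind()` is still executed once. The merged branch is named 'WICKET-6242-authenticate-once', which no longer matches this behaviour. State in the method's javadoc that subclass implementations of authenticate must be thread-safe and may be invoked repeatedly for the same session.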

http://git-wip-us.apache.org/repos/asf/wicket/blob/263e8c14/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
--
diff --git 
a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
 
b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
index c444d81..d91dd9d 100644
--- 
a/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
+++ 
b/wicket-auth-roles/src/test/java/org/apache/wicket/authroles/authentication/AuthenticatedWebSessionTest.java
@@ -1,3 +1,19 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.wicket.authroles.authentication;
 
 import static java.util.Locale.getDefault;



[5/5] wicket git commit: Merge branch 'WICKET-6242-authenticate-once' into wicket-7.x

2016-09-19 Thread mgrigorov
Merge branch 'WICKET-6242-authenticate-once' into wicket-7.x


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/87fa7489
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/87fa7489
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/87fa7489

Branch: refs/heads/wicket-7.x
Commit: 87fa748998a5c8e54df37d7ee119ede6b98db740
Parents: f2c165c 263e8c1
Author: Martin Tzvetanov Grigorov 
Authored: Mon Sep 19 21:31:24 2016 +0200
Committer: Martin Tzvetanov Grigorov 
Committed: Mon Sep 19 21:31:24 2016 +0200

--
 .../authentication/AuthenticatedWebSession.java |  16 +--
 .../AuthenticatedWebSessionTest.java| 106 +++
 2 files changed, 115 insertions(+), 7 deletions(-)
--




[jira] [Updated] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread Martijn Dashorst (JIRA)

 [ 
https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Martijn Dashorst updated WICKET-6245:
-
 Assignee: Martijn Dashorst
Affects Version/s: 6.20.0
   7.0.0
   6.21.0
   7.1.0
   7.2.0
   7.3.0
   8.0.0-M1
   6.22.0
   6.23.0
   7.4.0
   6.24.0
Fix Version/s: 7.5.0
   6.25.0
   8.0.0-M2
  Component/s: wicket

> Open up CsrfPreventionRequestCycleListener for extension
> 
>
> Key: WICKET-6245
> URL: https://issues.apache.org/jira/browse/WICKET-6245
> Project: Wicket
>  Issue Type: Bug
>  Components: wicket
>Affects Versions: 6.20.0, 7.0.0, 6.21.0, 7.1.0, 7.2.0, 7.3.0, 8.0.0-M1, 
> 6.22.0, 6.23.0, 7.4.0, 6.24.0
>Reporter: Martijn Dashorst
>Assignee: Martijn Dashorst
>Priority: Minor
> Fix For: 8.0.0-M2, 6.25.0, 7.5.0
>
>
> The design of the CsrfPreventionRequestCycleListener is such that it is open 
> for extension, but fails to provide the right hooks for implementors. We 
> should allow private methods to be called from event handlers, and allow 
> overriding of  several checkpoints in the API.





buildbot success in on wicket-master

2016-09-19 Thread buildbot
The Buildbot has detected a restored build on builder wicket-master while 
building wicket. Full details are available at:
https://ci.apache.org/builders/wicket-master/builds/499

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: hemera_ubuntu

Build Reason: The SingleBranchScheduler scheduler named 
'on-wicket-master-commit' triggered this build
Build Source Stamp: [branch master] dbfe3461e5caa4c6d9f2d65b248a1a3e42946d0b
Blamelist: Emond Papegaaij 

Build succeeded!

Sincerely,
 -The Buildbot





[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503523#comment-15503523
 ] 

ASF subversion and git services commented on WICKET-6245:
-

Commit f2c165cf994f60753016459ce0d94b3787f6727c in wicket's branch 
refs/heads/wicket-7.x from [~papegaaij]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=f2c165c ]

WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked


> Open up CsrfPreventionRequestCycleListener for extension
> 
>
> Key: WICKET-6245
> URL: https://issues.apache.org/jira/browse/WICKET-6245
> Project: Wicket
>  Issue Type: Bug
>Reporter: Martijn Dashorst
>Priority: Minor
>
> The design of the CsrfPreventionRequestCycleListener is such that it is open 
> for extension, but fails to provide the right hooks for implementors. We 
> should allow private methods to be called from event handlers, and allow 
> overriding of  several checkpoints in the API.





[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503522#comment-15503522
 ] 

ASF subversion and git services commented on WICKET-6245:
-

Commit 89a2aac8c6851ee03ada2ab0c71e8675d31e39d9 in wicket's branch 
refs/heads/wicket-6.x from [~papegaaij]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=89a2aac ]

WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked




[3/3] wicket git commit: WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked

2016-09-19 Thread papegaaij
WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/89a2aac8
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/89a2aac8
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/89a2aac8

Branch: refs/heads/wicket-6.x
Commit: 89a2aac8c6851ee03ada2ab0c71e8675d31e39d9
Parents: 3320821
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:38:32 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:38:49 2016 +0200

--
 .../protocol/http/CsrfPreventionRequestCycleListenerTest.java   | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/89a2aac8/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
--
diff --git 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
index 4dca4b8..4448175 100644
--- 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
+++ 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
@@ -78,13 +78,12 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
tester.assertRenderedPage(SecondPage.class);
}
 
-   /** Tests the default setting of allowing a missing Origin. */
+   /** Tests the default setting of aborting a missing Origin. */
@Test
public void withoutOriginAllowed()
{
tester.clickLink("link");
-   assertConflictingOriginsRequestAllowed();
-   tester.assertRenderedPage(SecondPage.class);
+   assertConflictingOriginsRequestAborted();
}
 
/** Tests the alternative action of suppressing a request without 
Origin header */
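
Review bot: the test method is still called `withoutOriginAllowed()` although its javadoc and body now assert that a request without Origin is aborted (`assertConflictingOriginsRequestAborted()`). Rename it, for example to `withoutOriginAborted()`, so the test report does not state the opposite of what is checked.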



[1/3] wicket git commit: WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked

2016-09-19 Thread papegaaij
Repository: wicket
Updated Branches:
  refs/heads/master 6c40c919f -> dbfe3461e
  refs/heads/wicket-6.x 332082134 -> 89a2aac8c
  refs/heads/wicket-7.x 5c345567c -> f2c165cf9


WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/f2c165cf
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/f2c165cf
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/f2c165cf

Branch: refs/heads/wicket-7.x
Commit: f2c165cf994f60753016459ce0d94b3787f6727c
Parents: 5c34556
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:38:32 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:38:32 2016 +0200

--
 .../protocol/http/CsrfPreventionRequestCycleListenerTest.java   | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/f2c165cf/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
--
diff --git 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
index beef761..3db62ab 100644
--- 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
+++ 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
@@ -78,13 +78,12 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
tester.assertRenderedPage(SecondPage.class);
}
 
-   /** Tests the default setting of allowing a missing Origin. */
+   /** Tests the default setting of aborting a missing Origin. */
@Test
public void withoutOriginAllowed()
{
tester.clickLink("link");
-   assertConflictingOriginsRequestAllowed();
-   tester.assertRenderedPage(SecondPage.class);
+   assertConflictingOriginsRequestAborted();
}
 
/** Tests the alternative action of suppressing a request without 
Origin header */
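Review bot: the missing-Origin case is verified with assertConflictingOriginsRequestAborted(), a helper whose name refers to the conflicting-origin path. If that helper does not also confirm that the no-origin handling was what fired, this test passes equally when the request is aborted for the wrong reason; a dedicated no-origin assertion would keep the two defaults separately covered.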



[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503521#comment-15503521
 ] 

ASF subversion and git services commented on WICKET-6245:
-

Commit dbfe3461e5caa4c6d9f2d65b248a1a3e42946d0b in wicket's branch 
refs/heads/master from [~papegaaij]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=dbfe346 ]

WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked


> Open up CsrfPreventionRequestCycleListener for extension
> 
>
> Key: WICKET-6245
> URL: https://issues.apache.org/jira/browse/WICKET-6245
> Project: Wicket
> Issue Type: Bug
> Reporter: Martijn Dashorst
> Priority: Minor
>
> The design of the CsrfPreventionRequestCycleListener is such that it is open 
> for extension, but fails to provide the right hooks for implementors. We 
> should allow private methods to be called from event handlers, and allow 
> overriding of several checkpoints in the API.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[2/3] wicket git commit: WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked

2016-09-19 Thread papegaaij
WICKET-6245: fix testcase to reflect change in behavior: no origin is blocked


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/dbfe3461
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/dbfe3461
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/dbfe3461

Branch: refs/heads/master
Commit: dbfe3461e5caa4c6d9f2d65b248a1a3e42946d0b
Parents: 6c40c91
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:38:32 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:38:44 2016 +0200

--
 .../protocol/http/CsrfPreventionRequestCycleListenerTest.java   | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/dbfe3461/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
--
diff --git 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
index beef761..3db62ab 100644
--- 
a/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
+++ 
b/wicket-core/src/test/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListenerTest.java
@@ -78,13 +78,12 @@ public class CsrfPreventionRequestCycleListenerTest extends 
WicketTestCase
tester.assertRenderedPage(SecondPage.class);
}
 
-   /** Tests the default setting of allowing a missing Origin. */
+   /** Tests the default setting of aborting a missing Origin. */
@Test
public void withoutOriginAllowed()
{
tester.clickLink("link");
-   assertConflictingOriginsRequestAllowed();
-   tester.assertRenderedPage(SecondPage.class);
+   assertConflictingOriginsRequestAborted();
}
 
/** Tests the alternative action of suppressing a request without 
Origin header */
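Review bot: removing tester.assertRenderedPage(SecondPage.class) in withoutOriginAllowed() leaves the test without any statement about what the client ends up with after the click. Consider asserting the outcome explicitly (that SecondPage was not rendered, or the error status that was returned) next to assertConflictingOriginsRequestAborted(). The new Javadoc would also read better as "aborting a request with a missing Origin".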



buildbot failure in on wicket-branch-7.x

2016-09-19 Thread buildbot
The Buildbot has detected a new failure on builder wicket-branch-7.x while 
building wicket. Full details are available at:
https://ci.apache.org/builders/wicket-branch-7.x/builds/276

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: hemera_ubuntu

Build Reason: The SingleBranchScheduler scheduler named 
'on-wicket-branch-7.x-commit' triggered this build
Build Source Stamp: [branch wicket-7.x] 5c345567c75b3cc1f7e4cce6dcf3e692870b4823
Blamelist: Emond Papegaaij 

BUILD FAILED: failed compile

Sincerely,
 -The Buildbot





buildbot failure in on wicket-branch-6.x

2016-09-19 Thread buildbot
The Buildbot has detected a new failure on builder wicket-branch-6.x while 
building wicket. Full details are available at:
https://ci.apache.org/builders/wicket-branch-6.x/builds/166

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: hemera_ubuntu

Build Reason: The SingleBranchScheduler scheduler named 
'on-wicket-branch-6.x-commit' triggered this build
Build Source Stamp: [branch wicket-6.x] 3320821343f7957a4850f2d9b61ab18eec55fa62
Blamelist: Emond Papegaaij 

BUILD FAILED: failed compile

Sincerely,
 -The Buildbot





buildbot failure in on wicket-master

2016-09-19 Thread buildbot
The Buildbot has detected a new failure on builder wicket-master while building 
wicket. Full details are available at:
https://ci.apache.org/builders/wicket-master/builds/498

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: hemera_ubuntu

Build Reason: The SingleBranchScheduler scheduler named 
'on-wicket-master-commit' triggered this build
Build Source Stamp: [branch master] 6c40c919f54fce610c584b9e4ec7925c14a5a19b
Blamelist: Emond Papegaaij 

BUILD FAILED: failed compile

Sincerely,
 -The Buildbot





[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503494#comment-15503494
 ] 

ASF subversion and git services commented on WICKET-6245:
-

Commit 3320821343f7957a4850f2d9b61ab18eec55fa62 in wicket's branch 
refs/heads/wicket-6.x from [~papegaaij]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=3320821 ]

WICKET-6245: open up CsrfPreventionRequestCycleListener for extension


> Open up CsrfPreventionRequestCycleListener for extension
> 
>
> Key: WICKET-6245
> URL: https://issues.apache.org/jira/browse/WICKET-6245
> Project: Wicket
> Issue Type: Bug
> Reporter: Martijn Dashorst
> Priority: Minor
>
> The design of the CsrfPreventionRequestCycleListener is such that it is open 
> for extension, but fails to provide the right hooks for implementors. We 
> should allow private methods to be called from event handlers, and allow 
> overriding of several checkpoints in the API.





[3/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread papegaaij
WICKET-6245: open up CsrfPreventionRequestCycleListener for extension


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/33208213
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/33208213
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/33208213

Branch: refs/heads/wicket-6.x
Commit: 3320821343f7957a4850f2d9b61ab18eec55fa62
Parents: 52f0b8a
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:26:57 2016 +0200

--
 .../CsrfPreventionRequestCycleListener.java | 188 +++
 1 file changed, 114 insertions(+), 74 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/33208213/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 3e81252..a3f8320 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
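Review bot: the added import of org.apache.wicket.protocol.http.WebApplication is redundant, because CsrfPreventionRequestCycleListener.java lives in that same package (see the file path in the diff header). Drop the line; same-package imports only add noise and tend to trip unused-import checks.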
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
HTTP header for cross
- * domain requests. By default only checks requests that try to perform an 
action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests 
that try to perform an
+ * action on a component, such as a form submit, or link click.
  * 
  * Installation
  * 
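Review bot: the class Javadoc now says both the Origin and Referer headers are checked, but it does not say how they relate. State whether Referer is consulted only when Origin is absent or whether both must match, and what happens when the two are present and disagree, since implementors extending this class need that to reason about which requests get through.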
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  * 
  * Configuration
  * 
- * A missing {@code Origin} HTTP header is (by default) handled as if it were 
a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
- * different value, suppressing or aborting the request when the {@code 
Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but 
doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD 
REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} 
this specific action.
  * 
- * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting 
origin action. You can
- * customize what happens in those actions by overriding the respective {@code 
on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if 
it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers 
are missing.
  * 
- * When the {@code Origin} HTTP header is present but doesn't match the 
requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the 
request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific 
action.
+ * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin 
action. You can customize
+ * what happens in those actions by overriding the respective {@code on} 
methods.
  * 
  * When you want to accept certain cross domain request from a range of hosts, 
you can
  * {@link #addAcceptedOrigin(String) whitelist those domains}.
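Review bot: the Configuration paragraph flips the default for missing headers from "a good request and accepted" to "a bad request and rejected", and this commit targets refs/heads/wicket-6.x, an existing branch. Applications that pick this up without changing their configuration will start rejecting requests from clients that send neither header, so the Javadoc should name the previous default and point at setNoOriginAction(CsrfAction) as the way to restore it.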
@@ -96,7 +97,7 @@ import org.slf4j.LoggerFactory;
  * {@link #isChecked(IRequestHandler)} to customize this behavior.
  * 
  * 
- * You can override the 

[jira] [Commented] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6245?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15503495#comment-15503495
 ] 

ASF subversion and git services commented on WICKET-6245:
-

Commit 5c345567c75b3cc1f7e4cce6dcf3e692870b4823 in wicket's branch 
refs/heads/wicket-7.x from [~papegaaij]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=5c34556 ]

WICKET-6245: open up CsrfPreventionRequestCycleListener for extension


> Open up CsrfPreventionRequestCycleListener for extension
> 
>
> Key: WICKET-6245
> URL: https://issues.apache.org/jira/browse/WICKET-6245
> Project: Wicket
> Issue Type: Bug
> Reporter: Martijn Dashorst
> Priority: Minor
>
> The design of the CsrfPreventionRequestCycleListener is such that it is open 
> for extension, but fails to provide the right hooks for implementors. We 
> should allow private methods to be called from event handlers, and allow 
> overriding of several checkpoints in the API.





[2/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread papegaaij
WICKET-6245: open up CsrfPreventionRequestCycleListener for extension


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/6c40c919
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/6c40c919
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/6c40c919

Branch: refs/heads/master
Commit: 6c40c919f54fce610c584b9e4ec7925c14a5a19b
Parents: c04f2b0
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:25:21 2016 +0200

--
 .../CsrfPreventionRequestCycleListener.java | 182 +++
 1 file changed, 111 insertions(+), 71 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/6c40c919/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index a2bf124..ce03862 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
HTTP header for cross
- * domain requests. By default only checks requests that try to perform an 
action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests 
that try to perform an
+ * action on a component, such as a form submit, or link click.
  * 
  * Installation
  * 
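Review bot: the opening sentence treats Origin and Referer as interchangeable, but Referer carries a full URL while Origin carries only scheme, host and port. The Javadoc should say which part of the Referer value is compared against the requested URL, otherwise "doesn't match" in the Configuration section below is open to interpretation.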
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  * 
  * Configuration
  * 
- * A missing {@code Origin} HTTP header is (by default) handled as if it were 
a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
- * different value, suppressing or aborting the request when the {@code 
Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but 
doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD 
REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} 
this specific action.
  * 
- * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting 
origin action. You can
- * customize what happens in those actions by overriding the respective {@code 
on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if 
it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers 
are missing.
  * 
- * When the {@code Origin} HTTP header is present but doesn't match the 
requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the 
request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific 
action.
+ * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin 
action. You can customize
+ * what happens in those actions by overriding the respective {@code on} 
methods.
  * 
  * When you want to accept certain cross domain request from a range of hosts, 
you can
  * {@link #addAcceptedOrigin(String) whitelist those domains}.
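Review bot: "A missing {@code Origin} and {@code Referer} HTTP header is handled as if it were a bad request" is ambiguous about whether the no-origin action fires when both headers are absent or when either one is. Since this sentence documents the condition that rejects a request by default, spell it out, for example "When both the Origin and the Referer header are missing, the request is ...".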
@@ -96,7 +97,7 @@ import org.slf4j.LoggerFactory;
  * {@link #isChecked(IRequestHandler)} to customize this behavior.
  * 
  * 
- * You can override the default 

[1/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread papegaaij
Repository: wicket
Updated Branches:
  refs/heads/master c04f2b00b -> 6c40c919f
  refs/heads/wicket-6.x 52f0b8afa -> 332082134
  refs/heads/wicket-7.x 47bc8a8d7 -> 5c345567c


WICKET-6245: open up CsrfPreventionRequestCycleListener for extension


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/5c345567
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/5c345567
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/5c345567

Branch: refs/heads/wicket-7.x
Commit: 5c345567c75b3cc1f7e4cce6dcf3e692870b4823
Parents: 47bc8a8
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:24:57 2016 +0200

--
 .../CsrfPreventionRequestCycleListener.java | 182 +++
 1 file changed, 111 insertions(+), 71 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/5c345567/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 73cebee..4025e7e 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
HTTP header for cross
- * domain requests. By default only checks requests that try to perform an 
action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests 
that try to perform an
+ * action on a component, such as a form submit, or link click.
  * 
  * Installation
  * 
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  * 
  * Configuration
  * 
- * A missing {@code Origin} HTTP header is (by default) handled as if it were 
a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
- * different value, suppressing or aborting the request when the {@code 
Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but 
doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD 
REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} 
this specific action.
  * 
- * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting 
origin action. You can
- * customize what happens in those actions by overriding the respective {@code 
on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if 
it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers 
are missing.
  * 
- * When the {@code Origin} HTTP header is present but doesn't match the 
requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the 
request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific 
action.
+ * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin 
action. You can customize
+ * what happens in those actions by overriding the respective {@code on} 
methods.
  * 
  * When you want to accept certain cross domain request from a range of hosts, 
you can
  * {@link #addAcceptedOrigin(String) 
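Review bot: in the Configuration paragraph an Origin header with the value null moves from the conflicting origin action to the no origin action. A deployment that calls setNoOriginAction(CsrfAction) to allow requests without headers will therefore also accept Origin: null requests, which were previously handled as conflicting. The Javadoc should state this coupling explicitly, or the null case should keep its own configurable action.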

[jira] [Created] (WICKET-6245) Open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread Martijn Dashorst (JIRA)
Martijn Dashorst created WICKET-6245:


 Summary: Open up CsrfPreventionRequestCycleListener for extension
 Key: WICKET-6245
 URL: https://issues.apache.org/jira/browse/WICKET-6245
 Project: Wicket
  Issue Type: Bug
Reporter: Martijn Dashorst
Priority: Minor


The design of the CsrfPreventionRequestCycleListener is such that it is open 
for extension, but fails to provide the right hooks for implementors. We should 
allow private methods to be called from event handlers, and allow overriding of 
several checkpoints in the API.


