wicket git commit: WICKET-6245 Open up CsrfPreventionRequestCycleListener for extension

2016-09-20 Thread mgrigorov
Repository: wicket
Updated Branches:
  refs/heads/master c819c6c4c -> 247619ab1


WICKET-6245 Open up CsrfPreventionRequestCycleListener for extension

Wrap a debug logging in LOG.isDebugEnabled()


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/247619ab
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/247619ab
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/247619ab

Branch: refs/heads/master
Commit: 247619ab176c64acc3d07adcc45725e019e11a62
Parents: c819c6c
Author: Martin Tzvetanov Grigorov 
Authored: Tue Sep 20 22:07:37 2016 +0200
Committer: Martin Tzvetanov Grigorov 
Committed: Tue Sep 20 22:07:37 2016 +0200

--
 .../protocol/http/CsrfPreventionRequestCycleListener.java| 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/247619ab/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index ce03862..e6b61dc 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,6 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
-import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
 import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
@@ -358,8 +357,11 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
}
else
{
-   log.debug("Targeted page {} was opted out of 
the CSRF origin checks, allowed",
-   targetedPage.getClass().getName());
+   if (log.isDebugEnabled())
+   {
+   log.debug("Targeted page {} was opted 
out of the CSRF origin checks, allowed",
+   
targetedPage.getClass().getName());
+   }
allowHandler(containerRequest, sourceUri, 
targetedPage);
}
}
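Review bot: The `log.isDebugEnabled()` guard added in the else branch saves only the `targetedPage.getClass().getName()` call, because the `{}` placeholder already defers message formatting, so the reason for the guard should be written down or a later cleanup is likely to remove it. A one-line comment above the `if` would do, for example `// guard avoids the getClass().getName() call when debug logging is off`. The enclosing method starts outside the hunk. The identical hunk in the wicket-7.x commit further down this page has the same gap.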



wicket git commit: WICKET-6245 Open up CsrfPreventionRequestCycleListener for extension

2016-09-20 Thread mgrigorov
Repository: wicket
Updated Branches:
  refs/heads/wicket-7.x 2c570edf0 -> 6cd10f970


WICKET-6245 Open up CsrfPreventionRequestCycleListener for extension

Wrap a debug logging in LOG.isDebugEnabled()


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/6cd10f97
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/6cd10f97
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/6cd10f97

Branch: refs/heads/wicket-7.x
Commit: 6cd10f970d49ee1cd275c5038aa3c58c9738efaf
Parents: 2c570ed
Author: Martin Tzvetanov Grigorov 
Authored: Tue Sep 20 22:07:37 2016 +0200
Committer: Martin Tzvetanov Grigorov 
Committed: Tue Sep 20 22:08:42 2016 +0200

--
 .../protocol/http/CsrfPreventionRequestCycleListener.java| 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/6cd10f97/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 4025e7e..72fa4ee 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,6 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
-import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
 import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
@@ -358,8 +357,11 @@ public class CsrfPreventionRequestCycleListener extends 
AbstractRequestCycleList
}
else
{
-   log.debug("Targeted page {} was opted out of 
the CSRF origin checks, allowed",
-   targetedPage.getClass().getName());
+   if (log.isDebugEnabled())
+   {
+   log.debug("Targeted page {} was opted 
out of the CSRF origin checks, allowed",
+   
targetedPage.getClass().getName());
+   }
allowHandler(containerRequest, sourceUri, 
targetedPage);
}
}



[3/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread papegaaij
WICKET-6245: open up CsrfPreventionRequestCycleListener for extension


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/33208213
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/33208213
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/33208213

Branch: refs/heads/wicket-6.x
Commit: 3320821343f7957a4850f2d9b61ab18eec55fa62
Parents: 52f0b8a
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:26:57 2016 +0200

--
 .../CsrfPreventionRequestCycleListener.java | 188 +++
 1 file changed, 114 insertions(+), 74 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/33208213/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 3e81252..a3f8320 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
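Review bot: The added `import org.apache.wicket.protocol.http.WebApplication;` names a class in the file's own package, going by the path `org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java`, so the import is redundant and can be deleted. The same line is added in the [2/3] master and [1/3] wicket-7.x commits on this page. The 2016-09-20 follow-up commits shown above remove it on master and wicket-7.x, but no matching removal for wicket-6.x is visible here.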
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
HTTP header for cross
- * domain requests. By default only checks requests that try to perform an 
action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests 
that try to perform an
+ * action on a component, such as a form submit, or link click.
  * 
  * Installation
  * 
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  * 
  * Configuration
  * 
- * A missing {@code Origin} HTTP header is (by default) handled as if it were 
a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
- * different value, suppressing or aborting the request when the {@code 
Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but 
doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD 
REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} 
this specific action.
  * 
- * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting 
origin action. You can
- * customize what happens in those actions by overriding the respective {@code 
on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if 
it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers 
are missing.
  * 
- * When the {@code Origin} HTTP header is present but doesn't match the 
requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the 
request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific 
action.
+ * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin 
action. You can customize
+ * what happens in those actions by overriding the respective {@code on} 
methods.
  * 
  * When you want to accept certain cross domain request from a range of hosts, 
you can
  * {@link #addAcceptedOrigin(String) whitelist those domains}.
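Review bot: Routing an `Origin` of `null` to the no origin action, as the rewritten Configuration paragraph states, ties two different cases to one setting. A deployment that relaxes `setNoOriginAction(CsrfAction)` to accept requests without headers would, by this text, also accept requests carrying an explicit `null` origin, which the same paragraph calls a "privacy-sensitive" context. The Javadoc should say so, for example ` * Note that allowing the no origin action also allows requests whose {@code Origin} is {@code null}.` Only the Javadoc is visible in this hunk, so the wording should be confirmed against the method bodies. The same hunk appears in the [2/3] master and [1/3] wicket-7.x commits further down.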
@@ -96,7 +97,7 @@ import org.slf4j.LoggerFactory;
  * {@link #isChecked(IRequestHandler)} to customize this behavior.
  * 
  * 
- * You can override the 

[2/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread papegaaij
WICKET-6245: open up CsrfPreventionRequestCycleListener for extension


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/6c40c919
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/6c40c919
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/6c40c919

Branch: refs/heads/master
Commit: 6c40c919f54fce610c584b9e4ec7925c14a5a19b
Parents: c04f2b0
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:25:21 2016 +0200

--
 .../CsrfPreventionRequestCycleListener.java | 182 +++
 1 file changed, 111 insertions(+), 71 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/6c40c919/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index a2bf124..ce03862 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
HTTP header for cross
- * domain requests. By default only checks requests that try to perform an 
action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests 
that try to perform an
+ * action on a component, such as a form submit, or link click.
  * 
  * Installation
  * 
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  * 
  * Configuration
  * 
- * A missing {@code Origin} HTTP header is (by default) handled as if it were 
a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
- * different value, suppressing or aborting the request when the {@code 
Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but 
doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD 
REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} 
this specific action.
  * 
- * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting 
origin action. You can
- * customize what happens in those actions by overriding the respective {@code 
on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if 
it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers 
are missing.
  * 
- * When the {@code Origin} HTTP header is present but doesn't match the 
requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the 
request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific 
action.
+ * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin 
action. You can customize
+ * what happens in those actions by overriding the respective {@code on} 
methods.
  * 
  * When you want to accept certain cross domain request from a range of hosts, 
you can
  * {@link #addAcceptedOrigin(String) whitelist those domains}.
@@ -96,7 +97,7 @@ import org.slf4j.LoggerFactory;
  * {@link #isChecked(IRequestHandler)} to customize this behavior.
  * 
  * 
- * You can override the default 

[1/3] wicket git commit: WICKET-6245: open up CsrfPreventionRequestCycleListener for extension

2016-09-19 Thread papegaaij
Repository: wicket
Updated Branches:
  refs/heads/master c04f2b00b -> 6c40c919f
  refs/heads/wicket-6.x 52f0b8afa -> 332082134
  refs/heads/wicket-7.x 47bc8a8d7 -> 5c345567c


WICKET-6245: open up CsrfPreventionRequestCycleListener for extension


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/5c345567
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/5c345567
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/5c345567

Branch: refs/heads/wicket-7.x
Commit: 5c345567c75b3cc1f7e4cce6dcf3e692870b4823
Parents: 47bc8a8
Author: Emond Papegaaij 
Authored: Mon Sep 19 15:24:57 2016 +0200
Committer: Emond Papegaaij 
Committed: Mon Sep 19 15:24:57 2016 +0200

--
 .../CsrfPreventionRequestCycleListener.java | 182 +++
 1 file changed, 111 insertions(+), 71 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/wicket/blob/5c345567/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
--
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
index 73cebee..4025e7e 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.java
@@ -27,7 +27,9 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.core.request.handler.IPageRequestHandler;
 import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.request.IRequestHandler;
+import org.apache.wicket.request.IRequestHandlerDelegate;
 import org.apache.wicket.request.component.IRequestablePage;
 import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
 import org.apache.wicket.request.cycle.IRequestCycleListener;
@@ -39,9 +41,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
HTTP header for cross
- * domain requests. By default only checks requests that try to perform an 
action on a component,
- * such as a form submit, or link click.
+ * Prevents CSRF attacks on Wicket components by checking the {@code Origin} 
and {@code Referer}
+ * HTTP headers for cross domain requests. By default only checks requests 
that try to perform an
+ * action on a component, such as a form submit, or link click.
  * 
  * Installation
  * 
@@ -60,18 +62,17 @@ import org.slf4j.LoggerFactory;
  * 
  * Configuration
  * 
- * A missing {@code Origin} HTTP header is (by default) handled as if it were 
a good request and
- * accepted. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
- * different value, suppressing or aborting the request when the {@code 
Origin} HTTP header is
- * missing.
+ * When the {@code Origin} or {@code Referer} HTTP header is present but 
doesn't match the requested
+ * URL this listener will by default throw a HTTP error ( {@code 400 BAD 
REQUEST}) and abort the
+ * request. You can {@link #setConflictingOriginAction(CsrfAction) configure} 
this specific action.
  * 
- * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
- * be from a "privacy-sensitive" context and will trigger the conflicting 
origin action. You can
- * customize what happens in those actions by overriding the respective {@code 
on} methods.
+ * A missing {@code Origin} and {@code Referer} HTTP header is handled as if 
it were a bad request
+ * and rejected. You can {@link #setNoOriginAction(CsrfAction) configure the 
specific action} to a
+ * different value, suppressing or allowing the request when the HTTP headers 
are missing.
  * 
- * When the {@code Origin} HTTP header is present but doesn't match the 
requested URL this listener
- * will by default throw a HTTP error ( {@code 400 BAD REQUEST}) and abort the 
request. You can
- * {@link #setConflictingOriginAction(CsrfAction) configure} this specific 
action.
+ * When the {@code Origin} HTTP header is present and has the value {@code 
null} it is considered to
+ * be from a "privacy-sensitive" context and will trigger the no origin 
action. You can customize
+ * what happens in those actions by overriding the respective {@code on} 
methods.
  * 
  * When you want to accept certain cross domain request from a range of hosts, 
you can
  * {@link #addAcceptedOrigin(String)