Re: Restrict wicket/bookmarkable

2016-05-05 Thread Илья Нарыжный
Martin,

Done: https://issues.apache.org/jira/browse/WICKET-6161

Thank you!

2016-05-04 23:38 GMT-07:00 Martin Grigorov:
> Hi Ilia,
>
> Please create a ticket so we don't forget it!
> Thanks!
>
> Martin Grigorov
> Wicket Training and Consulting
>

Re: Restrict wicket/bookmarkable

2016-05-05 Thread Martin Grigorov
Hi Ilia,

Please create a ticket so we don't forget it!
Thanks!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, May 4, 2016 at 7:32 PM, Илья Нарыжный wrote:
> For now I just removed BookmarkableMapper. Everything works. But it seems
> to me

Re: Restrict wicket/bookmarkable

2016-05-04 Thread Илья Нарыжный
For now I just removed BookmarkableMapper. Everything works. But it seems to me that some cases might go wrong... And as a side effect: hrefs to pages without mounts are just empty. Probably I would expect some other behavior if a URL can't be resolved for a page.

Thanks,
Ilia

On May 4, 2016 6:54 AM,

Re: Restrict wicket/bookmarkable

2016-05-04 Thread Martin Grigorov
On Wed, May 4, 2016 at 3:27 PM, Sven Meier wrote:
> Hi,
>
> well, it seems I wasn't completely out of my mind when I pushed for
> WICKET-5094:
> - I've checked 1.4 and the logic of #enforceMounts was exactly like it is
> now
> - the javadoc for #setEnforceMounts() matches the

Re: Restrict wicket/bookmarkable

2016-05-04 Thread Sven Meier
Hi,

well, it seems I wasn't completely out of my mind when I pushed for WICKET-5094:
- I've checked 1.4 and the logic of #enforceMounts was exactly like it is now
- the javadoc for #setEnforceMounts() matches the current behavior: "Sets whether mounts should be enforced. If true, requests

Re: Restrict wicket/bookmarkable

2016-05-04 Thread Martin Grigorov
Hi,

I also think the current behavior is not correct. See my question at http://markmail.org/message/xmo74m3tbc5v4nwp.

I read the name of the method "enforceMounts" as "do not allow urls to page which are not explicitly mounted". I believe also this is the reason this method is in

Re: Restrict wicket/bookmarkable

2016-05-03 Thread Илья Нарыжный
Martin,

Checked this issue: https://issues.apache.org/jira/browse/WICKET-5094

Absolutely disagree with the discussed behavior. It's meaningless to prevent accessing /wicket/bookmarkable/ only if there is a mount point for that page. Please help to find consensus. In my case it's a real security hole.

Re: Restrict wicket/bookmarkable

2016-05-03 Thread Илья Нарыжный
Martin,

Just checked: it doesn't work as expected. It seems that this code doesn't work as it was assumed:

BookmarkableMapper.java

    if (application.getSecuritySettings().getEnforceMounts()) {
        // we make an exception if the homepage itself was mounted, see WICKET-1898
        if

Re: Restrict wicket/bookmarkable

2016-05-03 Thread Илья Нарыжный
Thank you Martin! I did know that there should be an easier way to do that, but was not able to find it :)

Regards,
Ilia

2016-05-03 0:06 GMT-07:00 Martin Grigorov:
> Hi,
>
> I always thought
> that org.apache.wicket.settings.SecuritySettings#getEnforceMounts() is for
>

Re: Restrict wicket/bookmarkable

2016-05-03 Thread Martin Grigorov
Hi,

I always thought that org.apache.wicket.settings.SecuritySettings#getEnforceMounts() is for this. Also its javadoc seems to say that. But there were some changes to its behavior after which I am no longer sure what exactly it does :-/

Martin Grigorov
Wicket Training and Consulting

Re: Restrict wicket/bookmarkable

2016-05-03 Thread Илья Нарыжный
Yea - that's possible. Even instrumentation is possible, but probably this problem is somehow solved already in Wicket.

I would briefly summarize the problem like: Wicket allows directly addressing bookmarkable pages from 3rd party libraries without a good way to manage accessibility. Potentially it

Re: Restrict wicket/bookmarkable

2016-05-02 Thread Ernesto Reinaldo Barreiro
Use component instantiation listener?

On Tue, May 3, 2016 at 3:17 AM, Илья Нарыжный wrote:
> Hello,
>
> Is there a good way to restrict accessing bookmarkable pages through
> /wicket/bookmarkable URL?
>
> Use case: there is ability in our software (http://orienteer.org)
>

Restrict wicket/bookmarkable

2016-05-02 Thread Илья Нарыжный
Hello,

Is there a good way to restrict accessing bookmarkable pages through the /wicket/bookmarkable URL?

Use case: there is an ability in our software (http://orienteer.org) to dynamically enable or disable a module with Development utils. This module of course uses wicket-devutils, but nevertheless fact that