Re: WebSocket close is being called if AjaxDownloader is used

2016-11-08 Thread Maxim Solodovnik
Hello Martin,

sorry for the delay

here is the repo: https://github.com/solomax/wicket-ajax-download
here is the commit with the ajax-download-via-iframe implementation:
https://github.com/solomax/wicket-ajax-download/commit/407936d6f506aa047d9a12a3ecb7aa6c866eb052

Looking forward to your comments :)

On Wed, Nov 9, 2016 at 5:02 AM, Martin Grigorov  wrote:
> Hi Maxim,
>
> Do you have progress on this ?
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Thu, Nov 3, 2016 at 9:46 AM, Maxim Solodovnik 
> wrote:
>
>> I was hoping to get answer like: in 7.x you should use .xxx :)))
>> Going to create example on github and will send it for review :)
>>
>> On Thu, Nov 3, 2016 at 3:43 PM, Martin Grigorov 
>> wrote:
>>
>> > On Thu, Nov 3, 2016 at 9:40 AM, Maxim Solodovnik 
>> > wrote:
>> >
>> > > It seems iframe is the only option :(((
>> > >
>> >
>> > Why so sad ?
>> > iframe is a good option
>> >
>> >
>> > > here is the JS plugin wrapping this idea:
>> > > http://johnculviner.com/jquery-file-download-plugin-for-ajax-like-feature-rich-file-downloads/
>> > > going to perform additional search
>> > >
>> > > Thanks for the idea!
>> > >
>> > > On Thu, Nov 3, 2016 at 3:36 PM, Ernesto Reinaldo Barreiro <
>> > > reier...@gmail.com> wrote:
>> > >
>> > > > or maybe use a hidden iframe to trigger download...
>> > > >
>> > > > On Thu, Nov 3, 2016 at 9:28 AM, Ernesto Reinaldo Barreiro <
>> > > > reier...@gmail.com> wrote:
>> > > >
>> > > > > I do not know if this is possible but
>> > > > >
>> > > > > 1- Open a new tab
>> > > > > 2- Set location to download URL
>> > > > > 3- Close the new tab
>> > > > >
>> > > > > That way (maybe) page does not close WebSocket connection. It would still
>> > > > > be "AJAX"...
>> > > > >
>> > > > >
>> > > > > On Thu, Nov 3, 2016 at 9:04 AM, Maxim Solodovnik <
>> > solomax...@gmail.com
>> > > >
>> > > > > wrote:
>> > > > >
>> > > > >> I'm afraid It would be not really Ajax .
>> > > > >>
>> > > > >> On Thu, Nov 3, 2016 at 3:03 PM, Ernesto Reinaldo Barreiro <
>> > > > >> reier...@gmail.com> wrote:
>> > > > >>
>> > > > >> > maybe open a second browser tab and do the download there...
>> > > > >> >
>> > > > >> > On Thu, Nov 3, 2016 at 8:51 AM, Maxim Solodovnik <
>> > > > solomax...@gmail.com>
>> > > > >> > wrote:
>> > > > >> >
>> > > > >> > > I'll try to create quick-start ASAP
>> > > > >> > >
>> > > > >> > > On Thu, Nov 3, 2016 at 2:51 PM, Maxim Solodovnik <
>> > > > >> solomax...@gmail.com>
>> > > > >> > > wrote:
>> > > > >> > >
>> > > > >> > > > AjaxDownload was for wicket 1.5.x (or maybe 6.x)
>> > > > >> > > > maybe it can be enhanced to work without unload?
>> > > > >> > > >
>> > > > >> > > > On Thu, Nov 3, 2016 at 2:46 PM, Sven Meier wrote:
>> > > > >> > > >
>> > > > >> > > >> AjaxDownload changes the window location - the browser probably prepares
>> > > > >> > > >> unloading of the page, before opening the attached download in a separate
>> > > > >> > > >> window.
>> > > > >> > > >>
>> > > > >> > > >> Sven
>> > > > >> > > >>
>> > > > >> > > >>
>> > > > >> > > >>
>> > > > >> > > >> Am 03.11.2016 um 08:33 schrieb Martin Grigorov:
>> > > > >> > > >>
>> > > > >> > > >>> Hi Maxim,
>> > > > >> > > >>>
>> > > > >> > > >>> I don't see any relation between those.
>> > > > >> > > >>> If it is easy to reproduce please create a quickstart.
>> > > > >> > > >>>
>> > > > >> > > >>> Martin Grigorov
>> > > > >> > > >>> Wicket Training and Consulting
>> > > > >> > > >>> https://twitter.com/mtgrigorov
>> > > > >> > > >>>
>> > > > >> > > >>> On Thu, Nov 3, 2016 at 4:16 AM, Maxim Solodovnik <
>> > > > >> > solomax...@gmail.com
>> > > > >> > > >
>> > > > >> > > >>> wrote:
>> > > > >> > > >>>
>> > > > >> > > >>> Hello,
>> > > > >> > > >>>
>> > > > >> > > >>> Recently we found weird behavior of AjaxDownloader (similar to this [1] one)
>> > > > >> > > >>> For some reason at the moment download is initiated
>> > > > >> > > >>> WebSocketBehavior::onClose is being called
>> > > > >> > > >>> What is the reason for this?
>> > > > >> > > >>>
>> > > > >> > > >>> https://cwiki.apache.org/confluence/display/WICKET/AJAX+update+and+file+download+in+one+blow
>> > > > >> > > >>>
>> > > > >> > > >>> --
>> > > > >> > > >>> WBR
>> > > > >> > > >>> Maxim aka solomax
>> > > > >> > > >>>
>> > > > >> > > >>
>> > > > >> > > >>
>> > > > >> > > >>
>> > > > >> > > >
>> > > > >> > > >
>> > > > >> > > > 

Re: WebSocket close is being called if AjaxDownloader is used

2016-11-08 Thread Martin Grigorov
Hi Maxim,

Do you have progress on this ?

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Thu, Nov 3, 2016 at 9:46 AM, Maxim Solodovnik 
wrote:

> I was hoping to get answer like: in 7.x you should use .xxx :)))
> Going to create example on github and will send it for review :)
>
> On Thu, Nov 3, 2016 at 3:43 PM, Martin Grigorov 
> wrote:
>
> > On Thu, Nov 3, 2016 at 9:40 AM, Maxim Solodovnik 
> > wrote:
> >
> > > It seems iframe is the only option :(((
> > >
> >
> > Why so sad ?
> > iframe is a good option
> >
> >
> > > here is the JS plugin wrapping this idea:
> > > > http://johnculviner.com/jquery-file-download-plugin-for-ajax-like-feature-rich-file-downloads/
> > > going to perform additional search
> > >
> > > Thanks for the idea!
> > >
> > > On Thu, Nov 3, 2016 at 3:36 PM, Ernesto Reinaldo Barreiro <
> > > reier...@gmail.com> wrote:
> > >
> > > > or maybe use a hidden iframe to trigger download...
> > > >
> > > > On Thu, Nov 3, 2016 at 9:28 AM, Ernesto Reinaldo Barreiro <
> > > > reier...@gmail.com> wrote:
> > > >
> > > > > I do not know if this is possible but
> > > > >
> > > > > 1- Open a new tab
> > > > > 2- Set location to download URL
> > > > > 3- Close the new tab
> > > > >
> > > > > > > That way (maybe) page does not close WebSocket connection. It would still
> > > > > > > be "AJAX"...
> > > > >
> > > > >
> > > > > On Thu, Nov 3, 2016 at 9:04 AM, Maxim Solodovnik <
> > solomax...@gmail.com
> > > >
> > > > > wrote:
> > > > >
> > > > >> I'm afraid It would be not really Ajax .
> > > > >>
> > > > >> On Thu, Nov 3, 2016 at 3:03 PM, Ernesto Reinaldo Barreiro <
> > > > >> reier...@gmail.com> wrote:
> > > > >>
> > > > >> > maybe open a second browser tab and do the download there...
> > > > >> >
> > > > >> > On Thu, Nov 3, 2016 at 8:51 AM, Maxim Solodovnik <
> > > > solomax...@gmail.com>
> > > > >> > wrote:
> > > > >> >
> > > > >> > > I'll try to create quick-start ASAP
> > > > >> > >
> > > > >> > > On Thu, Nov 3, 2016 at 2:51 PM, Maxim Solodovnik <
> > > > >> solomax...@gmail.com>
> > > > >> > > wrote:
> > > > >> > >
> > > > >> > > > AjaxDownload was for wicket 1.5.x (or maybe 6.x)
> > > > >> > > > maybe it can be enhanced to work without unload?
> > > > >> > > >
> > > > > >> > > > On Thu, Nov 3, 2016 at 2:46 PM, Sven Meier wrote:
> > > > > >> > > >
> > > > > >> > > >> AjaxDownload changes the window location - the browser probably prepares
> > > > > >> > > >> unloading of the page, before opening the attached download in a separate
> > > > > >> > > >> window.
> > > > >> > > >>
> > > > >> > > >> Sven
> > > > >> > > >>
> > > > >> > > >>
> > > > >> > > >>
> > > > >> > > >> Am 03.11.2016 um 08:33 schrieb Martin Grigorov:
> > > > >> > > >>
> > > > >> > > >>> Hi Maxim,
> > > > >> > > >>>
> > > > >> > > >>> I don't see any relation between those.
> > > > >> > > >>> If it is easy to reproduce please create a quickstart.
> > > > >> > > >>>
> > > > >> > > >>> Martin Grigorov
> > > > >> > > >>> Wicket Training and Consulting
> > > > >> > > >>> https://twitter.com/mtgrigorov
> > > > >> > > >>>
> > > > >> > > >>> On Thu, Nov 3, 2016 at 4:16 AM, Maxim Solodovnik <
> > > > >> > solomax...@gmail.com
> > > > >> > > >
> > > > >> > > >>> wrote:
> > > > >> > > >>>
> > > > > >> > > >>> Hello,
> > > > > >> > > >>>
> > > > > >> > > >>> Recently we found weird behavior of AjaxDownloader (similar to this [1] one)
> > > > > >> > > >>> For some reason at the moment download is initiated
> > > > > >> > > >>> WebSocketBehavior::onClose is being called
> > > > > >> > > >>> What is the reason for this?
> > > > > >> > > >>>
> > > > > >> > > >>> https://cwiki.apache.org/confluence/display/WICKET/AJAX+update+and+file+download+in+one+blow
> > > > > >> > > >>>
> > > > > >> > > >>> --
> > > > > >> > > >>> WBR
> > > > > >> > > >>> Maxim aka solomax
> > > > > >> > > >>>
> > > > >> > > >>
> > > > >> > > >> --
> --
> > > > >> -
> > > > >> > > >> To unsubscribe, e-mail: users-unsubscribe@wicket.
> apache.org
> > > > >> > > >> For additional commands, e-mail:
> > users-h...@wicket.apache.org
> > > > >> > > >>
> > > > >> > > >>
> > > > >> > > >
> > > > >> > > >
> > > > >> > > > --
> > > > >> > > > WBR
> > > > >> > > > Maxim aka solomax
> > > > >> > > >
> > > > >> > >
> > > > >> > >
> > > > >> > >
> > > > >> > > --
> > > > >> > > WBR
> > > > >> > > Maxim aka solomax
> > > > >> > >
> > > > >> >
> > > > >> >
> > > > >> >
> > > > >> > --
> > > > >> > Regards - Ernesto Reinaldo Barreiro
> > > > >> >
> > > > >>
> > > > >>
> > > > >>
> > > > >> --
> > > > >> WBR
> > > > >> Maxim aka solomax
> > > > >>
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Regards - Ernesto Reinaldo Barreiro
> > > > >
> > > >
> > 

[ANNOUNCE] CVE-2016-6806: Apache Wicket CSRF detection vulnerability

2016-11-08 Thread Martijn Dashorst
CVE-2016-6806: Apache Wicket CSRF detection vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0, 7.0.0,
7.1.0, 7.2.0, 7.3.0, 7.4.0 and 8.0.0-M1

Description: Affected versions of Apache Wicket provide a CSRF prevention
measure that fails to discover some cross origin requests. The mitigation is
to not only check the Origin HTTP header, but also take the Referer HTTP
header into account when no Origin was provided. Furthermore, not all
Wicket server side targets were subjected to the CSRF check. This was also
fixed.

Mitigation: 6.x users should upgrade to 6.25.0, 7.x users should upgrade to
7.5.0 and 8.0.0-M1 users should upgrade to 8.0.0-M2.

Credit: This issue was discovered by Gerben Janssen van Doorn

References: https://wicket.apache.org/news

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
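
The Origin-then-Referer decision described in the CVE-2016-6806 announcement above, as an added Java example; it is not Wicket's code and not part of the announcement. The class name, the accepted-origin set and the NO_SOURCE outcome for requests that carry neither header are assumptions of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
/** Added illustration of an Origin check with Referer fallback; not Wicket's code. */
public class OriginRefererCheck {
    /** NO_SOURCE (neither header sent) is an assumption here: the caller's policy decides. */
    enum Decision { ALLOW, REJECT, NO_SOURCE }

    /** Reduces an Origin or Referer value to scheme://host[:port]; null if unusable. */
    static String normalize(String header) {
        if (header == null || header.isBlank()) return null;
        try {
            URI u = new URI(header.trim());
            if (u.getScheme() == null || u.getHost() == null) return null; // e.g. "null"
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            boolean defaultPort = port == -1
                || ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT)
                + (defaultPort ? "" : ":" + port);
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Origin wins when present; Referer is consulted only when no Origin was provided. */
    static Decision check(String origin, String referer, Set<String> accepted) {
        String source = origin != null ? origin : referer;
        if (source == null) return Decision.NO_SOURCE;
        String normalized = normalize(source);
        return normalized != null && accepted.contains(normalized)
            ? Decision.ALLOW : Decision.REJECT;
    }

    public static void main(String[] args) {
        Set<String> accepted = Set.of("https://app.example.com"); // constructed sample
        // No Origin header: the Referer alone identifies the cross-origin request.
        System.out.println(check(null, "https://other.example/page.html", accepted));
        // No Origin header, same-origin Referer with path and query.
        System.out.println(check(null, "https://app.example.com/wicket/page?3", accepted));
        // Origin present: it is used and the Referer is ignored.
        System.out.println(check("https://app.example.com:443", "https://other.example/", accepted));
        // Look-alike host: the whole origin is compared, never a prefix.
        System.out.println(check(null, "https://app.example.com.other.example/", accepted));
        System.out.println(check("null", null, accepted)); // opaque origin sent as "null"
    }
}
```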



Wicket at ApacheCon EU 2016 Sevilla: in just 1 week!

2016-11-08 Thread Martijn Dashorst
All,

If you haven't figured out what to do with your training budget for
this year, you really should consider attending ApacheCon in Sevilla,
Spain.

2 awesome sessions about Apache Wicket, the chance to discuss with
core contributors of your favorite Apache projects, even with Andrea
and myself! It is the best opportunity to work on Wicket, ask Wicket
questions in person, share your experiences and learn from ours!

http://events.linuxfoundation.org/events/apachecon-europe

Don't hesitate and go register now!

Martijn
