Re: bypass the FormComponent # validateRequired()
Hi Martin, Thanks, I did not see #onValidateModelObjects() which is perfect. François > Le 14 nov. 2016 à 21:01, Martin Grigorova écrit : > > Hi François, > > > On Thu, Nov 10, 2016 at 6:34 PM, Francois Meillet < > francois.meil...@gmail.com> wrote: > >> Hi, >> >> I have a main form which may contain one to multiple subforms. >> Subform's models have validations constraints annotations and I can't >> modify the models source code. (then I can’t remove the constraints >> annotations) >> >> Each subform has 1 button. >> When clicked, complete validation is done, which is fine. >> >> The main form has 1 button. >> When clicked, the main form must validate the data, but in the >> FormComponent # validate() teh use case is to bypass the FormComponent # >> validateRequired(); >> >> I thought I could override >> form # process(IFormSubmitter submittingComponent) in order to make all >> the formcomponents not required before the validation occurs but >> internalOnValidateModelObjects() is private. >> >> Do you have an idea on how to do it ? >> > > Why do you need to use #internalOnValidateModelObjects() ? > It immediately > calls org.apache.wicket.markup.html.form.Form#onValidateModelObjects() > which is OK for extension. > > >> >> François >> >> >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org >> >> - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: Pluggable architecture for wicket application
I know a Dutch company (or two) that use OSGi, I'm certain that one uses Wicket + OSGi: educator.eu. The other, luminis.eu, does a lot of work with OSGi, but might not use it in combination with Wicket. I only have second hand knowledge about the combination, and it's probably outdated. Maybe someone from those companies is listening here and cares to comment. Martijn On Mon, Nov 14, 2016 at 8:13 PM, Martin Grigorovwrote: > Hi, > > On Mon, Nov 14, 2016 at 3:58 AM, Илья Нарыжный wrote: > >> Hello, >> >> We really need advise from Apache Wicket experts. Please let me know if you >> have any ideas how to realize the following: >> >> We are working on Orienteer (http://orienteer.org) - open source Business >> Application Platform for rapid development. >> Orienteer already has pluggable architecture which allow to >> start/stop/restart modules and etc. Every module can bring different >> things: new webpages, REST, wicket components and etc. For example: >> https://github.com/OrienteerBAP/Orienteer/tree/master/orienteer-pivottable >> >> But there is plans to allow dynamically upload required new module (without >> recompiling whole WAR with new module). To upload person can literally >> upload JAR or enter URL with the module or specify Maven's >> groupId:artifactId:version. >> >> There is no problem with downloading of module: there is a problem with >> runtime running it. Questions: >> >> 1) Is there good way for substitution of your own ClassLoader for more >> dynamic management? >> > > Wicket doesn't manage class loaders. The web container (like Tomcat) deals > with this. > The only hook provided by Wicket is org.apache.wicket.protocol. > http.WicketFilter#getClassLoader(). See org.apache.wicket.protocol.http. > ReloadingWicketFilter#reloadingClassLoader. > > >> 2) Is there a way for restarting of wicket app without restarting a >> web-container? >> > > You may use WebApplication#initApplication() and #internalDestroy(). Also > see what ReloadingWicketFilter does. > > >> 3) Related to p.1: any good experience with using this: >> https://github.com/kamranzafar/JCL ? >> > > IMO this should work to load extra jars dynamically. I didn't see anything > about unloading though. > > >> 4) Any other suggetions how to make dynamically pluggable modules in >> wicket? >> > > Some people use OSGi (with PAX). I don't have much experience to be able to > comment. > > >> >> Thanks, >> >> Ilya >> >> - >> Orienteer(http://orienteer.org) - open source Business Application >> Platform >> -- Become a Wicket expert, learn from the best: http://wicketinaction.com - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: bypass the FormComponent # validateRequired()
Hi François, On Thu, Nov 10, 2016 at 6:34 PM, Francois Meillet < francois.meil...@gmail.com> wrote: > Hi, > > I have a main form which may contain one to multiple subforms. > Subform's models have validations constraints annotations and I can't > modify the models source code. (then I can’t remove the constraints > annotations) > > Each subform has 1 button. > When clicked, complete validation is done, which is fine. > > The main form has 1 button. > When clicked, the main form must validate the data, but in the > FormComponent # validate() teh use case is to bypass the FormComponent # > validateRequired(); > > I thought I could override > form # process(IFormSubmitter submittingComponent) in order to make all > the formcomponents not required before the validation occurs but > internalOnValidateModelObjects() is private. > > Do you have an idea on how to do it ? > Why do you need to use #internalOnValidateModelObjects() ? It immediately calls org.apache.wicket.markup.html.form.Form#onValidateModelObjects() which is OK for extension. > > François > > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > >
Re: Pluggable architecture for wicket application
Hi, On Mon, Nov 14, 2016 at 3:58 AM, Илья Нарыжныйwrote: > Hello, > > We really need advise from Apache Wicket experts. Please let me know if you > have any ideas how to realize the following: > > We are working on Orienteer (http://orienteer.org) - open source Business > Application Platform for rapid development. > Orienteer already has pluggable architecture which allow to > start/stop/restart modules and etc. Every module can bring different > things: new webpages, REST, wicket components and etc. For example: > https://github.com/OrienteerBAP/Orienteer/tree/master/orienteer-pivottable > > But there is plans to allow dynamically upload required new module (without > recompiling whole WAR with new module). To upload person can literally > upload JAR or enter URL with the module or specify Maven's > groupId:artifactId:version. > > There is no problem with downloading of module: there is a problem with > runtime running it. Questions: > > 1) Is there good way for substitution of your own ClassLoader for more > dynamic management? > Wicket doesn't manage class loaders. The web container (like Tomcat) deals with this. The only hook provided by Wicket is org.apache.wicket.protocol. http.WicketFilter#getClassLoader(). See org.apache.wicket.protocol.http. ReloadingWicketFilter#reloadingClassLoader. > 2) Is there a way for restarting of wicket app without restarting a > web-container? > You may use WebApplication#initApplication() and #internalDestroy(). Also see what ReloadingWicketFilter does. > 3) Related to p.1: any good experience with using this: > https://github.com/kamranzafar/JCL ? > IMO this should work to load extra jars dynamically. I didn't see anything about unloading though. > 4) Any other suggetions how to make dynamically pluggable modules in > wicket? > Some people use OSGi (with PAX). I don't have much experience to be able to comment. > > Thanks, > > Ilya > > - > Orienteer(http://orienteer.org) - open source Business Application > Platform >
Re: CsrfPreventionRequestCycleListener Link 400
Thanks a lot you very detailed information. François > Le 14 nov. 2016 à 09:25, Emond Papegaaija écrit > : > > Hi François, > > Since 8.0.0-M2 (and 7.5.0) the CsrfPreventionRequestCycleListener will block > requests without an Origin and Referer header. The reason for this is that is > possible for an attacker to prevent a browser from sending a referer header > (for example with rel="noreferrer"). When you open a link in a new tab, your > browser probably does not send these headers and Wicket blocks the action- > request. > > You can configure this behavior in CsrfPreventionRequestCycleListener with > setNoOriginAction. As said, the default is 'ABORT'. If you set it to > 'SUPPRESS', Wicket will render the page, but not execute Link.onClick. This > will open the new tab with the page containing the link. If you set it to > 'ALLOW', Wicket will allow the request, but this may undermine the protection > offered by CsrfPreventionRequestCycleListener. > > If your link simply points to a different page, I'd recommend to use a > BookmarkablePageLink. A request to simply render a page will never be blocked > by CsrfPreventionRequestCycleListener, so a BookmarkablePageLink will always > work. Naturaly for this to work, your target page needs to be bookmarkable. > > You can also subclass CsrfPreventionRequestCycleListener and override > 'protected boolean isChecked(IRequestHandler handler)' to whitelist specific > requests. Perhaps you can tag safe links and skip checking those. This > solution offers you the most flexibility, but requires more work and you need > to be very precise in what requests to allow. > > Best regards, > Emond > > > On zondag 13 november 2016 18:33:52 CET Francois Meillet wrote: >> Hi, >> >> When I use a CsrfPreventionRequestCycleListener, clicking a Link<> while >> holding the command key does not open link in new tab. (Wicket 8.0.0-M2 / >> OSX) >> >> I get this error : >> >> HTTP ERROR 400 >> Problem accessing /. Reason: Origin does not correspond to request >> >> >> Clicking a BookmarkablePageLink is ok. >> >> >> François >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org >> For additional commands, e-mail: users-h...@wicket.apache.org > > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org > - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
Re: CsrfPreventionRequestCycleListener Link 400
Hi François, Since 8.0.0-M2 (and 7.5.0) the CsrfPreventionRequestCycleListener will block requests without an Origin and Referer header. The reason for this is that is possible for an attacker to prevent a browser from sending a referer header (for example with rel="noreferrer"). When you open a link in a new tab, your browser probably does not send these headers and Wicket blocks the action- request. You can configure this behavior in CsrfPreventionRequestCycleListener with setNoOriginAction. As said, the default is 'ABORT'. If you set it to 'SUPPRESS', Wicket will render the page, but not execute Link.onClick. This will open the new tab with the page containing the link. If you set it to 'ALLOW', Wicket will allow the request, but this may undermine the protection offered by CsrfPreventionRequestCycleListener. If your link simply points to a different page, I'd recommend to use a BookmarkablePageLink. A request to simply render a page will never be blocked by CsrfPreventionRequestCycleListener, so a BookmarkablePageLink will always work. Naturaly for this to work, your target page needs to be bookmarkable. You can also subclass CsrfPreventionRequestCycleListener and override 'protected boolean isChecked(IRequestHandler handler)' to whitelist specific requests. Perhaps you can tag safe links and skip checking those. This solution offers you the most flexibility, but requires more work and you need to be very precise in what requests to allow. Best regards, Emond On zondag 13 november 2016 18:33:52 CET Francois Meillet wrote: > Hi, > > When I use a CsrfPreventionRequestCycleListener, clicking a Link<> while > holding the command key does not open link in new tab. (Wicket 8.0.0-M2 / > OSX) > > I get this error : > > HTTP ERROR 400 > Problem accessing /. Reason: Origin does not correspond to request > > > Clicking a BookmarkablePageLink is ok. > > > François > > > - > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org > For additional commands, e-mail: users-h...@wicket.apache.org - To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org