Re: bypass the FormComponent # validateRequired()

2016-11-14 Thread Francois Meillet
Hi Martin,

Thanks, I did not see #onValidateModelObjects() which is perfect.

François



> On 14 Nov 2016, at 21:01, Martin Grigorov wrote:
> 
> Hi François,
> 
> 
> On Thu, Nov 10, 2016 at 6:34 PM, Francois Meillet <
> francois.meil...@gmail.com> wrote:
> 
>> Hi,
>> 
>> I have a main form which may contain one to multiple subforms.
>> Subform's models have validations constraints annotations and I can't
>> modify the models source code. (then I can’t remove the constraints
>> annotations)
>> 
>> Each subform has 1 button.
>> When clicked, complete validation is done, which is fine.
>> 
>> The main form has 1 button.
>> When clicked, the main form must validate the data, but in the
>> FormComponent # validate() the use case is to bypass the FormComponent #
>> validateRequired();
>> 
>> I thought I could override
>> form # process(IFormSubmitter submittingComponent) in order to make all
>> the formcomponents not required before the validation occurs but
>> internalOnValidateModelObjects() is private.
>> 
>> Do you have an idea on how to do it ?
>> 
> 
> Why do you need to use #internalOnValidateModelObjects() ?
> It immediately
> calls org.apache.wicket.markup.html.form.Form#onValidateModelObjects()
> which is OK for extension.
> 
> 
>> 
>> François
>> 
>> 
>> 
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>> For additional commands, e-mail: users-h...@wicket.apache.org
>> 
>> 





Re: Pluggable architecture for wicket application

2016-11-14 Thread Martijn Dashorst
I know a Dutch company (or two) that use OSGi, I'm certain that one
uses Wicket + OSGi: educator.eu. The other, luminis.eu, does a lot of
work with OSGi, but might not use it in combination with Wicket. I
only have second hand knowledge about the combination, and it's
probably outdated.

Maybe someone from those companies is listening here and cares to comment.

Martijn

On Mon, Nov 14, 2016 at 8:13 PM, Martin Grigorov  wrote:
> Hi,
>
> On Mon, Nov 14, 2016 at 3:58 AM, Илья Нарыжный  wrote:
>
>> Hello,
>>
>> We really need advice from Apache Wicket experts. Please let me know if you
>> have any ideas how to realize the following:
>>
>> We are working on Orienteer (http://orienteer.org) - open source Business
>> Application Platform for rapid development.
>> Orienteer already has pluggable architecture which allow to
>> start/stop/restart modules and etc. Every module can bring different
>> things: new webpages, REST, wicket components and etc. For example:
>> https://github.com/OrienteerBAP/Orienteer/tree/master/orienteer-pivottable
>>
>> But there is plans to allow dynamically upload required new module (without
>> recompiling whole WAR with new module).  To upload person can literally
>> upload JAR or enter URL with the module or specify Maven's
>> groupId:artifactId:version.
>>
>> There is no problem with downloading of module: there is a problem with
>> runtime running it.  Questions:
>>
>> 1) Is there good way for substitution of your own ClassLoader for more
>> dynamic management?
>>
>
> Wicket doesn't manage class loaders. The web container (like Tomcat) deals
> with this.
> The only hook provided by Wicket is org.apache.wicket.protocol.
> http.WicketFilter#getClassLoader(). See org.apache.wicket.protocol.http.
> ReloadingWicketFilter#reloadingClassLoader.
>
>
>> 2) Is there a way for restarting of wicket app without restarting a
>> web-container?
>>
>
> You may use WebApplication#initApplication() and #internalDestroy(). Also
> see what ReloadingWicketFilter does.
>
>
>> 3) Related to p.1: any good experience with using this:
>> https://github.com/kamranzafar/JCL ?
>>
>
> IMO this should work to load extra jars dynamically. I didn't see anything
> about unloading though.
>
>
>> 4) Any other suggestions how to make dynamically pluggable modules in
>> wicket?
>>
>
> Some people use OSGi (with PAX). I don't have much experience to be able to
> comment.
>
>
>>
>> Thanks,
>>
>> Ilya
>>
>> -
>> Orienteer(http://orienteer.org) - open source Business Application
>> Platform
>>



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com




Re: bypass the FormComponent # validateRequired()

2016-11-14 Thread Martin Grigorov
Hi François,


On Thu, Nov 10, 2016 at 6:34 PM, Francois Meillet <
francois.meil...@gmail.com> wrote:

> Hi,
>
> I have a main form which may contain one to multiple subforms.
> Subform's models have validations constraints annotations and I can't
> modify the models source code. (then I can’t remove the constraints
> annotations)
>
> Each subform has 1 button.
> When clicked, complete validation is done, which is fine.
>
> The main form has 1 button.
> When clicked, the main form must validate the data, but in the
> FormComponent # validate() the use case is to bypass the FormComponent #
> validateRequired();
>
> I thought I could override
> form # process(IFormSubmitter submittingComponent) in order to make all
> the formcomponents not required before the validation occurs but
> internalOnValidateModelObjects() is private.
>
> Do you have an idea on how to do it ?
>

Why do you need to use #internalOnValidateModelObjects() ?
It immediately
calls org.apache.wicket.markup.html.form.Form#onValidateModelObjects()
which is OK for extension.


>
> François
>
>
>
>
>
>


Re: Pluggable architecture for wicket application

2016-11-14 Thread Martin Grigorov
Hi,

On Mon, Nov 14, 2016 at 3:58 AM, Илья Нарыжный  wrote:

> Hello,
>
> We really need advice from Apache Wicket experts. Please let me know if you
> have any ideas how to realize the following:
>
> We are working on Orienteer (http://orienteer.org) - open source Business
> Application Platform for rapid development.
> Orienteer already has pluggable architecture which allow to
> start/stop/restart modules and etc. Every module can bring different
> things: new webpages, REST, wicket components and etc. For example:
> https://github.com/OrienteerBAP/Orienteer/tree/master/orienteer-pivottable
>
> But there is plans to allow dynamically upload required new module (without
> recompiling whole WAR with new module).  To upload person can literally
> upload JAR or enter URL with the module or specify Maven's
> groupId:artifactId:version.
>
> There is no problem with downloading of module: there is a problem with
> runtime running it.  Questions:
>
> 1) Is there good way for substitution of your own ClassLoader for more
> dynamic management?
>

Wicket doesn't manage class loaders. The web container (like Tomcat) deals
with this.
The only hook provided by Wicket is org.apache.wicket.protocol.
http.WicketFilter#getClassLoader(). See org.apache.wicket.protocol.http.
ReloadingWicketFilter#reloadingClassLoader.


> 2) Is there a way for restarting of wicket app without restarting a
> web-container?
>

You may use WebApplication#initApplication() and #internalDestroy(). Also
see what ReloadingWicketFilter does.


> 3) Related to p.1: any good experience with using this:
> https://github.com/kamranzafar/JCL ?
>

IMO this should work to load extra jars dynamically. I didn't see anything
about unloading though.


> 4) Any other suggestions how to make dynamically pluggable modules in
> wicket?
>

Some people use OSGi (with PAX). I don't have much experience to be able to
comment.


>
> Thanks,
>
> Ilya
>
> -
> Orienteer(http://orienteer.org) - open source Business Application
> Platform
>


Re: CsrfPreventionRequestCycleListener Link 400

2016-11-14 Thread Francois Meillet
Thanks a lot for your very detailed information.

François


> On 14 Nov 2016, at 09:25, Emond Papegaaij wrote:
> 
> Hi François,
> 
> Since 8.0.0-M2 (and 7.5.0) the CsrfPreventionRequestCycleListener will block 
> requests without an Origin and Referer header. The reason for this is that it is 
> possible for an attacker to prevent a browser from sending a referer header 
> (for example with rel="noreferrer"). When you open a link in a new tab, your 
> browser probably does not send these headers and Wicket blocks the action-
> request.
> 
> You can configure this behavior in CsrfPreventionRequestCycleListener with 
> setNoOriginAction. As said, the default is 'ABORT'. If you set it to 
> 'SUPPRESS', Wicket will render the page, but not execute Link.onClick. This 
> will open the new tab with the page containing the link. If you set it to 
> 'ALLOW', Wicket will allow the request, but this may undermine the protection 
> offered by CsrfPreventionRequestCycleListener.
> 
> If your link simply points to a different page, I'd recommend to use a 
> BookmarkablePageLink. A request to simply render a page will never be blocked 
> by CsrfPreventionRequestCycleListener, so a BookmarkablePageLink will always 
> work. Naturally, for this to work, your target page needs to be bookmarkable.
> 
> You can also subclass CsrfPreventionRequestCycleListener and override 
> 'protected boolean isChecked(IRequestHandler handler)' to whitelist specific 
> requests. Perhaps you can tag safe links and skip checking those. This 
> solution offers you the most flexibility, but requires more work and you need 
> to be very precise in what requests to allow.
> 
> Best regards,
> Emond
> 
> 
> On Sunday, 13 November 2016 18:33:52 CET Francois Meillet wrote:
>> Hi,
>> 
>> When I use a CsrfPreventionRequestCycleListener, clicking a Link<> while
>> holding the command key does not open link in new tab. (Wicket 8.0.0-M2 /
>> OSX)
>> 
>> I get this error :
>> 
>> HTTP ERROR 400
>> Problem accessing /. Reason: Origin does not correspond to request
>> 
>> 
>> Clicking a BookmarkablePageLink is ok.
>> 
>> 
>> François
>> 
>> 
> 
> 
> 
> 





Re: CsrfPreventionRequestCycleListener Link 400

2016-11-14 Thread Emond Papegaaij
Hi François,

Since 8.0.0-M2 (and 7.5.0) the CsrfPreventionRequestCycleListener will block 
requests without an Origin and Referer header. The reason for this is that it is 
possible for an attacker to prevent a browser from sending a referer header 
(for example with rel="noreferrer"). When you open a link in a new tab, your 
browser probably does not send these headers and Wicket blocks the action-
request.

You can configure this behavior in CsrfPreventionRequestCycleListener with 
setNoOriginAction. As said, the default is 'ABORT'. If you set it to 
'SUPPRESS', Wicket will render the page, but not execute Link.onClick. This 
will open the new tab with the page containing the link. If you set it to 
'ALLOW', Wicket will allow the request, but this may undermine the protection 
offered by CsrfPreventionRequestCycleListener.

If your link simply points to a different page, I'd recommend to use a 
BookmarkablePageLink. A request to simply render a page will never be blocked 
by CsrfPreventionRequestCycleListener, so a BookmarkablePageLink will always 
work. Naturally, for this to work, your target page needs to be bookmarkable.

You can also subclass CsrfPreventionRequestCycleListener and override 
'protected boolean isChecked(IRequestHandler handler)' to whitelist specific 
requests. Perhaps you can tag safe links and skip checking those. This 
solution offers you the most flexibility, but requires more work and you need 
to be very precise in what requests to allow.

Best regards,
Emond
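
[Added example, not part of the original message and not Wicket's own code: one way to combine the setNoOriginAction setting with an isChecked(IRequestHandler) override that skips tagged links. The names CsrfExempt, NavigationOnlyLink, TaggedCsrfListener and MyApplication are hypothetical; it assumes wicket-core 7.5.0 or later on the classpath.]

```java
import org.apache.wicket.core.request.handler.IComponentRequestHandler;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener;
import org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener.CsrfAction;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.component.IRequestableComponent;

/** Hypothetical marker: onClick() of the tagged component only navigates, it changes no state. */
interface CsrfExempt {}

/** Hypothetical link type for links that users may open in a new tab. */
abstract class NavigationOnlyLink<T> extends Link<T> implements CsrfExempt {
    NavigationOnlyLink(String id) {
        super(id);
    }
}

/** Skips the Origin/Referer check only for components carrying the marker. */
class TaggedCsrfListener extends CsrfPreventionRequestCycleListener {
    @Override
    protected boolean isChecked(IRequestHandler handler) {
        if (handler instanceof IComponentRequestHandler) {
            // Assumption: the target component can be resolved at this point of the request.
            IRequestableComponent target = ((IComponentRequestHandler) handler).getComponent();
            if (target instanceof CsrfExempt) {
                return false; // explicitly tagged: request is allowed without the check
            }
        }
        // Everything else keeps the stock behaviour (action requests are checked).
        return super.isChecked(handler);
    }
}

/** Hypothetical application class; abstract because getHomePage() is left out here. */
abstract class MyApplication extends WebApplication {
    @Override
    protected void init() {
        super.init();
        CsrfPreventionRequestCycleListener csrf = new TaggedCsrfListener();
        // Untagged links without Origin/Referer: render the page, do not run onClick().
        // ABORT is the default; ALLOW would let the action run and weakens the protection.
        csrf.setNoOriginAction(CsrfAction.SUPPRESS);
        getRequestCycleListeners().add(csrf);
    }
}
```

Only tag a link as exempt when its onClick() has no side effects, because a tagged link can be triggered from another site without any Origin or Referer check.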


On Sunday, 13 November 2016 18:33:52 CET Francois Meillet wrote:
> Hi,
> 
> When I use a CsrfPreventionRequestCycleListener, clicking a Link<> while
> holding the command key does not open link in new tab. (Wicket 8.0.0-M2 /
> OSX)
> 
> I get this error :
> 
> HTTP ERROR 400
> Problem accessing /. Reason: Origin does not correspond to request
> 
> 
> Clicking a BookmarkablePageLink is ok.
> 
> 
> François
> 
> 


