Re: [VOTE] Release Apache Wicket 9.1.0 TAKE 2

[Sven Meier]

Hi Andrea,

+1 to release.

CSP does not work if header decorators are replaced. I've added a hint to:

https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+9.0#MigrationtoWicket9.0-DeprecateAppliation#setHeaderResponseDecorator()ASFJIRAkey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution5aa69414-a9e9-3523-82ec-879b028fb15bWICKET-6729

Thanks

Sven


On 11.10.20 11:57, Andrea Del Bene wrote:

So if this is +1 I will proceed finalizing the release ;-)

On 09/10/20 16:01, Thomas Heigl wrote:

Hi Sven,

IMHO filtering/decorating of header resources is an advanced topic, so I

doubt many people are affect by these changes.
I'll take a look at migration guide.

I agree.

After fixing the issue, all my CI tests pass and I did some exploratory
testing in my main application.

So if we can "document this issue away", +1 for releasing.

Thomas



On Fri, Oct 9, 2020 at 3:38 PM Sven Meier <s...@meiers.net> wrote:

Thanks!

We could argue whether your tests were valid then anyways :P

IMHO filtering/decorating of header resources is an advanced topic, so I

doubt many people are affect by these changes.
I'll take a look at migration guide.

Have fun
Sven


On 09.10.20 15:18, Thomas Heigl wrote:

Hi Sven,

My unit test application was still applying a custom response decorator

like this:

@Override

protected void init() {

      ....

      setHeaderResponseDecorator(new

JavaScriptFilteredIntoFooterResponseDecorator());

}


setHeaderResponseDecorator now disables resource aggregation and
initialization of the application fails if CSP is enabled.

Thomas

On Fri, Oct 9, 2020 at 3:04 PM Andrea Del Bene <an.delb...@gmail.com>

wrote:

Hi Thomas

On Fri, Oct 9, 2020 at 2:30 PM Thomas Heigl <tho...@umschalt.com>

wrote:

All my unit tests failed with the new release:

java.lang.IllegalStateException: no resource aggregation

at

org.apache.wicket.markup.html.HeaderResponseDecoratorCollection.addPreResourceAggregationDecorator(HeaderResponseDecoratorCollection.java:84)

at

org.apache.wicket.csp.ContentSecurityPolicySettings.enforce(ContentSecurityPolicySettings.java:209)

at

org.apache.wicket.protocol.http.WebApplication.validateInit(WebApplication.java:784)

at org.apache.wicket.Application.initApplication(Application.java:765)

at

org.apache.wicket.util.tester.BaseWicketTester.<init>(BaseWicketTester.java:326)

at

org.apache.wicket.util.tester.BaseWicketTester.<init>(BaseWicketTester.java:255)

at

org.apache.wicket.util.tester.BaseWicketTester.<init>(BaseWicketTester.java:228)

at

org.apache.wicket.util.tester.WicketTester.<init>(WicketTester.java:199)

My unit test application was still using the deprecated
`Application.setHeaderResponseDecorator()`. I replaced it with

`Application.getHeaderResponseDecorators().add()` and it now works as

expected.

I'm not sure how we should address this issue. Should the deprecated

method

simply delegate to `getHeaderResponseDecorators().add()` instead of
replacing all decorators?

This possible migration issue is part in the migration guide, although

it

has been added after the release of Wicket 9.0.0 when
a user on StackOverflow reported a problem related to this API change

(*).

I agree with you when you say we should do something to avoid possible migration pitfalls, but instead of changing the current API behavior I'd

prefer

to simply add a warning message to setHeaderResponseDecorator in order

to

make users aware of this change.

(*)

https://stackoverflow.com/questions/63158243/wicket-9-usage-of-javascriptfilteredintofooterheaderresponse-seems-to-cause-tro/63161063

Thomas

On Fri, Oct 9, 2020 at 10:59 AM Andrea Del Bene <an.delb...@gmail.com>

wrote:

+1 to release. Tested my main app

On Thu, Oct 8, 2020 at 10:59 AM Maxim Solodovnik <

solomax...@gmail.com

wrote:

+1

all my tests are passed :)

On Thu, 8 Oct 2020 at 00:46, Andrea Del Bene <an.delb...@gmail.com>

wrote:

This is a vote to release Apache Wicket 9.1.0

Please download the source distributions found in our staging area

linked below.

I have included the signatures for both the source archives. This

vote

lasts for 72 hours minimum.

[ ] Yes, release Apache Wicket 9.1.0
[ ] No, don't release Apache Wicket 9.1.0, because ...

Distributions, changelog, keys and signatures can be found at:

https://dist.apache.org/repos/dist/dev/wicket/9.1.0

Staging repository:

https://repository.apache.org/content/repositories/orgapachewicket-1155/

The binaries are available in the above link, as are a staging
repository for Maven. Typically the vote is on the source, but

should

you find a problem with one of the binaries, please let me know, I

can

re-roll them some way or the other.

Staging git repository data:

       Repository: g...@github.com:bitstorm/wicket.git
       Branch:      build/wicket-9.1.0
       Release tag: rel/wicket-9.1.0

========================================================================

       The signatures for the source release artefacts:


Signature for apache-wicket-9.1.0.zip:

       -----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE0a6YZHC1pJw+aieyh48B+qjTVuEFAl99/FsACgkQh48B+qjT
VuE0kQ//TmQc53B9FrAgSWV8BKFAtxzjAhQiFilWp1/5vLyLZFUYAraQ6DMoH2GR
s2JMcbZJGmjplwG2Yy6LGXEksFV9wBTnEA4RGREV06K6ihx7Qm2zjgunZZSswZIr
MuLQYMnrXmAM2Qs071b17a5k2Gkw1+CST51KwOUD7u5l7UZOvUcXRL1xTBemOZ9s
RMbcbnjesxct3W2ASkGvULE7oHpBXrrDRHbv4mRFjWsSOjoasXJNtKJoUcoVtBnz
xwMlN/dZTEJLlj7uG2jW5mqFj+vfWP01UE+XR2HlJmW54puErcGE4+/haAJdvlwe
+rP2XNwAAD5rp3jIcpHerBOt7pruWEDhOwaydm0jJvsPh82SibKCmhnlJlxpdJE3
udvMKvU/zcASLHOHZ33wF/JSvO9kCI4LHCEJfYICcNpTktpzNUrhMQkXOVTj3pGS
vcFB6/rFWWHxaxtUZKJTCb2tcCN5LMIr1Thcyb5BUCC2ZN8PqNSjI9L6EtzG7Jyd
PnkJiJayn6VUVr6WTP+UEVlqPvDTqg/yuhquQmYjz1uYPQS8lL5WpHUvQnmtiJ2S
yAeHNJm+pJRxDgs9CIAhAToTM38y09Y/aM2T5R+iOI6u/tLovFWBS8YxUYkUdPHP
/9YOBXan7Q1XqBz8W6nfsvrvtbZYhYfU0FOsxcgHK9pGbkxPWnA=
=0JCC
-----END PGP SIGNATURE-----

Signature for apache-wicket-9.1.0.tar.gz:

       -----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE0a6YZHC1pJw+aieyh48B+qjTVuEFAl99/FsACgkQh48B+qjT
VuE4vQ//ZAhCOuedc/LCKKTQU/uE/nF+i9PcCS/SsFVJbvoCzyVSoSQwQCYbM+E4
kd8YYr8CG1PNpKMyxsNuBEG9ttR8ZCDfEKIVD727y2vLk9L5SefY6/dRanLO/cc0
1rGYwtMfJby//P/pXdjeG6Qta3FHb2AcZtIyzPTFFciIuebccUsM48UDU6HT3weN
aKwgr5uUQVInVRV7pEGC0ziRMRkyYRStBLZNioR2BjCV7IxnWdeWTjapD9kAiY5H
2d1J0ItW/4mtohKWiem4JPX1HTf+U2d02qTq2i5ykDKfytoMUvFlIuP0kl7J5K/t
NdfOzgcmMgZa+wjy0z46TEEdq63JdRu3Cpy3wkkTy9GF2+6UJdXQ1z9dbGbmNkTy
0WZWGf85s8rekJVwt66TUih6Mlcl1Fb57zOYndrkb/AHB1ehF90JIf/DqLdplfbS
fFinL9Q7myeM2GM3uivmR6TF2ZvtCbGfiWQ4DKLTIXJYDsqxTDSDrroxk3j/P64h
1havxw/X45FZsMaoMX7xdVO5drK65LSLpea0OpkHPWr9x0OetI4iQssxpUcoAXj0
OPPZ66Luci/Au9rodmP7bW5X5ttlXxSjkvLRgk2GibD3NpcJHrHLF1UWeDwH5XIJ
Bsuw7X2vIgtzu2GCLHoudgGp9yQYXuxI5adnrC9Lyg+BeEQhc+U=
=rzeT
-----END PGP SIGNATURE-----

========================================================================

       CHANGELOG for 9.1.0:

** Bug

       * [WICKET-6702] - AsynchronousPageStore with
NotDetachedModelChecker - "Not detached model found" exception on
several fast sequential Ajax calls
       * [WICKET-6802] - FilePageStore writing to
UserDefinedFileAttributeView might be null
       * [WICKET-6803] - wicket-objectsizeof-agent has no valid

automatic

module name
       * [WICKET-6806] - CSP header response decorator breaks
JavaScriptFilteredIntoFooterHeaderResponse
       * [WICKET-6808] - Cannot add page to AjaxRequestTarget

       * [WICKET-6810] - Asynchronous+encrypted pagestore leads to

WicketRuntimeException

       * [WICKET-6813] - Setting child-src does not update frame-src

after

initial assignment
       * [WICKET-6818] - NPE in WicketEndpoint onClose

       * [WICKET-6822] - AsynchronousPageStore Potential Memory Leak

       * [WICKET-6825] - wicket-ioc 9.0.0 throws IAE with JDK14,

still

includes outdated ASM 7.1.0 in cglib-nodep

       * [WICKET-6837] - Jupiter engine transitively included in war

file

** New Feature

       * [WICKET-6805] - Add Cross-Origin Opener Policy and

Cross-Origin

Embedder Policy support

** Improvement

       * [WICKET-6786] - CsrfPreventionRequestCycleListener should

support

Fetch Metadata Request Headers
       * [WICKET-6807] - Fake Submitting Button
       * [WICKET-6821] - Completely disable CSP support

       * [WICKET-6824] - Use concatenation instead of String.format

for

frequently called methods

       * [WICKET-6826] - Improve performance and reduce allocations

for

Behaviors
       * [WICKET-6827] - Improve performance of Strings.join and
Strings.replaceAll

       * [WICKET-6828] - Wrong tree branch icon with hidden children

       * [WICKET-6829] - Use String.isEmpty() instead of

"".equals(...)

       * [WICKET-6830] - Convert Behaviors into a static utility

class

to

reduce allocations
       * [WICKET-6831] - Try to flush the response before detach
       * [WICKET-6833] - Reduce allocations when merging page

parameters

       * [WICKET-6835] - Improve performance of

AbstractMapper.getPlaceholder

       * [WICKET-6838] - Improve performance of Strings.split

--
Best regards,
Maxim

--
Andrea Del Bene.
Apache Wicket committer.

--
Andrea Del Bene.
Apache Wicket committer.