Hi Andrea,
+1 to release.
CSP does not work if header decorators are replaced. I've added a hint to:
https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+9.0#MigrationtoWicket9.0-DeprecateAppliation#setHeaderResponseDecorator()ASFJIRAkey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution5aa69414-a9e9-3523-82ec-879b028fb15bWICKET-6729
Thanks
Sven
On 11.10.20 11:57, Andrea Del Bene wrote:
So if this is +1 I will proceed finalizing the release ;-)
On 09/10/20 16:01, Thomas Heigl wrote:
Hi Sven,
IMHO filtering/decorating of header resources is an advanced topic,
so I
doubt many people are affect by these changes.
I'll take a look at migration guide.
I agree.
After fixing the issue, all my CI tests pass and I did some exploratory
testing in my main application.
So if we can "document this issue away", +1 for releasing.
Thomas
On Fri, Oct 9, 2020 at 3:38 PM Sven Meier <s...@meiers.net> wrote:
Thanks!
We could argue whether your tests were valid then anyways :P
IMHO filtering/decorating of header resources is an advanced topic,
so I
doubt many people are affect by these changes.
I'll take a look at migration guide.
Have fun
Sven
On 09.10.20 15:18, Thomas Heigl wrote:
Hi Sven,
My unit test application was still applying a custom response
decorator
like this:
@Override
protected void init() {
....
setHeaderResponseDecorator(new
JavaScriptFilteredIntoFooterResponseDecorator());
}
setHeaderResponseDecorator now disables resource aggregation and
initialization of the application fails if CSP is enabled.
Thomas
On Fri, Oct 9, 2020 at 3:04 PM Andrea Del Bene <an.delb...@gmail.com>
wrote:
Hi Thomas
On Fri, Oct 9, 2020 at 2:30 PM Thomas Heigl <tho...@umschalt.com>
wrote:
All my unit tests failed with the new release:
java.lang.IllegalStateException: no resource aggregation
at
org.apache.wicket.markup.html.HeaderResponseDecoratorCollection.addPreResourceAggregationDecorator(HeaderResponseDecoratorCollection.java:84)
at
org.apache.wicket.csp.ContentSecurityPolicySettings.enforce(ContentSecurityPolicySettings.java:209)
at
org.apache.wicket.protocol.http.WebApplication.validateInit(WebApplication.java:784)
at
org.apache.wicket.Application.initApplication(Application.java:765)
at
org.apache.wicket.util.tester.BaseWicketTester.<init>(BaseWicketTester.java:326)
at
org.apache.wicket.util.tester.BaseWicketTester.<init>(BaseWicketTester.java:255)
at
org.apache.wicket.util.tester.BaseWicketTester.<init>(BaseWicketTester.java:228)
at
org.apache.wicket.util.tester.WicketTester.<init>(WicketTester.java:199)
My unit test application was still using the deprecated
`Application.setHeaderResponseDecorator()`. I replaced it with
`Application.getHeaderResponseDecorators().add()` and it now
works as
expected.
I'm not sure how we should address this issue. Should the deprecated
method
simply delegate to `getHeaderResponseDecorators().add()` instead of
replacing all decorators?
This possible migration issue is part in the migration guide,
although
it
has been added after the release of Wicket 9.0.0 when
a user on StackOverflow reported a problem related to this API change
(*).
I agree with you when you say we should do something to avoid
possible
migration pitfalls, but instead of changing the current API
behavior I'd
prefer
to simply add a warning message to setHeaderResponseDecorator in
order
to
make users aware of this change.
(*)
https://stackoverflow.com/questions/63158243/wicket-9-usage-of-javascriptfilteredintofooterheaderresponse-seems-to-cause-tro/63161063
Thomas
On Fri, Oct 9, 2020 at 10:59 AM Andrea Del Bene
<an.delb...@gmail.com>
wrote:
+1 to release. Tested my main app
On Thu, Oct 8, 2020 at 10:59 AM Maxim Solodovnik <
solomax...@gmail.com
wrote:
+1
all my tests are passed :)
On Thu, 8 Oct 2020 at 00:46, Andrea Del Bene
<an.delb...@gmail.com>
wrote:
This is a vote to release Apache Wicket 9.1.0
Please download the source distributions found in our staging
area
linked below.
I have included the signatures for both the source archives. This
vote
lasts for 72 hours minimum.
[ ] Yes, release Apache Wicket 9.1.0
[ ] No, don't release Apache Wicket 9.1.0, because ...
Distributions, changelog, keys and signatures can be found at:
https://dist.apache.org/repos/dist/dev/wicket/9.1.0
Staging repository:
https://repository.apache.org/content/repositories/orgapachewicket-1155/
The binaries are available in the above link, as are a staging
repository for Maven. Typically the vote is on the source, but
should
you find a problem with one of the binaries, please let me
know, I
can
re-roll them some way or the other.
Staging git repository data:
Repository: g...@github.com:bitstorm/wicket.git
Branch: build/wicket-9.1.0
Release tag: rel/wicket-9.1.0
========================================================================
The signatures for the source release artefacts:
Signature for apache-wicket-9.1.0.zip:
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE0a6YZHC1pJw+aieyh48B+qjTVuEFAl99/FsACgkQh48B+qjT
VuE0kQ//TmQc53B9FrAgSWV8BKFAtxzjAhQiFilWp1/5vLyLZFUYAraQ6DMoH2GR
s2JMcbZJGmjplwG2Yy6LGXEksFV9wBTnEA4RGREV06K6ihx7Qm2zjgunZZSswZIr
MuLQYMnrXmAM2Qs071b17a5k2Gkw1+CST51KwOUD7u5l7UZOvUcXRL1xTBemOZ9s
RMbcbnjesxct3W2ASkGvULE7oHpBXrrDRHbv4mRFjWsSOjoasXJNtKJoUcoVtBnz
xwMlN/dZTEJLlj7uG2jW5mqFj+vfWP01UE+XR2HlJmW54puErcGE4+/haAJdvlwe
+rP2XNwAAD5rp3jIcpHerBOt7pruWEDhOwaydm0jJvsPh82SibKCmhnlJlxpdJE3
udvMKvU/zcASLHOHZ33wF/JSvO9kCI4LHCEJfYICcNpTktpzNUrhMQkXOVTj3pGS
vcFB6/rFWWHxaxtUZKJTCb2tcCN5LMIr1Thcyb5BUCC2ZN8PqNSjI9L6EtzG7Jyd
PnkJiJayn6VUVr6WTP+UEVlqPvDTqg/yuhquQmYjz1uYPQS8lL5WpHUvQnmtiJ2S
yAeHNJm+pJRxDgs9CIAhAToTM38y09Y/aM2T5R+iOI6u/tLovFWBS8YxUYkUdPHP
/9YOBXan7Q1XqBz8W6nfsvrvtbZYhYfU0FOsxcgHK9pGbkxPWnA=
=0JCC
-----END PGP SIGNATURE-----
Signature for apache-wicket-9.1.0.tar.gz:
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE0a6YZHC1pJw+aieyh48B+qjTVuEFAl99/FsACgkQh48B+qjT
VuE4vQ//ZAhCOuedc/LCKKTQU/uE/nF+i9PcCS/SsFVJbvoCzyVSoSQwQCYbM+E4
kd8YYr8CG1PNpKMyxsNuBEG9ttR8ZCDfEKIVD727y2vLk9L5SefY6/dRanLO/cc0
1rGYwtMfJby//P/pXdjeG6Qta3FHb2AcZtIyzPTFFciIuebccUsM48UDU6HT3weN
aKwgr5uUQVInVRV7pEGC0ziRMRkyYRStBLZNioR2BjCV7IxnWdeWTjapD9kAiY5H
2d1J0ItW/4mtohKWiem4JPX1HTf+U2d02qTq2i5ykDKfytoMUvFlIuP0kl7J5K/t
NdfOzgcmMgZa+wjy0z46TEEdq63JdRu3Cpy3wkkTy9GF2+6UJdXQ1z9dbGbmNkTy
0WZWGf85s8rekJVwt66TUih6Mlcl1Fb57zOYndrkb/AHB1ehF90JIf/DqLdplfbS
fFinL9Q7myeM2GM3uivmR6TF2ZvtCbGfiWQ4DKLTIXJYDsqxTDSDrroxk3j/P64h
1havxw/X45FZsMaoMX7xdVO5drK65LSLpea0OpkHPWr9x0OetI4iQssxpUcoAXj0
OPPZ66Luci/Au9rodmP7bW5X5ttlXxSjkvLRgk2GibD3NpcJHrHLF1UWeDwH5XIJ
Bsuw7X2vIgtzu2GCLHoudgGp9yQYXuxI5adnrC9Lyg+BeEQhc+U=
=rzeT
-----END PGP SIGNATURE-----
========================================================================
CHANGELOG for 9.1.0:
** Bug
* [WICKET-6702] - AsynchronousPageStore with
NotDetachedModelChecker - "Not detached model found" exception on
several fast sequential Ajax calls
* [WICKET-6802] - FilePageStore writing to
UserDefinedFileAttributeView might be null
* [WICKET-6803] - wicket-objectsizeof-agent has no valid
automatic
module name
* [WICKET-6806] - CSP header response decorator breaks
JavaScriptFilteredIntoFooterHeaderResponse
* [WICKET-6808] - Cannot add page to AjaxRequestTarget
* [WICKET-6810] - Asynchronous+encrypted pagestore
leads to
WicketRuntimeException
* [WICKET-6813] - Setting child-src does not update
frame-src
after
initial assignment
* [WICKET-6818] - NPE in WicketEndpoint onClose
* [WICKET-6822] - AsynchronousPageStore Potential
Memory Leak
* [WICKET-6825] - wicket-ioc 9.0.0 throws IAE with JDK14,
still
includes outdated ASM 7.1.0 in cglib-nodep
* [WICKET-6837] - Jupiter engine transitively included
in war
file
** New Feature
* [WICKET-6805] - Add Cross-Origin Opener Policy and
Cross-Origin
Embedder Policy support
** Improvement
* [WICKET-6786] - CsrfPreventionRequestCycleListener
should
support
Fetch Metadata Request Headers
* [WICKET-6807] - Fake Submitting Button
* [WICKET-6821] - Completely disable CSP support
* [WICKET-6824] - Use concatenation instead of
String.format
for
frequently called methods
* [WICKET-6826] - Improve performance and reduce
allocations
for
Behaviors
* [WICKET-6827] - Improve performance of Strings.join and
Strings.replaceAll
* [WICKET-6828] - Wrong tree branch icon with hidden
children
* [WICKET-6829] - Use String.isEmpty() instead of
"".equals(...)
* [WICKET-6830] - Convert Behaviors into a static utility
class
to
reduce allocations
* [WICKET-6831] - Try to flush the response before detach
* [WICKET-6833] - Reduce allocations when merging page
parameters
* [WICKET-6835] - Improve performance of
AbstractMapper.getPlaceholder
* [WICKET-6838] - Improve performance of Strings.split
--
Best regards,
Maxim
--
Andrea Del Bene.
Apache Wicket committer.
--
Andrea Del Bene.
Apache Wicket committer.