[jira] Resolved: (WICKET-1898) WebRequestCycleProcessor.resolveHomePageTarget for empty path with enforceMounts=true provokes 403 - "Direct access not allowed for mounted targets"

Thu, 06 Nov 2008 00:10:37 -0800 

     [ 
https://issues.apache.org/jira/browse/WICKET-1898?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Igor Vaynberg resolved WICKET-1898.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 1.4-RC2
         Assignee: Igor Vaynberg

i added a check that excludes a bookmarkablepagerequesttarget if it points to 
the same page class as the homepage.

> WebRequestCycleProcessor.resolveHomePageTarget for empty path with 
> enforceMounts=true provokes 403 - "Direct access not allowed for mounted 
> targets"
> ----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-1898
>                 URL: https://issues.apache.org/jira/browse/WICKET-1898
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4-M3
>         Environment: Wicket 1.4-m3
>            Reporter: Oliver Matz
>            Assignee: Igor Vaynberg
>             Fix For: 1.4-RC2
>
>
> Scenario: WebApplication.getHomePage() returns a page that is also mounted to 
> a non-empty path by WebApplication.mountBookmarkablePage(). Besides, we have 
> getSecuritySettings().setEnforceMounts(true).  Upon a request for the 
> servlet's root URL (i.e., with requestParameters.getPath()==""), the method
> WebRequestCycleProcessor.resolve will throw a 
> AbortWithWebErrorCodeException(403) with error message "Direct access not 
> allowed for mounted targets".
> This is because WebRequestCycleProcessor.resolveHomePageTarget correctly 
> returns a non-null target, so that the else-branch starting in line 190 of 
> file WebRequestCycleProcessor.java is reached.  
> The comment says "a target was found, but not by looking up a mount", which 
> is misleading, because the szenario should desirably work even though 
> property enforceMounts has been set to true.
> The only (terrible) workaound I have found is to override 
> WebRequestCycleProcessor.resolveHomePageTarget() to return null and establish 
> a home-page-like thing by overriding 
> WebRequestCodingStrategy.urlCodingStrategyForPath() for the empty path.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to