Stateless Ajax
Hi,

.. maybe I did not understand the concept of wicket as a whole ..

Is there a way to do ajax stuff on a stateless page in a stateless way, so that no session is involved? I want to cache the stateless page in a reverse proxy, but not the ajax response.

thanks
mm:)
Re: Stateless Ajax
i don't think there is currently a way to have stateless ajax. wicket concentrates on the stateful model. the stateless support is there for the exceptional case...

-igor

On Thu, Jul 31, 2008 at 7:11 AM, Michael Mosmann [EMAIL PROTECTED] wrote:
> Hi,
>
> .. maybe I did not understand the concept of wicket as a whole ..
>
> Is there a way to do ajax stuff on a stateless page in a stateless way, so that no session is involved? I want to cache the stateless page in a reverse proxy, but not the ajax response.
>
> thanks
> mm:)
Re: security article on TSS (partly covering wicket)
Hi,

it's *not* my opinion - I just read the article and thought you might want to know about it. I mean, besides that, it seems that wicket is very secure in comparison to the other frameworks mentioned there - Honestly, I don't know why these harsh reactions (other mails) came.

Best,
Korbinian

Martijn Dashorst wrote:
> How is HiddenField insecure in your opinion?
>
> Martijn
>
> On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> under http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure is an article covering java WebApps security; in part 2 it also looks at web frameworks for java including wicket 1.3.x - it mentions Wicket has only one component (HiddenField) vulnerable to integrity attacks.
>>
>> maybe this gap could be closed? Also the rest seems also quite interesting.
>>
>> Best,
>> Korbinian
Re: security article on TSS (partly covering wicket)
> it's *not* my opinion - I just read the article and thought you might want to know about it. I mean, besides that, it seems that wicket is very secure in comparison to the other frameworks mentioned there - Honestly, I don't know why these harsh reactions (other mails) came.

Thanks for sharing. I didn't get the impression that people were harsh towards you, but if they were, I guess that's the danger of being the messenger ;-)

Eelco
Re: security article on TSS (partly covering wicket)
Hi Eelco,

> towards you, but if they were, I guess that's the danger of being the messenger ;-)

yeah the messenger... damn job :P

I mean, I also don't think the reaction on theserverside was a good choice. Honestly, even the writers didn't know wicket well enough to things like crypted URLs they still picked it as nearly the most secure one... *that* was quite impressive to me! (sounds to me: well, I don't know about its special security features but even the basics seem more secure than the rest)

Best,
Korbinian

Eelco Hillenius wrote:
>> it's *not* my opinion - I just read the article and thought you might want to know about it. I mean, besides that, it seems that wicket is very secure in comparison to the other frameworks mentioned there - Honestly, I don't know why these harsh reactions (other mails) came.
>
> Thanks for sharing. I didn't get the impression that people were harsh towards you, but if they were, I guess that's the danger of being the messenger ;-)
>
> Eelco
Re: security article on TSS (partly covering wicket)
I could be wrong, but it looked to me as if they were saying that if you used hidden fields, then there was a potential insecurity as they could be changed by the user.

I guess you trap that by automatically generating an additional hidden field containing a hash of the other hidden fields along with a randomly initialised salt value, then check them when they get received...

/Gwyn

On Thu, Jul 31, 2008 at 7:09 PM, Korbinian Bachl - privat [EMAIL PROTECTED] wrote:
> Hi,
>
> it's *not* my opinion - I just read the article and thought you might want to know about it. I mean, besides that, it seems that wicket is very secure in comparison to the other frameworks mentioned there - Honestly, I don't know why these harsh reactions (other mails) came.
>
> Best,
> Korbinian
>
> Martijn Dashorst wrote:
>> How is HiddenField insecure in your opinion?
>>
>> Martijn
>>
>> On Wed, Jul 30, 2008 at 10:59 PM, Korbinian Bachl - privat [EMAIL PROTECTED] wrote:
>>> Hi,
>>>
>>> under http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure is an article covering java WebApps security; in part 2 it also looks at web frameworks for java including wicket 1.3.x - it mentions Wicket has only one component (HiddenField) vulnerable to integrity attacks.
>>>
>>> maybe this gap could be closed? Also the rest seems also quite interesting.
>>>
>>> Best,
>>> Korbinian
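
Added example (not part of the original thread and not Wicket's own code): one way to implement the hidden-field integrity check suggested in the message above. It uses HMAC-SHA256 under a server-held key in place of a plain salted hash, because a salt that travels with the form would let the client recompute the hash. The class HiddenFieldSeal, its methods, the nonce and the sample field names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HiddenFieldSeal { // hypothetical helper, not a Wicket class
    private final SecretKeySpec key; // server-side secret, never sent to the browser
    public HiddenFieldSeal(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    // Tag over a per-form random nonce plus the hidden fields in sorted order.
    public String seal(String nonce, Map<String, String> hidden) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        feed(mac, nonce);
        for (Map.Entry<String, String> e : new TreeMap<>(hidden).entrySet()) {
            feed(mac, e.getKey());
            feed(mac, e.getValue());
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    // Length-prefix every item so ("ab","c") and ("a","bc") give different tags.
    private static void feed(Mac mac, String s) {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        mac.update(ByteBuffer.allocate(4).putInt(b.length).array());
        mac.update(b);
    }

    // Recompute the tag from what the browser sent back; compare in constant time.
    public boolean verify(String nonce, Map<String, String> submitted, String tag) throws GeneralSecurityException {
        byte[] expected = seal(nonce, submitted).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, tag.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        HiddenFieldSeal sealer = new HiddenFieldSeal(secret);
        // Constructed sample form; a real nonce would be random per rendered form.
        Map<String, String> fields = new TreeMap<>(Map.of("orderId", "1042", "price", "19.99"));
        String tag = sealer.seal("nonce-1", fields);
        System.out.println("untouched: " + sealer.verify("nonce-1", fields, tag));
        fields.put("price", "0.01"); // value edited in the browser
        System.out.println("tampered:  " + sealer.verify("nonce-1", fields, tag));
    }
}
```

The tag only proves that the fields match what the server rendered for that nonce; a client can still resubmit an old, untouched form unless the server also tracks which nonces it has accepted.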
wicketstuff-push update
Hey guys,

I was talking in irc about updating wicketstuff-push to support the more recent versions of the bayeux protocol and cometd servlets.

So I ended up with access to the wicketstuff svn and have just uploaded a new preliminary version of wicketstuff-push. There are still some issues and a lot of ironing out, but the project now works with the latest stable versions of jetty, wicket, cometd.

There is a new feature available where you can listen for a client's disconnect from a web page (actually cometd session)..

The new version is 1.3.4-SNAPSHOT if anyone is interested in checking it out, or helping me continue the cleanup...

Thanks,
Rodolfo Hansen.
Questions about the guts of Wicket
Hello Wicket Developers,

Thanks for a great framework. I am studying the source code for Wicket and have some questions about some parts of the code that are not obvious to me. I have spent many hours stepping through the code and have not found a good answer/reason.

1) In the WicketFilter init() and doGet() methods wicket is getting the current class loader twice and checking if the previousClassLoader is the same as the current class loader. Why is this code needed and what does it really do? Are you fixing some bug in some app server with this code?

    final ClassLoader previousClassLoader = Thread.currentThread().getContextClassLoader();
    final ClassLoader newClassLoader = getClassLoader();
    try {
        if (previousClassLoader != newClassLoader) {
            Thread.currentThread().setContextClassLoader(newClassLoader);
        }

    protected ClassLoader getClassLoader() {
        return Thread.currentThread().getContextClassLoader();
    }

Thanks
Adib
RequestParameters vs. PageParameters
Hi,

What is the key distinction between RequestParameters and PageParameters? Why are two classes needed?

Thanks
Adib
IRequestTarget Stack
Hi, The IRequestTarget javadoc seems to indicate that there is only one IRequestTarget per RequestCycle, yet the RequestCycle has a stack of IRequestTargets? Why is that? Thanks Adib