Re: Problem with using wicket as a filter

2008-10-27 Thread Roberto Fasciolo

Hi again,

in addition to what I've already said I want to point out what I've found
out by profiling two really simple applications serving just a page without
any dynamic content, one using a wicket page and one using a JSP.

The test was about having a small http client invoking that page with 10
concurrent threads for 1 minute.

When using the jsp version the server uses about 1 second of CPU time, all
about serving the content, while with wicket the CPU time is about 90
seconds (more than 1 minute because it's multithreaded). 1% of those 90
seconds is spent in actually serving the content, the other 99% is used in
figuring out the mapping (as described in the previous post).

-Roberto
-- 
View this message in context: 
http://www.nabble.com/Problem-with-using-wicket-as-a-filter-tp20171597p20183293.html
Sent from the Wicket - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Problem with using wicket as a filter

2008-10-27 Thread Roberto Fasciolo

Well, I think I could but that's a tomcat internal class, so I should
recompile the entire tomcat source tree and then run those tests against
that.

I'd rather try configuring wicket as a servlet and see if the problem is
still there, but I'd like to know what are the drawbacks of doing it in that
way. Of course I can also try the terrible kludge of just mapping an empty
servlet to the address of the wicket page and see if the situation would
improve, but I wouldn't really like to bring that horrible kludge to any
production system.

If you think it would help I can provide you both the test wars I've used.

Thanks,
-Roberto


Serkan Camurcuoglu wrote:
 
 can you put a breakpoint in ProxyDirContext and check what name is being
 looked up?
 




Re: Problem with using wicket as a filter

2008-10-27 Thread Roberto Fasciolo

As expected, the name that is looked up is the part of the page URL that is
after the context root (for example for a page located at
http://localhost:8080/wickettest/page/Page1k it's /page/Page1k).


Serkan Camurcuoglu wrote:
 
 can you put a breakpoint in ProxyDirContext and check what name is being
 looked up?
 




Re: Strange thing in Application constructor

2008-03-12 Thread Roberto Fasciolo

I'm talking about acceptance tests executed using selenium against the real
application (we don't use WicketTester at all).

What kind of patch do you have?

-Roberto


Mr Mean wrote:
 
 Are you talking about test behavior or real life app behavior?
 
 Maurice
 




Re: Strange thing in Application constructor

2008-03-11 Thread Roberto Fasciolo

I finally found some time for getting back to this...

The tests are modeled on real user behaviours, so they are not invalidating
the session because the user has never logged in (we have failing test
scenarios for login, registration, forget password and so on).

I've tried setting statelessHint to true in my login page's constructor (and
in the same constructor printing out the result of isStateless(), seeing
that it returns true), but still I can see my app's session object created
and stored in HttpSession (I've tried also with a completely empty login
page, same result). Am I doing something wrong now?

-Roberto


igor.vaynberg wrote:
 
 no, its not like that. yes, wicket will create a new session object,
 but if the page is stateless that session object is never actually
 saved into httpsession...
 
 you have 20 session active after your tests...do your test cases
 always cleanup/invalidate the session? if not then servlet container
 will keep the session around until it times out...
 
 -igor
 
 On Mon, Mar 3, 2008 at 9:29 AM, Roberto Fasciolo
 [EMAIL PROTECTED] wrote:

  I think Session has also the responsibility of verifying if a component can
  be instantiated.

  But anyway, I'm asking all these questions because I'm hunting a memory leak
  in my application and I've found that after running a 120+ tests selenium
  test suite I've 20+ sessions still in memory retained by Jetty (e.g. active
  sessions in the web container) and I'm wondering if that's a problem or not.
  I've understood now that I have no way to control that, every time a user
  opens a page in a wicket app a new Session is created just for checking if
  that user can instantiate components, regardless of whether the page is
  stateless or stateful and also if the user has never signed in the site. Is
  it like that?

  -Roberto



  igor.vaynberg wrote:
  
   session represents a user's session, while application represents the
   application that users access.
  
   -igor
  




Strange thing in Application constructor

2008-03-02 Thread Roberto Fasciolo

Hi,

while trying profiling and debugging our application (which seems to have
some memory leak problems) I've found a strange thing in the constructor of
org.apache.wicket.Application.

When the object is constructed a new component instantiation listener is
created with this code:

    // Install default component instantiation listener that uses
    // authorization strategy to check component instantiations.
    addComponentInstantiationListener(new IComponentInstantiationListener()
    {
        /**
         * @see org.apache.wicket.application.IComponentInstantiationListener#onInstantiation(org.apache.wicket.Component)
         */
        public void onInstantiation(final Component component)
        {
            // If component instantiation is not authorized
            if (!Session.get().getAuthorizationStrategy().isInstantiationAuthorized(
                component.getClass()))
            {
                // then call any unauthorized component instantiation
                // listener
                getSecuritySettings().getUnauthorizedComponentInstantiationListener()
                    .onUnauthorizedInstantiation(component);
            }
        }
    });


But while having a look at the Session object I've found out that
getAuthorizationStrategy() is calling back Application:

    /**
     * @return The authorization strategy for this session
     */
    public IAuthorizationStrategy getAuthorizationStrategy()
    {
        return getApplication().getSecuritySettings().getAuthorizationStrategy();
    }


I wonder why it has been implemented in that way. Could this statement:

    if (!Session.get().getAuthorizationStrategy().isInstantiationAuthorized(component.getClass()))

be rewritten as:

    if (!getSecuritySettings().getAuthorizationStrategy().isInstantiationAuthorized(component.getClass()))

??

-Roberto






Re: Strange thing in Application constructor

2008-03-02 Thread Roberto Fasciolo

So, what are the responsibilities of the class org.apache.wicket.Session and
what's the contract between Session and org.apache.wicket.Application?

I'm asking because to me both of them are a bit unclear (and the javadocs can't
help me in understanding them at all).

-Roberto


igor.vaynberg wrote:
 
 it is that way so you can have a different auth strategy per session
 by overriding session.getauthstrat()
 
 -igor
 
 



Re: Wicket creating a session for authorization even if no user signed in

2008-02-27 Thread Roberto Fasciolo

Our application is totally hidden behind authentication, so in our case the
session (I'm talking about an object extending AuthenticatedWebSession) is
created without any page navigation, just by opening the sign in page.

Anyway, how can you deal with DoS attacks? I mean, it'll be really easy to
write a small script continuously opening pages on a wicket site (or
creating new sessions) until the site would die by OutOfMemoryError.

But back on track, I don't see anything bad in, instead of creating a new
session just for calling getRoles() and getting null, returning directly
null (= user not in any role) if the user never signed in before.


igor.vaynberg wrote:
 
 wicket uses session to store pages, so creating a session is
 orthogonal to authorizing/authenticating a user
 
 -igor
 
 On Wed, Feb 27, 2008 at 9:04 AM, Roberto Fasciolo
 [EMAIL PROTECTED] wrote:

  Hi,

  I noticed some strange behavior on my webapplication that has authorization
  in place (by using Roles).

  It seems that Wicket creates a session for checking the role of the user
  even if the user has not logged in. I'd guess the preferred behavior would be
  that wicket would in this occasion first check if there is a session and if
  not, then just let the authorization fail instead of creating session and
  then checking if role is there.

  I did simple trace to find what is calling MySession constructor:

  public MySession(final AuthenticatedWebApplication application,
          final Request request) {
      super(application, request);
      this.logger.error("Created session", new Throwable());
  }

  18:56:16,634 (btpool0-5) ERROR [MySession] - Created session
  java.lang.Throwable
      at MySession.<init>(MySession.java:39)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
      at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
      at org.apache.wicket.authentication.AuthenticatedWebApplication.newSession(AuthenticatedWebApplication.java:114)
      at org.apache.wicket.Session.findOrCreate(Session.java:225)
      at org.apache.wicket.Session.findOrCreate(Session.java:208)



Re: Wicket creating a session for authorization even if no user signed in

2008-02-27 Thread Roberto Fasciolo

Based on this page in wiki:
http://cwiki.apache.org/WICKET/stateless-pages.html a page is stateless if
all the components in it are stateless.
My sign in page contains a SignInPanel (from wicket-auth-roles) and 2 links.
I can change the links to StatelessLink, but how can I make SignInPanel
(that contains a Form, not a StatelessForm) stateless? Is writing my own
version of it the only solution?

-Roberto


igor.vaynberg wrote:
 
 is your sign in page stateless? if its not it will need to be stored in
 session.
 
 re ddos attacks, its really the job of the application server to
 prevent an exorbitant amount of sessions opened from what looks like
 the same ip or however it decides to do that. ie there are plenty of
 jsp/struts applications that create a session on the first hit.
 
 what wicket does is provide a page eviction strategy so once created
 an attacker cannot grow the session infinitely
 
 -igor
 
 
-- 
View this message in context: 
http://www.nabble.com/Wicket-creating-a-session-for-authorization-even-if-no-user-signed-in-tp15717761p15730372.html
Sent from the Wicket - User mailing list archive at Nabble.com
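
Added example, not part of the original thread and not Wicket or container code: one way to apply the per-address cap on new sessions that igor.vaynberg's reply above assigns to the application server, written as a servlet filter placed ahead of Wicket. The class name, the limits and the use of the remote address as the client key are assumptions.

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter, not Wicket code: caps how many new HttpSessions one
 * client address may open per time window. Map it in web.xml ahead of the
 * Wicket filter. Class name and limits are assumptions.
 */
public class SessionCreationLimitFilter implements Filter {
    private static final int MAX_NEW_SESSIONS = 20;      // per address and window
    private static final long WINDOW_MILLIS = 60_000L;
    private static final int MAX_TRACKED_CLIENTS = 10_000;

    // Client address -> creation times of its recent sessions (guarded by "this").
    private final Map<String, Deque<Long>> created = new HashMap<>();

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Behind a reverse proxy this is the proxy's address, not the client's.
        String client = request.getRemoteAddr();
        boolean hadSession = request.getSession(false) != null;

        // A request without a valid session may get one on its first page hit,
        // so refuse it once the address has used up its budget.
        if (!hadSession && overBudget(client, System.currentTimeMillis())) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Too many new sessions");
            return;
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Count only sessions this request really created. Parallel first
            // requests can pass the check together, so the cap is approximate.
            if (!hadSession && request.getSession(false) != null) {
                record(client, System.currentTimeMillis());
            }
        }
    }

    private synchronized boolean overBudget(String client, long now) {
        Deque<Long> times = created.get(client);
        if (times == null) return false;
        prune(times, now);
        return times.size() >= MAX_NEW_SESSIONS;
    }

    private synchronized void record(String client, long now) {
        if (created.size() >= MAX_TRACKED_CLIENTS) {
            // Drop addresses with no recent sessions so the table does not
            // keep every client forever.
            created.values().removeIf(d -> { prune(d, now); return d.isEmpty(); });
        }
        created.computeIfAbsent(client, k -> new ArrayDeque<>()).addLast(now);
    }

    private static void prune(Deque<Long> times, long now) {
        while (!times.isEmpty() && now - times.peekFirst() > WINDOW_MILLIS) {
            times.removeFirst();
        }
    }
}
```

The filter only limits how fast one address can open sessions; memory held per session is still governed by the session timeout and by the page eviction strategy mentioned in the reply.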

Testing ModalWindows with Selenium

2008-01-29 Thread Roberto Fasciolo

Hi all,

I'm trying to test an application using modal windows with selenium but it
seems I can't find a good way.
Has someone ever done something like that?

Basically, my problem is that I can access the ModalWindow using:
selenium.selectWindow("modal-dialog-pagemap");

but I can't verify if the window has been fully loaded or not, I've tried
with:
selenium.waitForPopUp("modal-dialog-pagemap", "3");

but it fails all the time with exception message "Window not found".

Thanks in advance,
-Roberto



Changing content of a page from a modal window

2008-01-12 Thread Roberto Fasciolo

Hello,

I'm trying to find a way for doing this:
- in page A there's a table with many elements, all having a link
- that link opens a modal window with details of the selected element
- in the modal window there's a link that should close the window itself and
make the browser showing page B.

The only thing I've achieved is to have page B shown in the modal window and
not in browser main page. Is there a way for doing what I need?

Thanks in advance,
Roberto



Re: Changing content of a page from a modal window

2008-01-12 Thread Roberto Fasciolo

I've tried that and it works, the problem is that the modal window can be
closed in 2 different ways:
1. clicking on the window's close button, in this case nothing should happen
2. clicking on a link inside the window, in this case the page should change

I haven't found a way for knowing if the callback is called when the window
has been closed with the close button or with the custom link.

Any ideas?

-Roberto


Matej Knopp-2 wrote:
 
 You need to call setResponsePage from within WindowClosedCallback.
 (see ModalWindow#setWindowClosedCallback());
 
 -Matej
 