Martin,

Just checked: it doesn't work as expected. It seems that this code
doesn't work as it was assumed:

BookmarkableMapper.java

if (application.getSecuritySettings().getEnforceMounts())
{
    // we make an exception if the homepage itself was mounted, see WICKET-1898
    if (!pageClass.equals(application.getHomePage()))
    {
        // WICKET-5094 only enforce mount if page is mounted
        if (isPageMounted(pageClass, application.getRootRequestMapperAsCompound()))    // HERE!!!
        {
            return null;
        }
    }
}

IMHO the condition at the line marked by HERE!!! should be the opposite.
Please check.

In my case getSecuritySettings().setEnforceMounts(true); doesn't have
any effect.

Thanks,

Ilia

2016-05-03 10:59 GMT-07:00 Илья Нарыжный <phan...@ydn.ru>:
> Thank you Martin! I did know that there should be an easier way to do
> that, but was not able to find it :)
>
> Regards,
>
> Ilia
>
> 2016-05-03 0:06 GMT-07:00 Martin Grigorov <mgrigo...@apache.org>:
>> Hi,
>>
>> I always thought
>> that org.apache.wicket.settings.SecuritySettings#getEnforceMounts() is for
>> this. Also its javadoc seems to say that.
>> But there were some changes to its behavior after which I am no longer sure
>> what exactly it does :-/
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>> On Tue, May 3, 2016 at 8:53 AM, Илья Нарыжный <phan...@ydn.ru> wrote:
>>
>>> Yea - that's possible. Even instrumentation is possible, but probably
>>> this problem is somehow solved already in Wicket. I would briefly
>>> summarize the problem like:
>>>
>>> Wicket allows directly addressing bookmarkable pages from 3rd party
>>> libraries without a good way to manage accessibility.
>>> Potentially it means that by having control over some 3rd party lib
>>> it's possible to include a "backdoor page".
>>>
>>> Thanks,
>>>
>>> Ilia
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
>>> For additional commands, e-mail: users-h...@wicket.apache.org
>>>
>>>
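
The branch quoted at the top of this thread, modelled outside Wicket as an added example (not part of the original messages and not Wicket's own code). The page names, the mount set and the `blocked` helper are constructed for illustration; the table it prints compares the condition as posted with the inverted condition proposed in the message.

```java
import java.util.Set;

// Stand-alone model of the enforce-mounts branch quoted in the thread.
// It does not use Wicket; page names, the mount set and blocked() are
// constructed for illustration only.
public class EnforceMountsModel {
    static final String HOME = "app.HomePage";                  // constructed
    static final Set<String> MOUNTED = Set.of("app.AdminPage"); // constructed mount table

    // True when the modelled branch would "return null" for a request that
    // addresses pageClass by class name instead of by a mount path.
    static boolean blocked(String pageClass, boolean enforceMounts, boolean inverted) {
        if (enforceMounts) {
            // the home page is exempt, as in the quoted snippet
            if (!pageClass.equals(HOME)) {
                boolean mounted = MOUNTED.contains(pageClass);
                // as posted: reject when the page is mounted
                // inverted:  reject when the page is NOT mounted
                if (inverted ? !mounted : mounted) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] pages = { HOME, "app.AdminPage", "thirdparty.lib.SomePage" };
        System.out.printf("%-26s %-8s %-10s %-10s%n",
            "page class", "mounted", "as posted", "inverted");
        for (String p : pages) {
            System.out.printf("%-26s %-8b %-10s %-10s%n", p, MOUNTED.contains(p),
                blocked(p, true, false) ? "blocked" : "served",
                blocked(p, true, true) ? "blocked" : "served");
        }
    }
}
```

The row for the unmounted third-party class is the case the thread is about: a page that was never mounted but can still be addressed by class name.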
