Hi,

I also think the current behavior is not correct. See my question at http://markmail.org/message/xmo74m3tbc5v4nwp.
I read the name of the method "enforceMounts" as "do not allow urls to pages which are not explicitly mounted". I believe this is also the reason this method is in SecuritySettings, and not in PageSettings. And its javadoc also says the same.
That's why I've re-introduced this behavior with https://issues.apache.org/jira/browse/WICKET-3849.

According to Sven the behavior in Wicket 1.4.x was different and he changed it with https://issues.apache.org/jira/browse/WICKET-5094.
IMO Wicket 1.4.x must have had a bug but there is no one to confirm :-/

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, May 4, 2016 at 7:57 AM, Илья Нарыжный <phan...@ydn.ru> wrote:

> Martin,
>
> Checked this issue: https://issues.apache.org/jira/browse/WICKET-5094
> Absolutely disagree with the discussed behavior. It's meaningless to
> prevent accessing /wicket/bookmarkable/<CLASS> only if there is a mount
> point for that page.
> Please help to find consensus. In my case it's a real security hole.
>
> Thanks,
>
> Ilia
>
> 2016-05-03 22:50 GMT-07:00 Илья Нарыжный <phan...@ydn.ru>:
> > Martin,
> >
> > Just checked: it doesn't work as expected. It seems that this code
> > doesn't work as it was assumed:
> >
> > BookmarkableMapper.java
> >
> > if (application.getSecuritySettings().getEnforceMounts())
> > {
> >     // we make an exception if the homepage itself was mounted, see WICKET-1898
> >     if (!pageClass.equals(application.getHomePage()))
> >     {
> >         // WICKET-5094 only enforce mount if page is mounted
> >         if (isPageMounted(pageClass, application.getRootRequestMapperAsCompound())) // HERE!!!
> >         {
> >             return null;
> >         }
> >     }
> > }
> >
> > IMHO the condition at the line marked HERE!!! should be the opposite.
> > Please check.
> >
> > In my case getSecuritySettings().setEnforceMounts(true); doesn't have
> > any effect.
> >
> > Thanks,
> >
> > Ilia
> >
> > 2016-05-03 10:59 GMT-07:00 Илья Нарыжный <phan...@ydn.ru>:
> >> Thank you Martin! I did know that there should be an easier way to do
> >> that, but was not able to find it:)
> >>
> >> Regards,
> >>
> >> Ilia
> >>
> >> 2016-05-03 0:06 GMT-07:00 Martin Grigorov <mgrigo...@apache.org>:
> >>> Hi,
> >>>
> >>> I always thought
> >>> that org.apache.wicket.settings.SecuritySettings#getEnforceMounts() is for
> >>> this. Also its javadoc seems to say that.
> >>> But there were some changes to its behavior after which I am no longer sure
> >>> what exactly it does :-/
> >>>
> >>> Martin Grigorov
> >>> Wicket Training and Consulting
> >>> https://twitter.com/mtgrigorov
> >>>
> >>> On Tue, May 3, 2016 at 8:53 AM, Илья Нарыжный <phan...@ydn.ru> wrote:
> >>>
> >>>> Yea - that's possible. Even instrumentation is possible, but probably
> >>>> this problem is somehow solved already in wicket. I would briefly
> >>>> summarize the problem like:
> >>>>
> >>>> Wicket allows directly addressing bookmarkable pages from 3rd party
> >>>> libraries without a good way to manage accessibility.
> >>>> Potentially it means that, having control over some 3rd party lib,
> >>>> it's possible to include a "backdoor page".
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Ilia
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >>>> For additional commands, e-mail: users-h...@wicket.apache.org
> >>>>
> >>>>
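Added here to make the disagreement in the thread concrete (example code, not Wicket's own code and not posted by anyone above): a stand-alone Java model of the two readings of `enforceMounts`. The condition quoted from BookmarkableMapper after WICKET-5094 sits next to its inversion, and both are run against the same three requests. Page classes are plain strings, the home page, the mount table and the third-party page name are all assumed, and nothing here touches the real `SecuritySettings` or `BookmarkableMapper` API.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added model of the two readings of SecuritySettings.enforceMounts argued
 * about in the thread. This is NOT Wicket code: page classes are plain
 * Strings and the set of mounted pages is a constant, so it runs with no
 * Wicket jar on the classpath (Java 9+ for Set.of).
 */
public class EnforceMountsModel {

    // Assumed application layout: a home page plus one mounted page. Any
    // other class name stands for a bookmarkable page that was never mounted,
    // e.g. one that arrived in a third-party jar.
    static final String HOME_PAGE = "com.example.HomePage";
    static final Set<String> MOUNTED = Set.of(HOME_PAGE, "com.example.AdminPage");

    static boolean isPageMounted(String pageClass) {
        return MOUNTED.contains(pageClass);
    }

    /**
     * Mirrors the condition quoted from BookmarkableMapper (post WICKET-5094):
     * with enforceMounts on, /wicket/bookmarkable/<CLASS> is refused only
     * when the page IS mounted somewhere else. Returns false where the real
     * mapper would return null.
     */
    static boolean mapsBookmarkableUrlAfter5094(boolean enforceMounts, String pageClass) {
        if (enforceMounts && !pageClass.equals(HOME_PAGE) && isPageMounted(pageClass)) {
            return false;
        }
        return true;
    }

    /**
     * The inverted condition Ilia asks for and Martin reads the javadoc as:
     * with enforceMounts on, /wicket/bookmarkable/<CLASS> is refused when the
     * page is NOT mounted (home page excepted).
     */
    static boolean mapsBookmarkableUrlIfMountedOnly(boolean enforceMounts, String pageClass) {
        if (enforceMounts && !pageClass.equals(HOME_PAGE) && !isPageMounted(pageClass)) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed requests: the home page, a mounted page, and an
        // unmounted page from a library jar (the "backdoor page" case).
        Map<String, String> requests = new LinkedHashMap<>();
        requests.put("home page", HOME_PAGE);
        requests.put("mounted page", "com.example.AdminPage");
        requests.put("unmounted 3rd-party page", "org.thirdparty.BackdoorPage");

        System.out.printf("%-26s %-18s %-18s%n",
            "enforceMounts=true", "after WICKET-5094", "unmounted blocked");
        for (Map.Entry<String, String> r : requests.entrySet()) {
            boolean a = mapsBookmarkableUrlAfter5094(true, r.getValue());
            boolean b = mapsBookmarkableUrlIfMountedOnly(true, r.getValue());
            System.out.printf("%-26s %-18s %-18s%n", r.getKey(),
                a ? "served" : "refused (null)", b ? "served" : "refused (null)");
        }
    }
}
```

Run with `javac EnforceMountsModel.java && java EnforceMountsModel`. The third row is the one the thread is about: under the post-WICKET-5094 condition the unmounted third-party page is still served at /wicket/bookmarkable/<CLASS> with `enforceMounts` switched on, which is why `setEnforceMounts(true)` had no visible effect in Ilia's case, while the inverted condition refuses it and only lets the home page and explicitly mounted pages through.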