For now I just removed BookmarkableMapper. Everything works. But it seems to me that some cases might go wrong... And as a side effect: hrefs are just empty for pages without mounts. Probably I would expect some other behavior if a URL can't be resolved for a page.

Thanks,
Ilia

On May 4, 2016 6:54 AM, "Martin Grigorov" <mgrigo...@apache.org> wrote:

> On Wed, May 4, 2016 at 3:27 PM, Sven Meier <s...@meiers.net> wrote:
>
> > Hi,
> >
> > well, it seems I wasn't completely out of my mind when I pushed for
> > WICKET-5094:
> > - I've checked 1.4 and the logic of #enforceMounts was exactly like it is now
> > - the javadoc for #setEnforceMounts() matches the current behavior:
> >
> > "Sets whether mounts should be enforced. If true, requests for mounted
> > targets have to done through the mounted paths. If, for instance, a
> > bookmarkable page is mounted to a path, a request to that same page via the
> > bookmarkablePage parameter will be denied."
> >
> > For those trying to prevent any requests to non-mounted pages: Couldn't
> > you just remove the BookmarkableMapper?
> >
> >     ICompoundRequestMapper mappers = getRootRequestMapperAsCompound();
> >     mappers.forEach((mapper) -> { if (mapper instanceof BookmarkableMapper) mappers.remove(mapper); });
> >
> > Personally I wouldn't mind to change/remove/rename this setting for Wicket
> > 8.x, so it is more useful.
> >
>
> +1 to change the behavior to what it was after WICKET-3849 and before WICKET-5094
>
> >
> > Have fun
> > Sven
> >
> > On 04.05.2016 08:23, Martin Grigorov wrote:
> >
> >> Hi,
> >>
> >> I also think the current behavior is not correct. See my question at
> >> http://markmail.org/message/xmo74m3tbc5v4nwp.
> >> I read the name of the method "enforceMounts" as "do not allow urls to page
> >> which are not explicitly mounted". I believe also this is the reason this
> >> method is in SecuritySettings, and not in PageSettings.
> >> And its javadoc also says the same. That's why I've re-introduced this
> >> behavior with https://issues.apache.org/jira/browse/WICKET-3849.
> >>
> >> According to Sven the behavior in Wicket 1.4.x was different and he changed
> >> it with https://issues.apache.org/jira/browse/WICKET-5094.
> >> IMO Wicket 1.4.x must have had a bug but there is no one to confirm :-/
> >>
> >> Martin Grigorov
> >> Wicket Training and Consulting
> >> https://twitter.com/mtgrigorov
> >>
> >> On Wed, May 4, 2016 at 7:57 AM, Илья Нарыжный <phan...@ydn.ru> wrote:
> >>
> >>> Martin,
> >>>
> >>> Checked this issue: https://issues.apache.org/jira/browse/WICKET-5094
> >>> Absolutely disagree with discussed behavior. It's meaningless to
> >>> prevent accessing /wicket/bookmarkable/<CLASS> only if there is a mount
> >>> point for that page.
> >>> Please help to find consensus. In my case it's a real security hole.
> >>>
> >>> Thanks,
> >>>
> >>> Ilia
> >>>
> >>> 2016-05-03 22:50 GMT-07:00 Илья Нарыжный <phan...@ydn.ru>:
> >>>
> >>>> Martin,
> >>>>
> >>>> Just checked: it doesn't work as expected. It seems that this code
> >>>> doesn't work as it was assumed:
> >>>>
> >>>> BookmarkableMapper.java
> >>>>
> >>>>     if (application.getSecuritySettings().getEnforceMounts())
> >>>>     {
> >>>>         // we make an exception if the homepage itself was mounted, see WICKET-1898
> >>>>         if (!pageClass.equals(application.getHomePage()))
> >>>>         {
> >>>>             // WICKET-5094 only enforce mount if page is mounted
> >>>>             if (isPageMounted(pageClass, application.getRootRequestMapperAsCompound())) // HERE!!!
> >>>>             {
> >>>>                 return null;
> >>>>             }
> >>>>         }
> >>>>     }
> >>>>
> >>>> Imho the condition at the line marked by HERE!!! should be the opposite.
> >>>> Please check.
> >>>>
> >>>> In my case getSecuritySettings().setEnforceMounts(true); doesn't have
> >>>> any effect.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Ilia
> >>>>
> >>>> 2016-05-03 10:59 GMT-07:00 Илья Нарыжный <phan...@ydn.ru>:
> >>>>
> >>>>> Thank you Martin! I did know that there should be an easier way to do
> >>>>> that, but could not find it :)
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Ilia
> >>>>>
> >>>>> 2016-05-03 0:06 GMT-07:00 Martin Grigorov <mgrigo...@apache.org>:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I always thought
> >>>>>> that org.apache.wicket.settings.SecuritySettings#getEnforceMounts() is for
> >>>>>> this. Also its javadoc seems to say that.
> >>>>>> But there were some changes to its behavior after which I am no more sure
> >>>>>> what exactly it does :-/
> >>>>>>
> >>>>>> Martin Grigorov
> >>>>>> Wicket Training and Consulting
> >>>>>> https://twitter.com/mtgrigorov
> >>>>>>
> >>>>>> On Tue, May 3, 2016 at 8:53 AM, Илья Нарыжный <phan...@ydn.ru> wrote:
> >>>>>>
> >>>>>>> Yea - that's possible. Even instrumentation is possible, but probably
> >>>>>>> this problem is somehow solved already in wicket. I would briefly
> >>>>>>> summarize the problem like:
> >>>>>>>
> >>>>>>> Wicket allows to directly address bookmarkable pages from 3rd party
> >>>>>>> libraries without a good way to manage accessibility.
> >>>>>>> Potentially it means that with having control over some 3rd party lib
> >>>>>>> it's possible to include a "backdoor page".
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Ilia
> >>>>>>>
> >>>>>>> ---------------------------------------------------------------------
> >>>>>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >>>>>>> For additional commands, e-mail: users-h...@wicket.apache.org
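The workaround the thread converges on (Sven's suggestion, which Ilia then applied) is to take the BookmarkableMapper out of the compound root mapper so that `/wicket/bookmarkable/<CLASS>` stops resolving and only explicitly mounted pages remain reachable by URL. The following is an added example, not code from the thread or from Wicket itself. It assumes the Wicket 6/7 package names for `BookmarkableMapper` and `ICompoundRequestMapper`; `HomePage` and `AdminPage` are hypothetical page classes, and the startup check that fails when no mapper was removed is this example's own addition.

```java
// Added example, not code from the thread or from Wicket itself.
// Assumes Wicket 6/7 package names; HomePage and AdminPage are hypothetical pages.
import java.util.ArrayList;
import java.util.List;

import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.BookmarkableMapper;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.mapper.ICompoundRequestMapper;

public class MountsOnlyApplication extends WebApplication
{
    @Override
    public Class<? extends Page> getHomePage()
    {
        return HomePage.class; // hypothetical page class
    }

    @Override
    protected void init()
    {
        super.init(); // installs the default mappers, BookmarkableMapper included

        // Explicit mounts become the only URL form under which these pages resolve.
        mountPage("/home", HomePage.class);
        mountPage("/admin", AdminPage.class); // hypothetical page class

        int removed = removeBookmarkableMappers(getRootRequestMapperAsCompound());
        if (removed == 0)
        {
            // Startup check (this example's addition): if nothing was removed, the
            // root mapper was replaced or wrapped before this ran and the
            // /wicket/bookmarkable/ path is still being served. Fail loudly.
            throw new IllegalStateException("No BookmarkableMapper found in root mapper");
        }
    }

    /**
     * Removes every BookmarkableMapper from the compound root mapper and returns
     * how many were removed. Mappers are collected first and removed afterwards,
     * so the code does not rely on the compound mapper's iterator tolerating
     * removal while it is being iterated.
     */
    static int removeBookmarkableMappers(ICompoundRequestMapper mappers)
    {
        List<IRequestMapper> toRemove = new ArrayList<>();
        for (IRequestMapper mapper : mappers)
        {
            if (mapper instanceof BookmarkableMapper)
            {
                toRemove.add(mapper);
            }
        }
        for (IRequestMapper mapper : toRemove)
        {
            mappers.remove(mapper);
        }
        return toRemove.size();
    }
}
```

With the mapper gone, a link to a page class that has no mount has no mapper left to produce a URL for it, which is the empty href Ilia reports at the top of the thread. In practice that makes an empty href a useful signal during testing: it points at a page that is missing from the mount list rather than at a page that is silently reachable through the bookmarkable path.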