For now I just removed BookmarkableMapper. Everything works. But it seems
to me that some cases might go wrong... And as a side effect: hrefs are just
empty for pages without mounts. Probably I would expect some other behavior
if a URL can't be resolved for a page.

Thanks,

Ilia
On May 4, 2016 6:54 AM, "Martin Grigorov" <mgrigo...@apache.org> wrote:

> On Wed, May 4, 2016 at 3:27 PM, Sven Meier <s...@meiers.net> wrote:
>
> > Hi,
> >
> > well, it seems I wasn't completely out of my mind when I pushed for
> > WICKET-5094:
> > - I've checked 1.4 and the logic of #enforceMounts was exactly like it is
> > now
> > - the javadoc for #setEnforceMounts() matches the current behavior:
> >
> > "Sets whether mounts should be enforced. If true, requests for mounted
> > targets have to be done through the mounted paths. If, for instance, a
> > bookmarkable page is mounted to a path, a request to that same page via the
> > bookmarkablePage parameter will be denied."
> >
> > For those trying to prevent any requests to non-mounted pages: Couldn't
> > you just remove the BookmarkableMapper?
> >
> >         // drop every BookmarkableMapper from the root compound mapper
> >         ICompoundRequestMapper mappers = getRootRequestMapperAsCompound();
> >         mappers.forEach((mapper) -> {
> >             if (mapper instanceof BookmarkableMapper) mappers.remove(mapper);
> >         });
> >
> > Personally I wouldn't mind changing/removing/renaming this setting for
> > Wicket 8.x, so it is more useful.
> >
>
> +1 to change the behavior to what it was after WICKET-3849 and before
> WICKET-5094
>
>
> >
> > Have fun
> > Sven
> >
> >
> >
> > On 04.05.2016 08:23, Martin Grigorov wrote:
> >
> >> Hi,
> >>
> >> I also think the current behavior is not correct. See my question at
> >> http://markmail.org/message/xmo74m3tbc5v4nwp.
> >> I read the name of the method "enforceMounts" as "do not allow URLs to
> >> pages which are not explicitly mounted". I believe also this is the reason
> >> this method is in SecuritySettings, and not in PageSettings.
> >> And its javadoc also says the same. That's why I've re-introduced this
> >> behavior with https://issues.apache.org/jira/browse/WICKET-3849.
> >>
> >> According to Sven the behavior in Wicket 1.4.x was different and he
> >> changed it with https://issues.apache.org/jira/browse/WICKET-5094.
> >> IMO Wicket 1.4.x must have had a bug but there is no one to confirm :-/
> >>
> >> Martin Grigorov
> >> Wicket Training and Consulting
> >> https://twitter.com/mtgrigorov
> >>
> >> On Wed, May 4, 2016 at 7:57 AM, Илья Нарыжный <phan...@ydn.ru> wrote:
> >>
> >>> Martin,
> >>>
> >>> Checked this issue: https://issues.apache.org/jira/browse/WICKET-5094
> >>> Absolutely disagree with the discussed behavior. It's meaningless to
> >>> prevent accessing /wicket/bookmarkable/<CLASS> only if there is a mount
> >>> point for that page.
> >>> Please help to find consensus. In my case it's a real security hole.
> >>>
> >>> Thanks,
> >>>
> >>> Ilia
> >>>
> >>> 2016-05-03 22:50 GMT-07:00 Илья Нарыжный <phan...@ydn.ru>:
> >>>
> >>>> Martin,
> >>>>
> >>>> Just checked: it doesn't work as expected. It seems that this code
> >>>> doesn't work as it was assumed:
> >>>>
> >>>> BookmarkableMapper.java
> >>>> if (application.getSecuritySettings().getEnforceMounts())
> >>>> {
> >>>>     // we make an exception if the homepage itself was mounted, see WICKET-1898
> >>>>     if (!pageClass.equals(application.getHomePage()))
> >>>>     {
> >>>>         // WICKET-5094 only enforce mount if page is mounted
> >>>>         if (isPageMounted(pageClass, application.getRootRequestMapperAsCompound()))    // HERE!!!
> >>>>         {
> >>>>             return null;
> >>>>         }
> >>>>     }
> >>>> }
> >>>>
> >>>> IMHO the condition at the line marked HERE!!! should be the opposite.
> >>>> Please check.
> >>>>
> >>>> In my case getSecuritySettings().setEnforceMounts(true); doesn't have
> >>>> any effect.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Ilia
> >>>>
> >>>> 2016-05-03 10:59 GMT-07:00 Илья Нарыжный <phan...@ydn.ru>:
> >>>>
> >>>>> Thank you Martin! I did know that there should be an easier way to do
> >>>>> that, but was not able to find it :)
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Ilia
> >>>>>
> >>>>> 2016-05-03 0:06 GMT-07:00 Martin Grigorov <mgrigo...@apache.org>:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I always thought
> >>>>>> that org.apache.wicket.settings.SecuritySettings#getEnforceMounts() is
> >>>>>> for this. Also its javadoc seems to say that.
> >>>>>> But there were some changes to its behavior after which I am no more
> >>>>>> sure what exactly it does :-/
> >>>>>>
> >>>>>> Martin Grigorov
> >>>>>> Wicket Training and Consulting
> >>>>>> https://twitter.com/mtgrigorov
> >>>>>>
> >>>>>> On Tue, May 3, 2016 at 8:53 AM, Илья Нарыжный <phan...@ydn.ru> wrote:
> >>>>>>
> >>>>>>> Yea - that's possible. Even instrumentation is possible, but probably
> >>>>>>> this problem is somehow solved already in wicket. I would briefly
> >>>>>>> summarize the problem like:
> >>>>>>>
> >>>>>>> Wicket allows directly addressing bookmarkable pages from 3rd party
> >>>>>>> libraries without a good way to manage accessibility.
> >>>>>>> Potentially it means that with having control over some 3rd party
> >>>>>>> lib it's possible to include a "backdoor page".
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Ilia
> >>>>>>>
> >>>>>>>
> >>>>>>> ---------------------------------------------------------------------
> >>>>>>> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> >>>>>>> For additional commands, e-mail: users-h...@wicket.apache.org
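As an added example (not code from the thread, nor Wicket's own), this is how Sven's workaround can be wired into a `WebApplication.init()`: every reachable page is mounted explicitly and the `BookmarkableMapper` is removed from the root compound mapper, so a page that is not mounted gets no URL at all. `LockedDownApplication`, `HomePage` and `AdminPage` are assumed names.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.BookmarkableMapper;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.mapper.ICompoundRequestMapper;

/**
 * Hypothetical application class (assumed name) that only exposes pages
 * reachable through an explicit mount. With the BookmarkableMapper gone,
 * /wicket/bookmarkable/<CLASS> no longer resolves to any page, including
 * pages shipped by third-party libraries on the classpath.
 */
public class LockedDownApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // assumed page class
    }

    @Override
    protected void init() {
        super.init();

        // Side effect noted in the thread: links to pages that are NOT mounted
        // render with an empty href, so every page that should be reachable
        // must be listed here.
        mountPage("/home", HomePage.class);   // assumed page class
        mountPage("/admin", AdminPage.class); // assumed page class

        // Collect first, then remove, so the removal does not depend on the
        // compound mapper's iteration semantics.
        ICompoundRequestMapper mappers = getRootRequestMapperAsCompound();
        List<IRequestMapper> toRemove = new ArrayList<>();
        for (IRequestMapper mapper : mappers) {
            if (mapper instanceof BookmarkableMapper) {
                toRemove.add(mapper);
            }
        }
        for (IRequestMapper mapper : toRemove) {
            mappers.remove(mapper);
        }
    }
}
```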
