[Geoserver-devel] Intermediate report for upgrading to apache wicket 1.5

Hi all

I am currently working on the security issues prohibiting upgrading to wicket 1.5.x

I checked out the “feature-upgrade-wicket” branch and did the following steps.

  1. Fix all compile errors

  2. merge with master branch

  3. Fix all compile errors introduced by the merge

  4. Investigate in test failures.

There are some failing tests not related to security code. I had a look at those but fixing looks not easy, so I focused on the security stuff.

The blocker at the moment is a different behaviour of the wicket tester. All tests testing removal from security objects (using the admin GUI) are failing.

Code snippet

tester.assertComponent(“form:11:table:listContainer:selectAllContainer:selectAll”, CheckBox.class);

tester.executeAjaxEvent"form:11:table:listContainer:selectAllContainer:selectAll",“onclick”);

The first line works fine, the second line throws a ComponentNofFoundException !!!

Until now, I have not found a solution.

How to proceed ?.

Should I disable those tests ?.

Should I push back the current status hoping that another dev finds a solution ?

Should I push my changes to the my private git repo for review

Thanks

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

I think it’s reasonable to disable the tests that are broken by changes to the test framework. Clearly WicketTester did not detect the Chrome form submission problems that were discussed recently, so I guess it’s not a substitute for manual testing anyway.

When I was working on the Wicket 1.5 upgrade, I noticed that some of the component addresses have changed - some containers (I noticed this mostly with border panels) now have a visible inner component which was previously hidden, so some form addresses that were previously border:field are now border:innerPanel:field or similar. I don’t know of a good way to address this apart from using the printComponentTrees method in WicketTester and manually tracing the components.

I also noted that some Ajax emulation in WicketTester is simply broken. I attempted to contact the Wicket team about this, but only in IRC and I didn’t get very far. A bug report might be a better way forward on that front.

···

On Mon, Apr 22, 2013 at 8:08 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi all

I am currently working on the security issues prohibiting upgrading to wicket 1.5.x

I checked out the “feature-upgrade-wicket” branch and did the following steps.

  1. Fix all compile errors

  2. merge with master branch

  3. Fix all compile errors introduced by the merge

  4. Investigate in test failures.

There are some failing tests not related to security code. I had a look at those but fixing looks not easy, so I focused on the security stuff.

The blocker at the moment is a different behaviour of the wicket tester. All tests testing removal from security objects (using the admin GUI) are failing.

Code snippet

tester.assertComponent(“form:11:table:listContainer:selectAllContainer:selectAll”, CheckBox.class);

tester.executeAjaxEvent"form:11:table:listContainer:selectAllContainer:selectAll",“onclick”);

The first line works fine, the second line throws a ComponentNofFoundException !!!

Until now, I have not found a solution.

How to proceed ?.

Should I disable those tests ?.

Should I push back the current status hoping that another dev finds a solution ?

Should I push my changes to the my private git repo for review

Thanks

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter


Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Hi David

It looks as if was hit by the Ajax emulation problems. Next steps from my side

  1. Disable these problematic tests

  2. Make assure that the security related tests pass

  3. Merge again with master

  4. Push changes

About 4), should I push to the official geoserver repo or to my personal repo for review ?

Christian

···

2013/4/22 David Winslow <dwinslow@anonymised.com>

I think it’s reasonable to disable the tests that are broken by changes to the test framework. Clearly WicketTester did not detect the Chrome form submission problems that were discussed recently, so I guess it’s not a substitute for manual testing anyway.

When I was working on the Wicket 1.5 upgrade, I noticed that some of the component addresses have changed - some containers (I noticed this mostly with border panels) now have a visible inner component which was previously hidden, so some form addresses that were previously border:field are now border:innerPanel:field or similar. I don’t know of a good way to address this apart from using the printComponentTrees method in WicketTester and manually tracing the components.

I also noted that some Ajax emulation in WicketTester is simply broken. I attempted to contact the Wicket team about this, but only in IRC and I didn’t get very far. A bug report might be a better way forward on that front.


David Winslow
OpenGeo - http://opengeo.org/

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Mon, Apr 22, 2013 at 8:08 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi all

I am currently working on the security issues prohibiting upgrading to wicket 1.5.x

I checked out the “feature-upgrade-wicket” branch and did the following steps.

  1. Fix all compile errors

  2. merge with master branch

  3. Fix all compile errors introduced by the merge

  4. Investigate in test failures.

There are some failing tests not related to security code. I had a look at those but fixing looks not easy, so I focused on the security stuff.

The blocker at the moment is a different behaviour of the wicket tester. All tests testing removal from security objects (using the admin GUI) are failing.

Code snippet

tester.assertComponent(“form:11:table:listContainer:selectAllContainer:selectAll”, CheckBox.class);

tester.executeAjaxEvent"form:11:table:listContainer:selectAllContainer:selectAll",“onclick”);

The first line works fine, the second line throws a ComponentNofFoundException !!!

Until now, I have not found a solution.

How to proceed ?.

Should I disable those tests ?.

Should I push back the current status hoping that another dev finds a solution ?

Should I push my changes to the my private git repo for review

Thanks

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Please push to the official repo - I put the branch there originally so that others would be able to push any fixes to the same branch I was working from.

···

On Mon, Apr 22, 2013 at 10:09 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi David

It looks as if was hit by the Ajax emulation problems. Next steps from my side

  1. Disable these problematic tests

  2. Make assure that the security related tests pass

  3. Merge again with master

  4. Push changes

About 4), should I push to the official geoserver repo or to my personal repo for review ?

Christian

2013/4/22 David Winslow <dwinslow@anonymised.com>

I think it’s reasonable to disable the tests that are broken by changes to the test framework. Clearly WicketTester did not detect the Chrome form submission problems that were discussed recently, so I guess it’s not a substitute for manual testing anyway.

When I was working on the Wicket 1.5 upgrade, I noticed that some of the component addresses have changed - some containers (I noticed this mostly with border panels) now have a visible inner component which was previously hidden, so some form addresses that were previously border:field are now border:innerPanel:field or similar. I don’t know of a good way to address this apart from using the printComponentTrees method in WicketTester and manually tracing the components.

I also noted that some Ajax emulation in WicketTester is simply broken. I attempted to contact the Wicket team about this, but only in IRC and I didn’t get very far. A bug report might be a better way forward on that front.


David Winslow
OpenGeo - http://opengeo.org/

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Mon, Apr 22, 2013 at 8:08 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi all

I am currently working on the security issues prohibiting upgrading to wicket 1.5.x

I checked out the “feature-upgrade-wicket” branch and did the following steps.

  1. Fix all compile errors

  2. merge with master branch

  3. Fix all compile errors introduced by the merge

  4. Investigate in test failures.

There are some failing tests not related to security code. I had a look at those but fixing looks not easy, so I focused on the security stuff.

The blocker at the moment is a different behaviour of the wicket tester. All tests testing removal from security objects (using the admin GUI) are failing.

Code snippet

tester.assertComponent(“form:11:table:listContainer:selectAllContainer:selectAll”, CheckBox.class);

tester.executeAjaxEvent"form:11:table:listContainer:selectAllContainer:selectAll",“onclick”);

The first line works fine, the second line throws a ComponentNofFoundException !!!

Until now, I have not found a solution.

How to proceed ?.

Should I disable those tests ?.

Should I push back the current status hoping that another dev finds a solution ?

Should I push my changes to the my private git repo for review

Thanks

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Hi David

I committed my changes after a final merge with master. I had to disable some tests producing some dead test code (Commenting the @Test annotation) . Maybe I can reactivate this code later.

The security tests are passing.

One question:

Due to compile errors I had to remove org.geoserver.web.GeoServerHTMLValidatorResponseFilter. I did an eclipse file search and this class is not referenced. But I am unsure here. Any ideas ?

Christian

···

2013/4/22 David Winslow <dwinslow@anonymised.com>

Please push to the official repo - I put the branch there originally so that others would be able to push any fixes to the same branch I was working from.


David Winslow
OpenGeo - http://opengeo.org/

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Mon, Apr 22, 2013 at 10:09 AM, Christian Mueller <christian.mueller@anonymised.com.> wrote:

Hi David

It looks as if was hit by the Ajax emulation problems. Next steps from my side

  1. Disable these problematic tests

  2. Make assure that the security related tests pass

  3. Merge again with master

  4. Push changes

About 4), should I push to the official geoserver repo or to my personal repo for review ?

Christian

2013/4/22 David Winslow <dwinslow@anonymised.com>

I think it’s reasonable to disable the tests that are broken by changes to the test framework. Clearly WicketTester did not detect the Chrome form submission problems that were discussed recently, so I guess it’s not a substitute for manual testing anyway.

When I was working on the Wicket 1.5 upgrade, I noticed that some of the component addresses have changed - some containers (I noticed this mostly with border panels) now have a visible inner component which was previously hidden, so some form addresses that were previously border:field are now border:innerPanel:field or similar. I don’t know of a good way to address this apart from using the printComponentTrees method in WicketTester and manually tracing the components.

I also noted that some Ajax emulation in WicketTester is simply broken. I attempted to contact the Wicket team about this, but only in IRC and I didn’t get very far. A bug report might be a better way forward on that front.


David Winslow
OpenGeo - http://opengeo.org/

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Mon, Apr 22, 2013 at 8:08 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi all

I am currently working on the security issues prohibiting upgrading to wicket 1.5.x

I checked out the “feature-upgrade-wicket” branch and did the following steps.

  1. Fix all compile errors

  2. merge with master branch

  3. Fix all compile errors introduced by the merge

  4. Investigate in test failures.

There are some failing tests not related to security code. I had a look at those but fixing looks not easy, so I focused on the security stuff.

The blocker at the moment is a different behaviour of the wicket tester. All tests testing removal from security objects (using the admin GUI) are failing.

Code snippet

tester.assertComponent(“form:11:table:listContainer:selectAllContainer:selectAll”, CheckBox.class);

tester.executeAjaxEvent"form:11:table:listContainer:selectAllContainer:selectAll",“onclick”);

The first line works fine, the second line throws a ComponentNofFoundException !!!

Until now, I have not found a solution.

How to proceed ?.

Should I disable those tests ?.

Should I push back the current status hoping that another dev finds a solution ?

Should I push my changes to the my private git repo for review

Thanks

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

On Tue, Apr 23, 2013 at 9:42 AM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

Hi David

I committed my changes after a final merge with master. I had to disable
some tests producing some dead test code (Commenting the @Test annotation)
. Maybe I can reactivate this code later.

The security tests are passing.

One question:

Due to compile errors I had to
remove org.geoserver.web.GeoServerHTMLValidatorResponseFilter. I did an
eclipse file search and this class is not referenced. But I am unsure here.
Any ideas ?

As far as I know that class was needed to support the "validate html" links
that you get only when setting up the
GeoServer wicket interface in developer mode
(-Dwicket.configuration=development).
The backing library is not available for Wicket 1.5 though, so we should
just drop it (there are browser extensions
that can do the same HTML validation job)

Cheers
Andrea

--

GeoServer training in Milan, 6th & 7th June 2013! Visit
http://geoserver.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------