[GEOS-11275] Wicket 9 upgrade #7154
@bradh I was thinking, if most of the remaining work is to interactively test stuff, maybe we could try to involve others as well (e.g., users) just asking to run side-by-side a GeoServer 2.24.x and a binary from this branch? Maybe set up a spreadsheet of pages to test to divide work. Just thinking out loud.
There is still one part that I need to fix: https://github.com/geoserver/geoserver/pull/7154/files#diff-150ffebe59f506d34ef00088e4dbe5e57cb4372a806a40c249ce7f0b00c3aca1 I am currently thinking something like:
but not sure I understand the base code that well, or how to adequately test this. In terms of user testing, maybe that would be best saved for post-Wicket 9? Otherwise we'll just be going back to ask for more test help pretty soon. For Wicket 9, I think the biggest work is going to be https://github.com/geoserver/geoserver/pull/7154/files#diff-0f799f2da8c62ce7254c4f4c914fd1f0ad5b3968a3bbc73c0fda75e7f458fe68
Good idea to wait for wicket 9 as well before involving users (not sure you wanted to do that too given the PR title, but good we're moving there as well). The link you referred me to shows 229 modified files, not sure which is the specific issue. But yeah, happy to help in general, just mind I might take a long time if it's big.
@@ -45,6 +41,9 @@ | |||
* | |||
* @author Andrea Aime | |||
*/ | |||
// TODO WICKET8 - migrate to https://yauaa.basjes.nl/ per |
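Review bot: the TODO added on the last line of this hunk names a specific replacement (the yauaa.basjes.nl link) but, as visible here, ends at "per" with no reference following it, so a reader cannot tell what the migration is based on. Suggest completing the sentence or pointing the TODO at the tracking ticket, and describing the task as replacing the browser detection rather than committing to one library in a code comment.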
@aaime This is the codemirror part.
I think I'm well advanced on wicket 9 now. At least it builds and passes CI. A lot of deprecation suppressions for the ModalWindow change (which will block Wicket 10), and haven't tested the runtime impact of the CSP policy yet.
I hoped it would go to a file within that list. The problem is the codemirror editor, which uses functions that are deprecated in wicket 8 and removed in wicket 9, to do sniffing of browser versions. Have added a comment that should take you to that.
Regarding the diff in AbstractSecurityNamedServicePanelTest, I had a look at the code. I don't remember working on it before, but semantically, the new bits are not doing the same thing. The old code was getting a ListView, was checking its contents, and if the item in it was matching a given reference class, it was extracting the ajax links, and clicking it.
Wow, this browser detection thing is a real can of worms. I get that the old Wicket code might have been imprecise, but Yauaa is really overboard:
We cannot seriously keep a pool of these objects around, each one with a monster "few hundred megabytes"... need to think of some alternative.
ua-parser seems promising size-wise, but appears to have been abandoned months ago... it depends on a version of snakeyaml that has vulnerabilities, and PRs to upgrade Snakeyaml or just remove the dependency have been ignored.
Perhaps a simpler approach is to just assume that in 2023, no one should be using IE 8, Firefox less than 3, Safari less than 5, or Opera less than 9. Which seems to be a fair assumption based on the browser version stats on this page: https://www.stetic.com/market-share/browser/
Or if they are, they won't be upgrading geoserver. It's possible that those browsers will have other issues with wicket 10 features anyway. So the replacement is just removal of the detection code.
The real "fun" seems to be replacing ModalWindow with ModalDialog ... as far as I can tell, it's more primitive but also more flexible. There is an example of how to rebuild a modal window like experience here: That is going to affect quite a bit of places:
I'm thinking we could rebuild our own ModalWindow on top of ModalDialog, in a way that's mostly API compatible with the old deprecated class, at least for the few parts that we actually use.
I've reverted this.
I've just pushed a commit that centralises the use of ModalWindow into a GSModalWindow wrapper. That shows what API we need for direct replacement. Based on that, it might be worth doing a couple of implementations (possibly with a shared base class if we need to share styling). One case is the GeoServerDialog, which is the only place that uses a bunch of the GSModalWindow methods. Then the other implementation is the "everything else" case. A later refinement could be to create a GSModalPopup, since there is a bit of duplicated (probably copy-n-pasted) code spread across multiple packages for that.
One deprecation suppression to rule them all! 🎉
Been trying to work on the dialog switch but it's too big, it's the type of rewrite that requires several hours of uninterrupted work, which I just can't carve out of my spare time now. I'd rebase the branch on top of main and propose a build for manual tests. I should be able to help with the (hopefully) small things that come out of the testing.
Will do. I have some summer break time coming up soon, and should be able to do that.
Appreciated.
This is implemented in 801f682
Wicket 9 has a strict (perhaps aggressive would be a better term) default policy for Content Security Policy (CSP) - see https://github.com/apache/wicket/blob/master/wicket-user-guide/src/main/asciidoc/security/security_6.adoc That is currently completely disabled by c16c752. I'd like to "do it right", which will be a bit of work and the manual testing should come after that. Mitigating more XSS and data injection attacks is worth it.
Problems to fix:
Is this good for a manual test round, involving users?
I think it's premature, but will need help to bash it into shape. Will follow-up on the mailing list with details.
.add( | ||
CSPDirective.STYLE_SRC, | ||
CSPDirectiveSrcValue.SELF, | ||
CSPDirectiveSrcValue.UNSAFE_INLINE) |
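Review bot: CSPDirectiveSrcValue.UNSAFE_INLINE on STYLE_SRC, the last argument of this add(...) call, allows every inline style attribute and style element, so the policy does nothing against injected styles. Suggest keeping only CSPDirectiveSrcValue.SELF for this directive once the inline styling has moved to a stylesheet, and marking the line with a TODO until then so the exception is not left in place by accident.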
This is the line to remove to see problems with inline styling.
Much of it moves to geoserver.css, some was duplicating existing classes.
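As an added example (not part of this PR or of GeoServer's code), the Python audit below lists the template markup that a policy without `unsafe-inline` stops applying, which is the inventory needed before inline styles can move to geoserver.css as described in the comment above. The sample template, `InlineAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample in the style of a Wicket page template (not GeoServer markup).
SAMPLE_TEMPLATE = """\
<html xmlns:wicket="http://wicket.apache.org/">
<head>
<style>.hint { color: gray; }</style>
</head>
<body>
<div wicket:id="panel" style="float: left; width: 40%">
  <a wicket:id="link" onclick="return confirm('sure?')">Delete</a>
</div>
</body>
</html>
"""


class InlineAudit(HTMLParser):
    """Records markup that a CSP without 'unsafe-inline' refuses to apply."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, directive, what)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        names = {name for name, _ in attrs}
        # Inline elements are only allowed when they carry a matching nonce.
        if tag == "style" and "nonce" not in names:
            self.findings.append((line, "style-src", "<style> element"))
        if tag == "script" and not names & {"src", "nonce"}:
            self.findings.append((line, "script-src", "inline <script>"))
        for name in sorted(names):
            if name == "style":  # nonces never cover attributes
                self.findings.append((line, "style-src", "style attribute"))
            elif name.startswith("on"):  # heuristic: onclick, onchange, ...
                self.findings.append((line, "script-src", name + " attribute"))


def audit(markup):
    parser = InlineAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, directive, what in audit(SAMPLE_TEMPLATE):
        print(f"line {line}: {what} is blocked without 'unsafe-inline' in {directive}")
```

Run over a module's `.html` templates, the `style-src` findings are the candidates to replace with CSS classes; the `script-src` findings would have to become behaviors or external scripts.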
Nasty rebase....
@bradh I do not have time to write a blog post; but GeoCat is in a position to handle the A/B testing to confirm the pages work (when this is ready for manual testing).
Work in progress on Wicket 8 migration (https://github.com/geoserver/geoserver/wiki/Jakarta-EE#wicket)
Look for "TODO WICKET8" for remaining work. Mostly this is verification, which should occur at the end. However there are broken modules and broken tests that need to be debugged.