Wicket / WICKET-4841

Return error code 400 when an Ajax request has no base url set in header/request parameters.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.8
    • Fix Version/s: 1.5.9, 6.3.0
    • Component/s: wicket
    • Labels:
      None

      Description

      Hello,

      Currently we've got a problem with faked Ajax requests. These Ajax
      requests miss some parameters, but the wicket-ajax header flag is set.
      So ServletWebRequest throws an exception:

      java.lang.IllegalStateException: Current ajax request is missing the base url header or parameter
      at org.apache.wicket.util.lang.Checks.notNull(Checks.java:38)
      at org.apache.wicket.protocol.http.servlet.ServletWebRequest.getClientUrl(ServletWebRequest.java:171)
      at org.apache.wicket.request.UrlRenderer.<init>(UrlRenderer.java:59)

      These faked requests are so massive that our application is no longer
      monitorable. Our workaround rejects these requests via Apache config.

      Instead of logging an exception, in deployment mode Wicket should log a warning and reject the request.
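
One way to get the requested behaviour (one warning line, then a 400) on a version without the fix, as an added example that is not Wicket's code and not the change committed for this issue. The class name is hypothetical; the header and parameter names and the set of truthy flag values are assumptions about how Wicket parses the request.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical guard filter (not part of Wicket); map it ahead of the Wicket filter. */
public class AjaxBaseUrlGuardFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(AjaxBaseUrlGuardFilter.class.getName());

    // Assumed names of Wicket's Ajax flag and base URL, in header and parameter form.
    static final String AJAX_HEADER = "Wicket-Ajax";
    static final String AJAX_PARAM = "wicket-ajax";
    static final String BASE_URL_HEADER = "Wicket-Ajax-BaseURL";
    static final String BASE_URL_PARAM = "wicket-ajax-baseurl";
    // Assumed set of flag values the framework treats as "true".
    static final List<String> TRUTHY = Arrays.asList("true", "on", "yes", "y", "1");

    static boolean isTrue(String value) {
        return value != null && TRUTHY.contains(value.toLowerCase(Locale.ROOT));
    }

    /** True when the request claims to be Ajax but carries no base URL in either place. */
    static boolean isMalformedAjax(HttpServletRequest r) {
        boolean ajax = isTrue(r.getHeader(AJAX_HEADER)) || isTrue(r.getParameter(AJAX_PARAM));
        return ajax && r.getHeader(BASE_URL_HEADER) == null
                && r.getParameter(BASE_URL_PARAM) == null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (isMalformedAjax(http)) {
            // One warning line per rejected request instead of a stack trace.
            LOG.warning("Rejected Ajax request without base URL: "
                    + http.getRemoteAddr() + " " + http.getRequestURI());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return; // the request never reaches Wicket, so no IllegalStateException
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

Calling `getParameter` makes the container parse a form-encoded POST body, so set the request character encoding before this filter runs if the application relies on a non-default one.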

        Activity

        Jan Riehn created issue -
        Jan Riehn made changes -
        Field | Original Value | New Value
        Description | (description as above, with the last sentence ending "log a warning a reject the request") | (description as above, with the last sentence ending "log a warning and reject the request")
        Jan Riehn made changes -
        Summary | Frequent faked AJAX requests prevent monitoring | Frequently faked AJAX requests prevent monitoring
        Martin Grigorov made changes -
        Summary | Frequently faked AJAX requests prevent monitoring | Return error code 400 when an Ajax request has no base url set in header/request parameters.
        Martin Grigorov made changes -
        Status | Open [ 1 ] | Resolved [ 5 ]
        Assignee | | Martin Grigorov [ mgrigorov ]
        Fix Version/s | | 6.3.0 [ 12323327 ]
        Fix Version/s | | 1.5.9 [ 12322962 ]
        Resolution | | Fixed [ 1 ]

          People

          • Assignee: Martin Grigorov
          • Reporter: Jan Riehn
          • Votes: 0
          • Watchers: 2
