Item2160: JHotDrawPlugin incompatible with 1.0.7 CSRF protection of attachments

Priority: Urgent
Current State: Closed
Released In:
Target Release: n/a
Applies To: Extension
Component: JHotDrawPlugin
Reported By: KennethLavrsen
Waiting For:
Last Change By: KennethLavrsen

Plugin cannot save unless you disable CSRF protection completely.

We need the plugin to be able to at least work with embedded type protection.

-- KennethLavrsen - 28 Sep 2009

Note that it must be possible to save multiple times from the applet during editing.

You cannot expect people to always save and quit. Saving while drawing is common as the program can crash.

That puts an extra challenge on implementation because it means the plugin must be given a new token after each save and continue.

-- KennethLavrsen - 28 Sep 2009

The reason is we added CSRF protection to upload requests, which JHotDraw uses for saves. There are a couple of possible solutions:
  1. Compute the correct response in Java (should be fairly simple)
  2. Use a REST handler for saving these graphics.

-- CrawfordCurrie - 28 Sep 2009
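The handshake the two posts above ask for (the applet must be handed a fresh validation token after every save so that it can keep saving while the drawing is being edited) can be simulated end to end. The block below is an added example written for this page; it is not Foswiki's StrikeOne code nor anything from JHotDrawPlugin, and the class and method names (TokenStore, UploadHandler, AppletClient, render_editor, upload) are assumptions chosen for the simulation. The server issues single-use random tokens, accepts each one exactly once, and returns the next token in the save response; a replayed or missing token is rejected.

```python
"""Added example: CSRF token rotation for an applet that saves repeatedly.
Simulation with constructed names; not Foswiki's StrikeOne implementation."""
import secrets


class TokenStore:
    """Server-side record of validation tokens that have not been used yet."""

    def __init__(self):
        self._live = set()

    def issue(self):
        token = secrets.token_hex(16)   # 128 random bits, not guessable
        self._live.add(token)
        return token

    def consume(self, token):
        """Accept a token exactly once; a replayed or unknown token fails."""
        if token in self._live:
            self._live.remove(token)
            return True
        return False


class UploadHandler:
    """Server side: the upload endpoint the applet posts its drawing to."""

    def __init__(self):
        self.tokens = TokenStore()
        self.saved = []               # (filename, bytes) pairs accepted so far

    def render_editor(self):
        # The edit page hands the applet its first token, the way a hidden
        # form field or an applet parameter would.
        return {"validation_key": self.tokens.issue()}

    def upload(self, filename, data, validation_key):
        if not self.tokens.consume(validation_key):
            # Either no valid token was presented or it was already used.
            return {"status": 403, "reason": "invalid or stale validation key"}
        self.saved.append((filename, data))
        # Rotate: the response carries the token for the *next* save.
        return {"status": 200, "validation_key": self.tokens.issue()}


class AppletClient:
    """Client side: holds the current token and swaps it after each save."""

    def __init__(self, server):
        self.server = server
        self.validation_key = server.render_editor()["validation_key"]

    def save(self, filename, data):
        resp = self.server.upload(filename, data, self.validation_key)
        if resp["status"] == 200:
            self.validation_key = resp["validation_key"]
        return resp["status"]


def run_handshake():
    """Save twice from the applet, then try two requests that must fail.
    Returns the status codes and the number of accepted saves."""
    server = UploadHandler()
    applet = AppletClient(server)
    first_key = applet.validation_key

    ok1 = applet.save("Testdrawing.draw", b"<draw v1>")   # constructed data
    ok2 = applet.save("Testdrawing.draw", b"<draw v2>")   # second save, new token

    # Reusing the already-consumed first token is rejected, so a token that
    # leaked from one save cannot be presented again.
    replay = server.upload("Testdrawing.draw", b"<x>", first_key)["status"]
    # A request carrying no token at all is rejected as well.
    blind = server.upload("Testdrawing.draw", b"<x>", "")["status"]

    return ok1, ok2, replay, blind, len(server.saved)


if __name__ == "__main__":
    print(run_handshake())   # (200, 200, 403, 403, 2)
```

The design point is that the applet never needs the protection switched off: every successful save response is also the grant for the next one, and the server forgets a token the moment it is used, which is what makes the "save while drawing" workflow and the single-use check compatible.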

I checked in my updates, but have only tested against trunk. Kenneth, I could really use some feedback. Already spent far too much time on this. If it works, then we have a general solution for Java applets + strikeone, which I will blog on.

-- CrawfordCurrie - 08 Oct 2009

You will have feedback within 48 hours.

Great that you took on this task.

-- KennethLavrsen - 08 Oct 2009

Tested JHotDrawPlugin in 1.0.7

I cannot save. Java applet hangs during save. Cannot even exit without saving. Have to kill browser.

-- KennethLavrsen - 08 Oct 2009

Found root cause.

File does not exist: /var/www/Release01x00/core/pub/System/JHotDrawPlugin/jhotdraw.js

It seems we have a problem now with pseudo-installed extensions with compressed .js files. The compressed file is built with BuildContrib but you do not run Build when testing.

When I manually just copy the jhotdraw_src.js to jhotdraw.js it works.

There is also some debug printing left that fills log with "JHotDraw saved Testdrawing"

The feedback during save has degraded. It says it is saving and appears to never finish. Before, you got feedback "Saved ... OK". It is not until you hover the mouse over some buttons that the Saving message changes.

The Exit dialog is a little too smart. If I edit a drawing and want to exit without saving neither "It is OK, I have saved" or "No don't exit yet" matches. It is rather confusing. Just "Yes, exit now", "No don't exit yet" will do.

-- KennethLavrsen - 08 Oct 2009

The lack of the compressed .js is really down to an expectation that a tester will run with FOSWIKI_ASSERT enabled. It will always be there in a release. It's not a big deal to add it to the repository. More importantly, you have highlighted something I knew, which is that the Java will blindly continue even if there is no Javascript running. There needs to be a handshake.

The debug printing can be removed.

The feedback during save appears less because it is now only sending a single request to the server, instead of 3. I haven't put any effort into improving this (I was trying to get it working as a first step!)

You can never get the wording of this exit dialog quite right. JHotDraw has no "something has changed" flag, though I'm sure one could be added by someone who has the time - or maybe 1.6 has that, I didn't look. So the dialog is always presented, even if you have nothing to save.

I'll take all these points into account when I next have a chance to work on it (or someone else with checkin rights is welcome to make the suggested changes).

-- CrawfordCurrie - 09 Oct 2009

I took a stab:

  • Removed the debug message
  • Changed the "It is OK, I have saved" to "Yes, exit now"
  • Added an additional message so the Saving .... is overwritten by Saved ... when all the saving is done. This way it does not look like anything is hanging. And if it was hanging we would see the Saving... forever.

With these changes I think we can release the new version so I do that.

-- KennethLavrsen - 13 Oct 2009

You missed adding jhotdraw.js to MANIFEST

-- CrawfordCurrie - 27 Oct 2009

Not sure where we stand with this, so marking for Kenneth's feedback, as he was the last one "doing stuff".

-- CrawfordCurrie - 08 Dec 2009

The last status was

  • You fixed the plugin so it works on 1.0.7 and asked me to check it out
  • I did the small additional fixes to the plugin
  • I released the plugin to
  • You found out that you had not added jhotdraw.js to the MANIFEST and blamed me for it
  • You fixed the MANIFEST and uploaded the corrected plugin to
  • You forgot to close this bug and blame me for it

But it's OK. I can take it. I am thankful for the fix you did to make it work with the CSRF protection. I could not have done that myself.

But all is well and has been since October 27th.

Closing bug.

-- KennethLavrsen - 09 Dec 2009


SVN Range: Foswiki-1.0.7, Sun, 20 Sep 2009, build 5061
Checkins: JHotDrawPlugin:9d1a8749cedc JHotDrawPlugin:f480f87918ab JHotDrawPlugin:39cc4ba8bdf1
Topic revision: r14 - 09 Dec 2009, KennethLavrsen