Switch from CsrfPreventionRequestCycleListener to FetchMetadataResourceIsolationPolicy

[reckart]

The auto configuration for CSRF protection configures the deprecated CsrfPreventionRequestCycleListener (to be removed in Wicket 10)

The replacement ResourceIsolationRequestCycleListener / FetchMetadataResourceIsolationPolicy seems not to be supported by Wicket Spring Boot yet.

[reckart]

When trying to run the current version against Wicket 10 / Spring 3, it produces an error like this:

java.lang.NoClassDefFoundError: org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener$CsrfAction
    at java.lang.Class.getDeclaredFields0(Native Method) ~[?:?]
    at java.lang.Class.privateGetDeclaredFields(Class.java:3297) ~[?:?]
    at java.lang.Class.getDeclaredField(Class.java:2608) ~[?:?]
    at org.springframework.boot.context.properties.bind.DefaultBindConstructorProvider$Constructors.isInnerClass(DefaultBindConstructorProvider.java:113) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.context.properties.bind.DefaultBindConstructorProvider$Constructors.getCandidateConstructors(DefaultBindConstructorProvider.java:104) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.context.properties.bind.DefaultBindConstructorProvider$Constructors.getConstructors(DefaultBindConstructorProvider.java:82) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.context.properties.bind.DefaultBindConstructorProvider.getBindConstructor(DefaultBindConstructorProvider.java:50) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.context.properties.ConfigurationPropertiesBean$BindMethod.get(ConfigurationPropertiesBean.java:327) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.context.properties.ConfigurationPropertiesBeanRegistrar.createBeanDefinition(ConfigurationPropertiesBeanRegistrar.java:92) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.context.properties.ConfigurationPropertiesBeanRegistrar.registerBeanDefinition(ConfigurationPropertiesBeanRegistrar.java:88) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.context.properties.ConfigurationPropertiesBeanRegistrar.register(ConfigurationPropertiesBeanRegistrar.java:60) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.context.properties.ConfigurationPropertiesBeanRegistrar.register(ConfigurationPropertiesBeanRegistrar.java:54) ~[spring-boot-3.0.0.jar:3.0.0]
    at java.lang.Iterable.forEach(Iterable.java:75) ~[?:?]
    at org.springframework.boot.context.properties.EnableConfigurationPropertiesRegistrar.registerBeanDefinitions(EnableConfigurationPropertiesRegistrar.java:49) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.context.annotation.ImportBeanDefinitionRegistrar.registerBeanDefinitions(ImportBeanDefinitionRegistrar.java:86) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.lambda$loadBeanDefinitionsFromRegistrars$1(ConfigurationClassBeanDefinitionReader.java:373) ~[spring-context-6.0.2.jar:6.0.2]
    at java.util.LinkedHashMap.forEach(LinkedHashMap.java:721) ~[?:?]
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsFromRegistrars(ConfigurationClassBeanDefinitionReader.java:372) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:148) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:120) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:409) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:283) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:344) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:115) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:745) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:565) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:730) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:432) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:308) ~[spring-boot-3.0.0.jar:3.0.0]
        ...
Caused by: java.lang.ClassNotFoundException: org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener$CsrfAction
    at jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) ~[?:?]
    at jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) ~[?:?]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:520) ~[?:?]
    ... 111 more

[reckart]

@MarcGiffing considering the changes coming in Wicket 10 it may be sensible to schedule this fix for a 4.0.0 version along with further changes related to Wicket 10 and the move to Jakarta.