OK! You have not used the word "easily", but by only saying "There are more hardening options such as encrypting urls" it seems that by encrypting URLs the problem is solved, and that is not the case! The user has to implement a custom security factory, different from the one provided by Wicket (SunJceCrypt), to resolve CSRF.

Erik van Oosten wrote:
>
> Arthur Ahiceh wrote:
>>>> 4. Yes. See mailing list for earlier answers. There are more hardening
>>>> options such as encrypting urls.
>>
>> Even encrypting the urls, Wicket is vulnerable to CSRF because the key used
>> to encrypt is shared by all users of the application. Wicket is an extensible
>> framework where you can add some new functionality "easily" but it doesn't
>> provide any secure solution by default to protect you against CSRF
>> attacks!
>
> Correct indeed. Also note, I did not use the word 'easily' :)
>
> Regards,
> Erik.
>
> --
> Erik van Oosten
> http://day-to-day-stuff.blogspot.com/

--
View this message in context: http://www.nabble.com/Questions-about-wicket-features-tp18857860p18866928.html
Sent from the Wicket - User mailing list archive at Nabble.com.