Though afaik the URL encryption will be even better with 1.3.5, where the encryption key is session-based, that is, per user, instead of one default key for everything (current 1.3.4 behaviour).

Once that is released, you get unique-per-user URLs which provide perfect protection against CSRF without ever getting in the way of the application developer. Haven't seen that anywhere else!

Jörn

On Thu, Sep 18, 2008 at 7:15 PM, Jonathan Locke <[EMAIL PROTECTED]> wrote:
>
> to be totally explicit, the third sentence should probably say "explicit
> steps must be taken *by the programmer*" ;-)
>
> the last sentence is outdated as wicket provides URL encryption if you want it
>
> Johan Compagner wrote:
>>
>> Why is that sentence ambiguous?
>>
>> On 9/18/08, cj91 <[EMAIL PROTECTED]> wrote:
>>>
>>> My company is planning an extremely large web project and Wicket is a
>>> candidate for use. My manager pointed out some unsettling words on the
>>> Wicket FAQ, which are ambiguous unfortunately.
>>> http://wicket.apache.org/features.html
>>>
>>>>>> Wicket is secure by default. URLs do not expose sensitive information and
>>>>>> all component paths are session-relative. Explicit steps must be taken to
>>>>>> share information between sessions. There are plans for the next version
>>>>>> of Wicket to add URL encryption to support highly secure web sites.
>>>
>>> Can someone please elaborate on what is meant by "Explicit steps must be
>>> taken to share information between sessions."
>>>
>>> Thank you,
>>> -Jonathan
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Wicket-not-secure--tp19556259p19556259.html
>>> Sent from the Wicket - User mailing list archive at Nabble.com.
>
> --
> View this message in context:
> http://www.nabble.com/Wicket-not-secure--tp19556259p19557667.html
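The CSRF argument in Jörn's message rests on the key being per session: with one default key (the 1.3.4 behaviour described above) a URL that is valid for one user is valid for every user, so an attacker can mint a URL in their own session and have a victim's browser submit it; with a per-session key the same URL fails in any other session. The following is an added illustration, not Wicket's code, and it swaps in per-session HMAC signing for Wicket's URL encryption because signing is enough to show the property that matters here (a URL minted under one session's key is rejected under another's). The class name, the `/app/?u=` URL shape and the sample action path are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


class SessionUrlSigner:
    """Hypothetical per-session URL protection (illustration, not Wicket's code).

    Every session receives its own random key when it is created. A URL
    minted for one session carries a MAC under that session's key, so the
    same URL presented inside a different session fails verification.
    """

    TAG_LEN = 16  # truncated HMAC-SHA256 tag, in bytes

    def __init__(self):
        self._keys = {}  # session id -> 32-byte per-session key

    def new_session(self):
        """Create a session and give it its own random key."""
        sid = secrets.token_urlsafe(16)
        self._keys[sid] = secrets.token_bytes(32)
        return sid

    def protect(self, sid, path):
        """Return an opaque URL of the (assumed) form /app/?u=<base64(path||tag)>."""
        key = self._keys[sid]
        tag = hmac.new(key, path.encode(), hashlib.sha256).digest()[: self.TAG_LEN]
        token = base64.urlsafe_b64encode(path.encode() + tag).decode().rstrip("=")
        return "/app/?u=" + token

    def resolve(self, sid, url):
        """Return the original path if the URL is valid for this session, else None."""
        key = self._keys.get(sid)
        if key is None:
            return None  # unknown session: nothing to verify against
        token = parse_qs(urlparse(url).query).get("u", [None])[0]
        if token is None:
            return None
        pad = "=" * (-len(token) % 4)  # restore the padding stripped in protect()
        try:
            raw = base64.urlsafe_b64decode(token + pad)
        except ValueError:
            return None
        if len(raw) <= self.TAG_LEN:
            return None
        path, tag = raw[: -self.TAG_LEN], raw[-self.TAG_LEN:]
        expected = hmac.new(key, path, hashlib.sha256).digest()[: self.TAG_LEN]
        # constant-time comparison so the tag cannot be guessed byte by byte
        if not hmac.compare_digest(tag, expected):
            return None
        return path.decode()


def demo():
    """Replay the CSRF scenario: a URL minted in one session is used in another."""
    signer = SessionUrlSigner()
    victim = signer.new_session()
    attacker = signer.new_session()
    action = "/account/transfer?to=attacker&amount=100"  # constructed sample path

    own_url = signer.protect(victim, action)            # minted for the victim
    crafted_url = signer.protect(attacker, action)      # minted in the attacker's session
    return {
        # the victim's own URL resolves inside the victim's session
        "own_session": signer.resolve(victim, own_url),
        # the attacker's URL, when the victim's browser submits it, is rejected
        "cross_session_rejected": signer.resolve(victim, crafted_url) is None,
        # a URL presented with no session at all is rejected as well
        "no_session_rejected": signer.resolve("no-such-session", own_url) is None,
    }


if __name__ == "__main__":
    print(demo())
```

With a single shared key instead of `self._keys[sid]`, `cross_session_rejected` would be `False`: the attacker's URL would verify in the victim's session, which is exactly the gap the per-session key closes. Signing alone does not hide the path the way encryption does; it is used here only because the CSRF property depends on the key being per session, not on the URL being unreadable.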