Sure, but why bother when it's already implemented? Security-related stuff isn't exactly the right place to "roll your own".
Jörn

On Fri, Sep 19, 2008 at 4:34 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
> that is trivial to implement with 1.3.4 also
>
> -igor
>
> On Fri, Sep 19, 2008 at 12:51 AM, Jörn Zaefferer
> <[EMAIL PROTECTED]> wrote:
>> Though afaik the URL encryption will be even better with 1.3.5, where
>> the encryption key is session-based, that is, per user, instead of one
>> default key for everything (current 1.3.4 behaviour).
>>
>> Once that is released, you get unique-per-user URLs which provide
>> perfect protection against CSRF without ever getting into the way of
>> the application developer. Haven't seen that anywhere else!
>>
>> Jörn
>>
>> On Thu, Sep 18, 2008 at 7:15 PM, Jonathan Locke
>> <[EMAIL PROTECTED]> wrote:
>>>
>>> to be totally explicit, the third sentence should probably say "explicit
>>> steps must be taken *by the programmer*" ;-)
>>>
>>> the last sentence is outdated as wicket provides URL encryption if you want
>>> it
>>>
>>>
>>> Johan Compagner wrote:
>>>>
>>>> Why is that sentence ambiguous?
>>>>
>>>> On 9/18/08, cj91 <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>> My company is planning an extremely large web project and Wicket is a
>>>>> candidate for use. My manager pointed out some unsettling words on the
>>>>> Wicket FAQ, which are ambiguous unfortunately.
>>>>> http://wicket.apache.org/features.html
>>>>>
>>>>>>>> Wicket is secure by default. URLs do not expose sensitive information and
>>>>>>>> all component paths are session-relative. Explicit steps must be taken to
>>>>>>>> share information between sessions. There are plans for the next version of
>>>>>>>> Wicket to add URL encryption to support highly secure web sites.
>>>>>
>>>>>
>>>>> Can someone please elaborate on what is meant by "Explicit steps must be
>>>>> taken to share information between sessions."
>>>>>
>>>>> Thank you,
>>>>> -Jonathan
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/Wicket-not-secure--tp19556259p19556259.html
>>>>> Sent from the Wicket - User mailing list archive at Nabble.com.
>>>
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Wicket-not-secure--tp19556259p19557667.html
>>> Sent from the Wicket - User mailing list archive at Nabble.com.
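
As an added example (not code from this thread or from the Wicket project), this is how an application could switch on the framework's built-in URL encryption with the per-session key discussed above, instead of implementing its own scheme. `SecureApplication` and `HomePage` are hypothetical names, and the Wicket class names are assumed to match the 1.3.5 API.

```java
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;

// Hypothetical application class for a Wicket 1.3.x project.
public class SecureApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();
        // Assumed 1.3.5 API: derive the URL encryption key per HTTP session,
        // so an encrypted URL issued to one user does not decode in another
        // user's session. Without this line the single default key of 1.3.4
        // is shared by every session.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
    }

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                // Wrap the default strategy: every generated URL is encrypted
                // on the way out and decrypted on the way in, with the crypt
                // object supplied by the factory configured in init().
                return new CryptedUrlWebRequestCodingStrategy(
                        new WebRequestCodingStrategy());
            }
        };
    }

    @Override
    public Class getHomePage() {
        // HomePage is assumed to be a WebPage defined elsewhere in the project.
        return HomePage.class;
    }
}
```

Because the key lives in the session, encrypted URLs stop working once that session expires, so bookmarkable entry points should be mounted separately.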
