you don't have to roll your own security, just where wicket looks for the key :)

-igor

On Fri, Sep 19, 2008 at 7:40 AM, Jörn Zaefferer <[EMAIL PROTECTED]> wrote:
> Sure, but why bother when it's already implemented? Security-related
> stuff isn't exactly the right place to "roll your own".
>
> Jörn
>
> On Fri, Sep 19, 2008 at 4:34 PM, Igor Vaynberg <[EMAIL PROTECTED]> wrote:
>> that is trivial to implement with 1.3.4 also
>>
>> -igor
>>
>> On Fri, Sep 19, 2008 at 12:51 AM, Jörn Zaefferer
>> <[EMAIL PROTECTED]> wrote:
>>> Though afaik the URL encryption will be even better with 1.3.5, where
>>> the encryption key is session-based, that is, per user, instead of one
>>> default key for everything (current 1.3.4 behaviour).
>>>
>>> Once that is released, you get unique-per-user URLs which provide
>>> perfect protection against CSRF without ever getting into the way of
>>> the application developer. Haven't seen that anywhere else!
>>>
>>> Jörn
>>>
>>> On Thu, Sep 18, 2008 at 7:15 PM, Jonathan Locke
>>> <[EMAIL PROTECTED]> wrote:
>>>>
>>>> to be totally explicit, the third sentence should probably say "explicit
>>>> steps must be taken *by the programmer*" ;-)
>>>>
>>>> the last sentence is outdated as wicket provides URL encryption if you want
>>>> it
>>>>
>>>> Johan Compagner wrote:
>>>>>
>>>>> Why is that sentence ambiguous?
>>>>>
>>>>> On 9/18/08, cj91 <[EMAIL PROTECTED]> wrote:
>>>>>>
>>>>>> My company is planning an extremely large web project and Wicket is a
>>>>>> candidate for use. My manager pointed out some unsettling words on the
>>>>>> Wicket FAQ, which are ambiguous unfortunately.
>>>>>> http://wicket.apache.org/features.html
>>>>>>
>>>>>> >>> Wicket is secure by default. URLs do not expose sensitive information and
>>>>>> >>> all component paths are session-relative. Explicit steps must be taken to
>>>>>> >>> share information between sessions. There are plans for the next version
>>>>>> >>> of Wicket to add URL encryption to support highly secure web sites.
>>>>>>
>>>>>> Can someone please elaborate on what is meant by "Explicit steps must be
>>>>>> taken to share information between sessions."
>>>>>>
>>>>>> Thank you,
>>>>>> -Jonathan
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://www.nabble.com/Wicket-not-secure--tp19556259p19556259.html
>>>>>> Sent from the Wicket - User mailing list archive at Nabble.com.
>>>>
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Wicket-not-secure--tp19556259p19557667.html
>>>> Sent from the Wicket - User mailing list archive at Nabble.com.
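
Added example, not part of the thread and not the Wicket project's own code: one way to change where Wicket 1.3 looks for the URL encryption key, so that each HTTP session gets its own random key as discussed above. The names `SessionKeyedApplication`, `SessionKeyCryptFactory` and the session attribute name are assumptions made for illustration; the Wicket types are from the 1.3 API.

```java
import java.util.UUID;
import javax.servlet.http.HttpSession;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycle;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.ICryptFactory;
import org.apache.wicket.util.crypt.SunJceCrypt;

/** Hypothetical base class; subclasses supply getHomePage() as usual. */
public abstract class SessionKeyedApplication extends WebApplication {

    /** Hypothetical factory: a random key per HTTP session, not one shared default key. */
    static class SessionKeyCryptFactory implements ICryptFactory {
        // Assumed attribute name; any name private to the application works.
        private static final String KEY_ATTR = SessionKeyCryptFactory.class.getName() + ".key";

        public ICrypt newCrypt() {
            WebRequestCycle cycle = (WebRequestCycle) RequestCycle.get();
            HttpSession session = cycle.getWebRequest().getHttpServletRequest().getSession(true);
            String key;
            synchronized (this) { // avoid two first requests racing to create different keys
                key = (String) session.getAttribute(KEY_ATTR);
                if (key == null) {
                    key = UUID.randomUUID().toString(); // random (type 4) UUID
                    session.setAttribute(KEY_ATTR, key);
                }
            }
            ICrypt crypt = new SunJceCrypt();
            crypt.setKey(key); // URLs encrypted here will not decrypt under another session's key
            return crypt;
        }
    }

    protected void init() {
        super.init();
        getSecuritySettings().setCryptFactory(new SessionKeyCryptFactory());
    }

    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                // Wrap the default strategy so every generated URL is encrypted with the crypt above.
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }
}
```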
