On Wed, Nov 3, 2010 at 7:39 PM, Peter Ertl <pe...@gmx.org> wrote:

> Also, if the userID is the id of the currently logged in user why not just
> store it in your wicket session when logging on to make it inaccessible for
> the client and prevent spoof altogether?

Obviously this is more secure. And also not even necessary - the ID can be directly in the link's model, so you can have dozens of links on the page, all to edit different users, rather than having a single ID in the session. That's the whole premise Wicket is built around.

But, you missed this part of the thread apparently:

On Mon, Nov 1, 2010 at 5:09 PM, James Carman <ja...@carmanconsulting.com> wrote:

> You could pass the "id" of the object (if possible) as a
> PageParameter. You can then use a bookmarkable URL for your page.
> You'll have to lookup the object from the db, though. Again, this is
> only possible if the object is an "entity."

That part of the thread is what I was replying to - that it was then insecure because the DB ID is in the URL. This is not a standard way of doing most links in Wicket - because of the security leak....

--
Jeremy Thomerson
http://wickettraining.com
*Need a CMS for Wicket? Use Brix! http://brixcms.org*
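The contrast discussed in this message, as an added example that is not part of the original thread and is not Wicket code: a plain-Java model in which one link style keeps the ID in server-side session state and the other takes it from the URL. All class, method and URL names are hypothetical, the data is constructed, and the ownership check on the URL path is an assumed mitigation that the thread does not spell out.

```java
import java.util.*;

/** Plain-Java model of the two link styles. Not Wicket API; all names are hypothetical. */
public class LinkIdDemo {
    // Constructed sample data: user record id -> account allowed to edit it.
    static final Map<Long, String> OWNER = Map.of(101L, "alice", 102L, "bob");

    /** Per-session state: the URL carries only an index into this list; the id stays server-side. */
    static class Session {
        final String account;
        final List<Long> linkTargets = new ArrayList<>();
        Session(String account) { this.account = account; }

        /** Render a link whose target id is held in the session; returns the URL sent to the client. */
        String addLink(long userId) {
            linkTargets.add(userId);
            return "/app?link=" + (linkTargets.size() - 1);
        }

        /** Click handler: the index can only resolve to ids this session rendered itself. */
        Optional<Long> click(int index) {
            return index >= 0 && index < linkTargets.size()
                ? Optional.of(linkTargets.get(index)) : Optional.empty();
        }
    }

    /** Bookmarkable style: the id is client-controlled, so it is checked against the session. */
    static Optional<Long> openBookmarkable(Session s, String idParam) {
        long id;
        try { id = Long.parseLong(idParam); }
        catch (NumberFormatException e) { return Optional.empty(); }
        return s.account.equals(OWNER.get(id)) ? Optional.of(id) : Optional.empty();
    }

    public static void main(String[] args) {
        Session alice = new Session("alice");
        System.out.println(alice.addLink(101L));             // URL exposes no database id
        System.out.println(alice.click(0));                  // resolves server-side
        System.out.println(alice.click(1));                  // altered index reaches nothing
        System.out.println(openBookmarkable(alice, "101"));  // own record: allowed
        System.out.println(openBookmarkable(alice, "102"));  // edited id: rejected by the check
        System.out.println(openBookmarkable(alice, "x"));    // malformed id: rejected
    }
}
```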