You're taking the statement "Wicket is Secure by default" out of its context. The full statement is "Wicket is secure by default. URLs do not expose sensitive information and all component paths are session-relative. Explicit steps must be taken to share information between sessions. Furthermore URL encryption allows highly secure web sites."
The statement has nothing to do with authorisation and authentication, but with common security pitfalls when designing web applications which may result in exposing sensitive information, e.g. JavaScript-related security holes in your pages.

Authorisation & authentication are in a completely different ballpark. The features of wicket auth & annotation-based security can be used to integrate Wicket with either Spring Security or Apache Shiro; they are certainly not a replacement for those frameworks (although those frameworks offer alternative ways to declare authorisation requirements).

So use Spring Security or Apache Shiro if you want to integrate authorisation and authentication into your web app, and don't want to reinvent the wheel yourself. Wicket doesn't know what LDAP is, or SSO, or how to control access to resources other than Wicket components.

On Monday, September 19, 2011 1:53 AM, "Zilvinas Vilutis" <cika...@gmail.com> wrote:
> Hi all Wicket users.
>
> While I was trying to design a wicket app in my mind - the first thing
> I thought of was authentication and ( spring ) security.
>
> I know that "wicket is secure" by default ( a quote from wicket
> features? :), we can use wicket auth & annotation based security.
> Wicket will automatically redirect to original page after login.
>
> So...did anyone think of it - what is the real reason to use spring or
> other security framework ( shiro? ) for authentication? what benefits
> does it bring apart from some standards & overhead for the app? is it
> integration with other auth systems ( OpenID, Facebook login or
> whatever )? or what?
>
> Just pennies for thought...
>
> Žilvinas Vilutis
>
> Mobile: (+1) 623 330 6048
> E-mail: cika...@gmail.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
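
The division of labour described in the reply, as an added example that is not part of the original thread: a hypothetical `SpringBackedSession` in which wicket-auth-roles keeps guarding Wicket components while Spring Security decides who the user is and which roles they hold. It assumes Wicket 1.5+ package names, wicket-spring's `@SpringBean` injection, and exactly one `AuthenticationManager` bean in the Spring context.

```java
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.injection.Injector;
import org.apache.wicket.request.Request;
import org.apache.wicket.spring.injection.annot.SpringBean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical session class (name is illustrative). Wicket only asks
// "is this user signed in, and with which roles?"; Spring Security answers.
public class SpringBackedSession extends AuthenticatedWebSession {

    // Assumption: a single AuthenticationManager bean (LDAP, DB, SSO, ...).
    @SpringBean
    private AuthenticationManager authenticationManager;

    // Roles granted at sign-in, kept in the (serializable) Wicket session.
    private final Roles roles = new Roles();

    public SpringBackedSession(Request request) {
        super(request);
        Injector.get().inject(this); // resolves the @SpringBean field
    }

    @Override
    public boolean authenticate(String username, String password) {
        roles.clear();
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            if (!result.isAuthenticated()) {
                return false;
            }
            for (GrantedAuthority authority : result.getAuthorities()) {
                roles.add(authority.getAuthority()); // e.g. "ROLE_ADMIN"
            }
            return true;
        } catch (AuthenticationException e) {
            return false; // bad credentials, locked account, ...: fail closed
        }
    }

    @Override
    public Roles getRoles() {
        // Signed-out sessions never report roles.
        return isSignedIn() ? roles : new Roles();
    }
}
```

The class covers only the Wicket-side hand-off; Spring Security's own filter chain and security context are not configured here, so non-Wicket resources still need to be protected by the framework itself.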