Hello, I'm migrating from wicket 1.4 to 1.5 and I am looking to port the cross site request forgery (CSRF) protection from wicket 1.4.
In 1.4, the recommended way[1] is to use CryptedUrlWebRequestCodingStrategy:

    // MyWebApplication.java
    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                // wrap the default coding strategy so that URLs are encrypted
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }

In 1.5, this has been removed and we're asked to use org.apache.wicket.request.mapper.CryptoMapper[2] instead:

    // MyWebApplication.java
    @Override
    protected void init() {
        ...
        mountPage("login", LoginPage.class);
        ...
        // must be last call in init()
        IRequestMapper cryptoMapper = new CryptoMapper(getRootRequestMapper(), this);
        setRootRequestMapper(cryptoMapper);
    }

While this solves the CSRF problem, there is a big issue with this: there is no longer a page mapped to "login". If this were a quickstart, http://localhost:8080/login gives a 404.

In wicket 1.4, LoginPage would be accessible via http://localhost:8080/login, and any other page similarly mounted would give a friendly URL if you landed on it. The only time anything would be encrypted would be during form posts, which was perfect because that was the only time I'd need it.

In wicket 1.5, is there a way to bring this behavior back? Or am I doing something wrong? Or is there another recommended way of protecting against CSRF attacks?

Thanks for any help,
- Dan

[1] From comments in https://issues.apache.org/jira/browse/WICKET-1885
[2] https://cwiki.apache.org/WICKET/migration-to-wicket-15.html#MigrationtoWicket1.5-Listofrenamedclassesandmethods