Hi,
On Sat, Oct 18, 2025 at 1:05 AM Jonathan Babie <[email protected]>
wrote:
> Hello,
>
> We're running in to a situation where we are using Spring Security in
> conjunction with CryptoMapper, as a result of this, all of the Wicket
> resource URLs ('/wicket/resource') are being encrypted and I have no
> consistent path to use to prevent Spring from securing those endpoints.
>
> This causes two issues:
>
> 1.
> Once I successfully authenticate, my security context is re-fetched for
> resource endpoints
> 2.
> Mounted bookmarkable pages which don't require authentication (i.e. access
> denied, internal error) cannot pull resources
>
> Is there a recommended way to deal with this? The only solution we have at
> this point is to configure a custom CryptoMapper will not encrypt requests
> which are instances of ResourceReferenceRequestHandler or
> ResourceStreamRequestHandler.
>
Or, you could wrap the CryptoMapper with a mapper that adds/removes a
segment in the Url that could be used by the Spring Security config to
recognize such resource urls.
E.g. it could prepend a segment, like
"/res/TheHashedSegmentsFromCryptoMapper". Now "/res" could be used by the
Spring Security config to treat them as you like.
>
> Does this sound like a good approach or is there something we're missing?
> Any information would be appreciated and thank you for your time.
>
> Thank you,
>
> Jonathan Babie
>
> Notice: This communication, including any attachments, is intended solely
> for the use of the individual or entity to which it is addressed. This
> communication may contain information that is protected from disclosure
> under State and/or Federal law. Please notify the sender immediately if you
> have received this communication in error and delete this email from your
> system. If you are not the intended recipient, you are requested not to
> disclose, copy, distribute or take any action in reliance on the contents
> of this information.
>
