Thanks very much for the suggestion, we'll go that route!

Thank you,

Jonathan Babie

________________________________
From: Martin Grigorov <[email protected]>
Sent: Tuesday, October 21, 2025 1:31 AM
To: [email protected] <[email protected]>
Subject: Re: Spring Security & Encrypted URL Configuration

Hi,

On Sat, Oct 18, 2025 at 1:05 AM Jonathan Babie <[email protected]>
wrote:

> Hello,
>
> We're running into a situation where we are using Spring Security in
> conjunction with CryptoMapper. As a result of this, all of the Wicket
> resource URLs ('/wicket/resource') are being encrypted and I have no
> consistent path to use to prevent Spring from securing those endpoints.
>
> This causes two issues:
>
>   1. Once I successfully authenticate, my security context is re-fetched for
>      resource endpoints
>   2. Mounted bookmarkable pages which don't require authentication (i.e. access
>      denied, internal error) cannot pull resources
>
> Is there a recommended way to deal with this? The only solution we have at
> this point is to configure a custom CryptoMapper that will not encrypt requests
> which are instances of ResourceReferenceRequestHandler or
> ResourceStreamRequestHandler.
>

Or, you could wrap the CryptoMapper with a mapper that adds/removes a
segment in the Url that could be used by the Spring Security config to
recognize such resource urls.
E.g. it could prepend a segment, like
"/res/TheHashedSegmentsFromCryptoMapper". Now "/res" could be used by the
Spring Security config to treat them as you like.



>
> Does this sound like a good approach or is there something we're missing?
> Any information would be appreciated and thank you for your time.
>
> Thank you,
>
> Jonathan Babie
>
> Notice: This communication, including any attachments, is intended solely
> for the use of the individual or entity to which it is addressed. This
> communication may contain information that is protected from disclosure
> under State and/or Federal law. Please notify the sender immediately if you
> have received this communication in error and delete this email from your
> system. If you are not the intended recipient, you are requested not to
> disclose, copy, distribute or take any action in reliance on the contents
> of this information.
>
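
A sketch of the wrapping mapper suggested in the reply above, added here as an example; it is not code from the thread or from the Wicket project. The class name `ResourcePrefixMapper` and the `res` constant are hypothetical, and the unwrapping through `IRequestHandlerDelegate` assumes the wrapped CryptoMapper may return resource handlers inside a delegating handler.

```java
import org.apache.wicket.request.*;
import org.apache.wicket.request.handler.resource.*;

// Hypothetical wrapper around CryptoMapper: tags encrypted resource URLs with "/res".
public class ResourcePrefixMapper implements IRequestMapper {
    public static final String PREFIX = "res"; // assumed name, from the "/res" in the reply
    private final IRequestMapper delegate;     // expected to be the CryptoMapper

    public ResourcePrefixMapper(IRequestMapper delegate) { this.delegate = delegate; }

    private static boolean isResource(IRequestHandler h) {
        // Assumption: the handler may arrive wrapped in a delegating handler, so unwrap first.
        while (h instanceof IRequestHandlerDelegate) {
            h = ((IRequestHandlerDelegate) h).getDelegateHandler();
        }
        return h instanceof ResourceReferenceRequestHandler
            || h instanceof ResourceStreamRequestHandler;
    }

    private static boolean hasPrefix(Url url) {
        return !url.getSegments().isEmpty() && PREFIX.equals(url.getSegments().get(0));
    }

    private static Request strip(Request request) {
        Url url = new Url(request.getUrl()); // copy; the incoming request stays untouched
        url.removeLeadingSegments(1);
        return request.cloneWithUrl(url);
    }

    @Override
    public Url mapHandler(IRequestHandler handler) {
        Url url = delegate.mapHandler(handler);
        if (url != null && isResource(handler)) {
            url = new Url(url);
            url.getSegments().add(0, PREFIX); // "/res/<encrypted segments>"
        }
        return url;
    }

    @Override
    public IRequestHandler mapRequest(Request request) {
        if (!hasPrefix(request.getUrl())) return delegate.mapRequest(request);
        IRequestHandler handler = delegate.mapRequest(strip(request));
        // "/res/**" is exempt from authentication in Spring, so only resources may resolve here.
        return isResource(handler) ? handler : null;
    }

    @Override
    public int getCompatibilityScore(Request request) {
        return delegate.getCompatibilityScore(hasPrefix(request.getUrl()) ? strip(request) : request);
    }
}
```

It would be installed in the application's `init()` with `setRootRequestMapper(new ResourcePrefixMapper(new CryptoMapper(getRootRequestMapper(), this)))`, with the Spring Security configuration permitting `/res/**`. The check in `mapRequest` keeps that exempt prefix from resolving to pages or listeners.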