Arthur Ahiceh wrote:
>>> 4. Yes. See mailing list for earlier answers. There are more hardening
>>> options such as encrypting urls.
>>>
>
> Even encrypting the urls Wicket is vulnerable to CSRF because the key used
> to encrypt is shared by all users of application. Wicket is an extensible
> framework where you can add some new functionality "easily" but it doesn't
> provide any secure solution by default to protect you against CSRF attacks!

Correct indeed. Also note, I did not use the word 'easily' :)

Regards,
    Erik.

--
Erik van Oosten
http://day-to-day-stuff.blogspot.com/
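
The point made in this exchange, as an added example that is not part of the original messages and is not Wicket code: a URL sealed under an application-wide key is accepted in every user's session, while one sealed under a per-session key is accepted only in the session it was rendered for. `Session`, `seal`, `unseal` and the handlers are hypothetical names, the action string is constructed, and a keyed MAC stands in for URL encryption.

```python
import hashlib
import hmac
import secrets

APP_KEY = secrets.token_bytes(32)  # one key shared by every user (the case discussed)

class Session:
    """Hypothetical server-side session holding its own random key."""
    def __init__(self, user: str):
        self.user = user
        self.key = secrets.token_bytes(32)

def seal(key: bytes, action: str) -> str:
    """Stand-in for URL encryption: hex(action) + '.' + HMAC tag under `key`."""
    tag = hmac.new(key, action.encode(), hashlib.sha256).hexdigest()
    return "/app?x=" + action.encode().hex() + "." + tag

def unseal(key: bytes, url: str):
    """Return the action if `url` was sealed under `key`, otherwise None."""
    try:
        body, tag = url.split("?x=", 1)[1].split(".")
        action = bytes.fromhex(body).decode()
    except (IndexError, ValueError):
        return None
    expected = hmac.new(key, action.encode(), hashlib.sha256).hexdigest()
    return action if hmac.compare_digest(tag.encode(), expected.encode()) else None

def handle_shared(session: Session, url: str):
    """Application-wide key: any user's sealed URL is valid in any session."""
    return unseal(APP_KEY, url)

def handle_per_session(session: Session, url: str):
    """Per-session key: only URLs rendered for this session are accepted."""
    return unseal(session.key, url)

def demo():
    alice, other = Session("alice"), Session("other-user")
    # URLs rendered for other-user, later requested from alice's session.
    shared_url = seal(APP_KEY, "change-email")
    bound_url = seal(other.key, "change-email")
    return (handle_shared(alice, shared_url),
            handle_per_session(alice, bound_url),
            handle_per_session(other, bound_url))

if __name__ == "__main__":
    print(demo())
```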