[ https://issues.apache.org/jira/browse/WICKET-5326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13759039#comment-13759039 ]

Walter B. Rasmann commented on WICKET-5326:
-------------------------------------------

Hello Jesse,

It also seems to me that the "home page" could have the same behavior as 
mounted pages in that it should stay reachable by an unencrypted URL and should 
be referenced by that URL in Wicket, when it is constructed using the 
PageParameters constructor or the no-args constructor. This should be true only 
for the page itself and not for URLs referencing other objects (like Ajax URLs 
etc.). 

I think it would be nice to find conditions for the page to be referenced and 
reachable by an unencrypted URL and not the other way round. This might need 
more work, but seems the right approach.

What you wrote under 2. is possibly not completely true for us. We use 
CryptoMapper with KeyInSessionSunJceCryptFactory as the "CryptFactory" (this 
was the default in Wicket 1.4). That means that the URLs are different in every 
session.
                
> Wicket doesn't encrypt links and Ajax URLs when CryptoMapper is used
> --------------------------------------------------------------------
>
>                 Key: WICKET-5326
>                 URL: https://issues.apache.org/jira/browse/WICKET-5326
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 6.10.0
>         Environment: Linux
>            Reporter: Walter B. Rasmann
>              Labels: security
>         Attachments: 5326.tar.gz
>
>
> URL encryption does not work in Wicket links and Ajax URLs.
> For links the URL appears unencrypted in the href attribute value and is only 
> later forwarded to the encrypted URL using a 302 response.
> I am uploading a quickstart.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira