there was already a thread about this: http://www.nabble.com/Security-Features-offered-by-Wicket-td15738864.html#a15738864
also in any framework if you remove hidden fields you HAVE TO HAVE a session, this is coming from the same people who say wicket is too heavy weight because it uses session? once you store that stuff in session you also have the versioning problem due to backbutton, so you have to build a wicket like versioning to deal with session values... so in the end you rebuild wicket :)

-igor

On Wed, Jul 30, 2008 at 1:59 PM, Korbinian Bachl - privat <[EMAIL PROTECTED]> wrote:
> Hi,
>
> under
> http://www.theserverside.com/tt/articles/article.tss?l=AreJavaWebApplicationsSecure
> is an article covering java WebApps & security; On part 2 it also looks at
> webframeworks for java including wicket 1.3.x - it mentions
>
> "Wicket has only one component (HiddenField) vulnerable to integrity
> attacks."
>
> maybe this gap could be closed? Also the rest seems also quite interesting.
>
> Best,
>
> Korbinian
