Hi, https://issues.apache.org/jira/browse/WICKET-5012 explains a problem that there is no authorization for requests to IResource.
A possible solution for this problem can be found in branch '5012-authorize-resources'. The diff can be seen at: https://git-wip-us.apache.org/repos/asf/wicket/repo?p=wicket.git;a=commitdiff;h=88b5d5cb482bc7bb22e2ceb9503e5056b0e89572 It tries to follow the logic for authorizing components. By default a request that is not authorized will lead to a response with error code 403 (Forbidden). Please take a look and give feedback. Thanks!