Hello, I have read the Wicket CSRF related posts on the Wicket forum before posting this question. I could not find one with the detail I am looking for. If I have missed any, please redirect me to the link.
I am looking into CSRF and Wicket 7 default settings. Everything seems fine with the use of CryptoMapper (which by default uses KeyInSessionSunJceCryptFactory) to handle CSRF attacks. But I am not sure if Wicket still protects against CSRF if CryptoMapper is not used. Does the default mapper inherently use KeyInSessionSunJceCryptFactory? The documentation says KeyInSessionSunJceCryptFactory is the default only for ICrypt implementation objects. If not, then should one use CsrfPreventionRequestCycleListener? If default anti-CSRF protection is already set, like CryptoMapper, which Wicket source class can I look into for a better understanding?

Thanks in advance,
-Mihir.
