This is a request coding strategy which encrypts the URL and hence makes it impossible for users to guess what is in the URL and rebuild it manually. It uses the CryptFactory registered with the application to encode and decode the URL. Hence, the coding algorithm must be a two-way one (reversible). Because the algorithm is reversible, URLs which were bookmarkable before will remain bookmarkable.
To register the request coding strategy you need to do the following:
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }
Note: When someone tries to hack URLs in the browser, an exception might be caught while decoding the URL. By default, for safety reasons, a very simple WicketRuntimeException is thrown. The original stack trace is only logged.
Note: by default Wicket uses org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory to encrypt the query string. KeyInSessionSunJceCryptFactory creates a unique encryption key per session and uses the session as persistence store. Hence stateless pages will create a session as well and are no longer stateless. You may avoid that by implementing your own ICryptFactory which, for example, uses an application-wide encryption key and thus doesn't need a session. You can register your own ICryptFactory via Application.getSecuritySettings().setCryptFactory().
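One way to write the application-wide ICryptFactory described in the note above. This is an added example, not Wicket's own code. It assumes the Wicket 1.4 ICrypt interface with setKey(String); the class names, the environment variable name and the 16-character minimum are hypothetical choices.

```java
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.ICryptFactory;
import org.apache.wicket.util.crypt.SunJceCrypt;

/** Crypt factory that uses one application-wide key, so no session is needed. */
class AppWideKeyCryptFactory implements ICryptFactory {
    // Hypothetical variable name; the key is kept out of source control.
    static final String KEY_ENV = "WICKET_URL_CRYPT_KEY";
    // Assumed minimum length for this example, not a Wicket requirement.
    static final int MIN_KEY_LENGTH = 16;

    private final String key;

    AppWideKeyCryptFactory() {
        String k = System.getenv(KEY_ENV);
        // Fail closed at startup instead of falling back to a default or empty key.
        if (k == null || k.length() < MIN_KEY_LENGTH) {
            throw new IllegalStateException(KEY_ENV + " must hold a secret of at least "
                    + MIN_KEY_LENGTH + " characters");
        }
        this.key = k;
    }

    public ICrypt newCrypt() {
        // The same key is used for every request, with or without a session.
        ICrypt crypt = new SunJceCrypt();
        crypt.setKey(key);
        return crypt;
    }
}

/** Hypothetical base class; the real application class extends it. */
abstract class SharedKeyApplication extends WebApplication {
    @Override
    protected void init() {
        super.init();
        // Replaces the default KeyInSessionSunJceCryptFactory.
        getSecuritySettings().setCryptFactory(new AppWideKeyCryptFactory());
    }
}
```

With a shared key, a URL encrypted for one user decodes in any other user's session, so authorization checks on the target page must not rely on the URL being unreadable.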
@author Juergen Donnerstag