October 3, 2013

Review of Instant Apache Wicket 6

During the last day I had the pleasure of reading a beginner's book for Apache Wicket 6, Instant Apache Wicket 6 http://bit.ly/15w4LEI. The book is good; it takes the reader through the most important steps to get started with Apache Wicket, such as creating a new project, how to use the fast Jetty web server to view your Wicket pages and, maybe the most important thing, how to debug a Wicket application with the Eclipse IDE. So if you are looking for a beginner's book for Apache Wicket 6, I can recommend this book.

But as with all beginners' books, you should be a little careful about copying example code straight into your production code. One such example in this book is the login example. Writing secure login code is actually a little tricky and requires extra care. Things you must take into consideration when writing login code are:

  • Login pages must be completely stateless, which means that once the form has been submitted by the client it must be totally forgotten. You do not want sensitive data such as the password to be reachable by clicking the browser's back button, or to be kept in the server-side session or page store. Apache Wicket is, out of the box, almost always stateful, so statelessness has to be asked for explicitly.
  • Paying extra attention to session management is always important. Store the session id in a cookie and never in the URL (URL rewriting), since URLs end up in web server logs, proxy logs, the client's browser history, Referer headers, etc.
  • Always set a session timeout.
  • Make the session cookie inaccessible to client-side script by setting the HttpOnly flag, and mark it Secure so the browser never sends it over plain HTTP.
  • And of course always use SSL/TLS, even (especially) for the login page: the credentials travel in the POST body, and a login page served over plain HTTP can be modified in transit before the user has typed anything.

The above is just a handful of the things you should pay attention to when writing security-sensitive code.
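As an added example of how the points above translate into code (this is not code from the book, and not part of Wicket itself), here is a stateless Wicket 6 login page together with the Servlet 3.0 session settings it relies on. It assumes a file LoginPage.java in a package com.example.login, a matching LoginPage.html with wicket:id="feedback", "form", "username" and "password", an application that extends AuthenticatedWebApplication from wicket-auth-roles so that AuthenticatedWebSession.get().signIn(...) checks the credentials, a Servlet 3.0 container (Jetty 8 or later), and a 15 minute timeout as the assumed policy value.

```java
package com.example.login; // assumed package name

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.RequiredTextField;
import org.apache.wicket.markup.html.form.StatelessForm;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.Model;
import org.apache.wicket.request.http.WebResponse;

/**
 * Stateless login page. Assumes LoginPage.html declares the component ids used
 * below and that the application extends AuthenticatedWebApplication.
 */
public class LoginPage extends WebPage {
    private static final long serialVersionUID = 1L;

    public LoginPage() {
        // A stateless page gets a bookmarkable URL and is never written to the
        // page store, so nothing typed into the form survives the request.
        setStatelessHint(true);
        add(new FeedbackPanel("feedback"));
        add(new LoginForm("form"));
    }

    @Override
    protected void setHeaders(WebResponse response) {
        // Wicket's WebPage already sends no-cache headers by default; the
        // override pins that down so "back" re-requests the page instead of
        // replaying a cached copy from the browser or a proxy.
        response.disableCaching();
    }

    private static final class LoginForm extends StatelessForm<Void> {
        private static final long serialVersionUID = 1L;

        // Models live on the form, and the form is discarded with the request,
        // so the password never lands in the server-side session.
        private final Model<String> username = Model.of("");
        private final Model<String> password = Model.of("");

        LoginForm(String id) {
            super(id);
            add(new RequiredTextField<String>("username", username));
            // setResetPassword(true) is the default: after a failed attempt the
            // field is rendered empty instead of echoing the password back.
            add(new PasswordTextField("password", password).setResetPassword(true));
        }

        @Override
        protected void onSubmit() {
            boolean ok = AuthenticatedWebSession.get().signIn(username.getObject(), password.getObject());
            // Drop the submitted password from the model whatever the outcome.
            password.setObject(null);
            if (ok) {
                // Issue a new session id at the privilege boundary (session fixation).
                getSession().replaceSession();
                setResponsePage(getApplication().getHomePage());
            } else {
                error("Invalid username or password");
            }
        }
    }
}

/**
 * Servlet 3.0 session cookie and timeout settings. Wicket's WebApplication.init()
 * runs after the ServletContext is initialized, when SessionCookieConfig can no
 * longer be changed, so these belong in a context listener (or in web.xml as
 * <session-config> with <cookie-config> and <tracking-mode>).
 */
@WebListener
class SessionHardening implements ServletContextListener, HttpSessionListener {
    private static final int TIMEOUT_SECONDS = 15 * 60; // assumed policy value

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from client-side script
        cookie.setSecure(true);   // only ever sent over SSL/TLS
        // Never rewrite ;jsessionid= into URLs, which end up in logs and history.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        se.getSession().setMaxInactiveInterval(TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) { }
}
```

One caveat worth checking: a single stateful component on the page (a Link with an onClick, an Ajax behaviour) silently turns the whole page stateful again, and the URL gets a page id. In development mode the wicket-devutils module's StatelessChecker, registered with getComponentPreOnBeforeRenderListeners().add(new StatelessChecker()) in the application's init() and combined with the @StatelessComponent annotation on the page, fails fast when that happens rather than letting it slip into production.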

I'm a great Wicket fan, and Wicket has a lot of ready-to-use graphical components, such as DatePicker, paginated lists, sortable lists, multiple file upload, etc. You can see a lot of them in action at http://www.wicket-library.com/wicket-examples/index.html.

Also, if you need more Wicket components, look at the different wicketstuff projects. To get an overview of them all, search the Maven Central repository at http://search.maven.org/#search|ga|1|org.wicketstuff.
