Important notes before you start
With version 9 Wicket introduced a content security policy (CSP) active by default which prevents inline JavaScript and CSS code from been executed. If you are not planning to make your web app CSP compliant you can disable this policy using a simple line of code during app initialization:
| Code Block |
|---|
| language | java |
|---|
| title | disable csp |
|---|
|
public void init() {
getCspSettings().blocking().disabled();
} |
For more details see CSP paragraph .
Changes
Component placeholders and form hidden fields
Hidden markup generated by Component placeholders and forms is no longer hidden with style="display:none;" but with HTML5 "hidden" attribute instead:
https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/hidden
Applications must ensure that their CSS do not reveal this markup, e.g. by falsely changing the CSS display:
| Code Block |
|---|
|
/* applied to *all* divs, including hidden */
div {
display: flex;
}
/* fix */
*[hidden] {
display: none;
} |
IPageStore rework
| Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6563 |
|---|
|
...
The order of siblings' PriorityHeaderItems are now preserved.
Content Security Policy | Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6733 |
|---|
|
A strict content security policy (CSP) is now in effect in Wicket 9. This policy forbids any inline javascript and styling. This includes inline javascript event handlers. This CSP greatly enhances the security of a web application, but it can be difficult to make a large application compliant. See
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6687 |
|---|
|
for the changes that were made in Wicket for this change.The documentation on the configuration of the CSP and guidelines for fixing violations can be found in the user guide: https://ci.apache.org/projects/wicket/guide/9.x/single.html#_content_security_policy_csp
While we do not recommend disabling the CSP entirely, this can be done with one line of code in your application's init method:
getCspSettings().blocking().disabled();
Disabling the CSP will not make your application less secure than it was with Wicket 8, but you will miss the extra protection against attacks like XSS.
Flush and detach (and asynchronous page serialization)
Since Wicket 8.x pages were serialized asynchronously by default
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6177 |
|---|
|
, i.e. requests are processed, detached and flushed to the client without waiting for the serialization of the touched pages. This feature was introduced to reduce the response time for requests to Wicket pages.However this resulted in possible race conditions, when consecutive requests hit an identical page instance, which is still under process of serialization from a prior request.
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6702 |
|---|
|
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6831 |
|---|
|
presents a better solution to this problem: Pages are always serialized synchronously now (storing the serialized data in a persistent storage is still done asynchronously though). But the request is now flushed to the client before detaching of the RequestCycle - besides other clean-up of the request this includes serialization of all touched pages IRequestCycleListener#onEndRequest(), RequestCycle#onEndRequest() and Session#endRequest() are called before flush, thus allowing code to create | Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6847 |
|---|
|
or invalidate a session | Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6848 |
|---|
|
.Note: This improvement was backported to WIcket 8.11.0.
API Changes
Deprecate package org.apache.wicket.util.time from wicket-util
| Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6662 |
|---|
|
Wicket used custom classes from package org.apache.wicket.util.time to handle and manipulate time entities such as "duration" or "current instant".
These classes have been replaced with standard Java 8 classes java.time.Duration and java.time.Instant.
Deprecate src/main/java/org/apache/wicket/util/collections/MicroMap.java from wicket-util
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6783 |
|---|
|
Map#of(Object, Object) should be used instead
Deprecate ModalWindow from wicket-extension
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6666 |
|---|
|
ModalWindow was deprecated and its usage should be replaced with the new ModalDialog implementation.
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6729 |
|---|
|
Applications now support multiple decorators for header responses. This simplifies adding a decorator:
| Code Block |
|---|
| language | java |
|---|
| title | Wicket 9.x |
|---|
|
// improved API
getHeaderResponseDecorators().add(response -> new CustomResponse(response)); |
With the deprecated API you were required to keep a ResourceAggregator around. Its usage is not recommended, since it prevents usage of CSP (see above):
| Code Block |
|---|
| language | java |
|---|
| title | Wicket 8.x |
|---|
|
// deprecated API
setHeaderResponseDecorator(response -> new ResourceAggregator(new CustomResponse())); |
Move ConversationPropagator.getPage
The method ConversationPropagator.getPage(IRequestHandler) has been moved to IPageRequestHandler.
Removals
Utility class available in JDK is removed | Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6783 |
|---|
|
wicket-util/src/main/java/org/apache/wicket/util/collections/ConcurrentHashSet.java
Removed from wicket-core all the deprecated classes
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6562 |
|---|
|
...
Several workarounds for older browsers were removed. The special JavaScript event "inputchange" for IE is no longer supported and should be replaced with the standard "input change" instead.
The Ajax debug-window was removed, users should use their favorite browser's JS console instead.
AjaxFormChoiceComponentUpdatingBehavior and FormComponentUpdatingBehavior "change" event
| Jira |
|---|
| server | ASF JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6718 |
|---|
|
Behaviors to update form components always use the "change" JavaScript event now, the previous workaround with "click" for IE<9 was removed.
Dependencies
Wicket 9.0 requires Java 11
...
The old wicket-cdi module based on CDI 1.0 has been replaced removed. The with wicket-cdi-1.1 module (based on CDI 1.1), which has been updated to CDI 2.0 and renamed to wicket-cdi. No code change or API break has been required for this update, hence those . Those who were using wicket-cdi-1.1 should have no problem migrating switch to the new wicket-cdi module. No other steps are needed. Anyone still using the old wicket-cdi module should migrate to CDI 2.0.
Use JQuery 3.x by default | Jira |
|---|
| server | ASF JIRA |
|---|
| serverId | 5aa69414-a9e9-3523-82ec-879b028fb15b |
|---|
| key | WICKET-6596 |
|---|
|
...