Child pages
  • Migration to Wicket 9.0
Skip to end of metadata
Go to start of metadata

Important notes before you start

With version 9 Wicket introduced a content security policy (CSP) active by default which prevents inline JavaScript and CSS code from been executed. If you are not planning to make your web app CSP compliant you can disable this policy using a simple line of code during app initialization:

disable csp
public void init() {

For more details see CSP paragraph .


Component placeholders and form hidden fields

Hidden markup generated by Component placeholders and forms is no longer hidden with style="display:none;" but with HTML5 "hidden" attribute instead:

Applications must ensure that their CSS do not reveal this markup, e.g. by falsely changing the CSS display:

/* applied to *all* divs, including hidden */
div {
  display: flex;


/* fix */
*[hidden] {
  display: none;

IPageStore rework WICKET-6563 - Getting issue details... STATUS

Storage of pages was reworked:

  • PageStoreManager was broken up into specific managers for storing pages in the request and session and further storage
  • IPageStore and IDataStore were unified

Most application code should be uneffected by this change, IPageManager stays the central mediator between the application and page storage(s).
Users might consider utilizing new features as:

  • CryptingPageStore for encryption of persisted pages
  • FilePageStore with improvements for storing of pages that receive alternating requests

Stores in were also updated.

PriorityHeadItems siblings ordering  WICKET-6673 - Getting issue details... STATUS

The order of siblings' PriorityHeaderItems are now preserved.

Content Security Policy   WICKET-6733 - Getting issue details... STATUS

A strict content security policy (CSP) is now in effect in Wicket 9. This policy forbids any inline javascript and styling. This includes inline javascript event handlers. This CSP greatly enhances the security of a web application, but it can be difficult to make a large application compliant. See  WICKET-6687 - Getting issue details... STATUS  for the changes that were made in Wicket for this change.

The documentation on the configuration of the CSP and guidelines for fixing violations can be found in the user guide:

While we do not recommend disabling the CSP entirely, this can be done with one line of code in your application's init method:


Disabling the CSP will not make your application less secure than it was with Wicket 8, but you will miss the extra protection against attacks like XSS.

API Changes

Deprecate package org.apache.wicket.util.time from wicket-util WICKET-6662 - Getting issue details... STATUS

Wicket used custom classes from package org.apache.wicket.util.time to handle and manipulate time entities such as "duration" or "current instant".
These classes have been replaced with standard Java 8 classes java.time.Duration and java.time.Instant.

Deprecate src/main/java/org/apache/wicket/util/collections/ from wicket-util  WICKET-6783 - Getting issue details... STATUS

Map#of(Object, Object) should be used instead

Deprecate ModalWindow from wicket-extension WICKET-6666 - Getting issue details... STATUS

ModalWindow was deprecated and its usage should be replaced with the new ModalDialog implementation.

Deprecate Appliation#setHeaderResponseDecorator() WICKET-6729 - Getting issue details... STATUS

Applications now support multiple decorators for header responses. This simplifies adding a decorator, since you no longer have to remind to keep a ResourceAggregator around:

Wicket 8.x
// deprecated API
setHeaderResponseDecorator(response -> new ResourceAggregator(new CustomResponse()));
Wicket 9.x
// improved API 
getHeaderResponseDecorators().add(response -> new CustomResponse(response));

Move ConversationPropagator.getPage

The method ConversationPropagator.getPage(IRequestHandler) has been moved to IPageRequestHandler.


Utility class available in JDK is removed  WICKET-6783 - Getting issue details... STATUS


Removed from wicket-core all the deprecated classes WICKET-6562 - Getting issue details... STATUS

Several deprecated classes were removed from wicket-core:

  • org/apache/wicket/

  • org/apache/wicket/markup/

  • org/apache/wicket/model/

  • org/apache/wicket/model/

  • org/apache/wicket/protocol/http/documentvalidation/

  • org/apache/wicket/protocol/http/documentvalidation/

  • org/apache/wicket/protocol/http/documentvalidation/

  • org/apache/wicket/protocol/http/documentvalidation/

  • org/apache/wicket/protocol/http/documentvalidation/

  • org/apache/wicket/protocol/http/documentvalidation/

  • org/apache/wicket/request/cycle/

Browser User agent detection WICKET-6544 - Getting issue details... STATUS

Wicket's user agent detection was removed (was deprecated in Wicket 8.x), as the API and implementation was not sufficient for modern browsers. Users are encouraged to utilize

IE<11 and other browser workarounds WICKET-6667 - Getting issue details... STATUS

Several workarounds for older browsers were removed. The special JavaScript event "inputchange" for IE is no longer supported and should be replaced with the standard "input change" instead.

AjaxFormChoiceComponentUpdatingBehavior and FormComponentUpdatingBehavior "change" event WICKET-6718 - Getting issue details... STATUS

Behaviors to update form components always use the "change" JavaScript event now, the previous workaround with "click" for IE<9 was removed.


Wicket 9.0 requires Java 11

Upgrade JUnit to version 5  WICKET-6595 - Getting issue details... STATUS

All **Tester classes (e.g. WicketTester, FormTester, TagTester, WebSocketTester) now depend on JUnit 5.x instead of 4.x.

Update CDI integration to CDI 2.0 specification  WICKET-6581 - Getting issue details... STATUS

The old wicket-cdi  module based on CDI 1.0  has been removed. The with wicket-cdi-1.1 module (based on CDI 1.1), has been updated to CDI 2.0 and renamed to wicket-cdi. No code change or API break  has been required for this update. Those who were using wicket-cdi-1.1 should switch to the new wicket-cdi  module. No other steps are needed. Anyone still using the old wicket-cdi module should migrate to CDI 2.0.

Use JQuery 3.x by default  WICKET-6596 - Getting issue details... STATUS

JQuery 2.x is not maintained anymore by jQuery team. Wicket will use by default latest available 3.x version.

Upgrade Apache Velocity to 2.x  WICKET-6653 - Getting issue details... STATUS

wicket-velocity module now uses org.apache.velocity:velocity-engine-core:2.1 dependency instead of org.apache.velocity:velocity:1.7. Because of this change there are small API changes in the signature of the Wicket Model used for the variables.

Overall updates

All libraries on which Wicket modules depend are updated to their latest stable versions.
The most notable ones are:

  • Spring Framework 5.x
  • Objenesis 3.x  WICKET-6598 - Getting issue details... STATUS
  • No labels