Important notes before you start
For more details see CSP paragraph .
Component placeholders and form hidden fields
Hidden markup generated by Component placeholders and forms is no longer hidden with style="display:none;" but with HTML5 "hidden" attribute instead:
Applications must ensure that their CSS do not reveal this markup, e.g. by falsely changing the CSS display:
Storage of pages was reworked:
- PageStoreManager was broken up into specific managers for storing pages in the request and session and further storage
- IPageStore and IDataStore were unified
Most application code should be uneffected by this change, IPageManager stays the central mediator between the application and page storage(s).
Users might consider utilizing new features as:
- CryptingPageStore for encryption of persisted pages
- FilePageStore with improvements for storing of pages that receive alternating requests
Stores in https://github.com/wicketstuff/core/wiki/DataStores were also updated.
The order of siblings' PriorityHeaderItems are now preserved.
The documentation on the configuration of the CSP and guidelines for fixing violations can be found in the user guide: https://ci.apache.org/projects/wicket/guide/9.x/single.html#_content_security_policy_csp
While we do not recommend disabling the CSP entirely, this can be done with one line of code in your application's init method:
Disabling the CSP will not make your application less secure than it was with Wicket 8, but you will miss the extra protection against attacks like XSS.
Flush and detach (and asynchronous page serialization)
Since Wicket 8.x pages were serialized asynchronously by default - WICKET-6177Getting issue details... STATUS , i.e. requests are processed, detached and flushed to the client without waiting for the serialization of the touched pages. This feature was introduced to reduce the response time for requests to Wicket pages.
However this resulted in possible race conditions, when consecutive requests hit an identical page instance, which is still under process of serialization from a prior request. - WICKET-6702Getting issue details... STATUS
WICKET-6831Getting issue details...
presents a better solution to this problem: Pages are always serialized synchronously now (storing the serialized data in a persistent storage is still done asynchronously though). But the request is now flushed to the client before detaching of the RequestCycle - besides other clean-up of the request this includes serialization of all touched pages
IRequestCycleListener#onEndRequest(), RequestCycle#onEndRequest() and Session#endRequest() are called before flush, thus allowing code to create - WICKET-6847Getting issue details... STATUS or invalidate a session - WICKET-6848Getting issue details... STATUS .
Note: This improvement was backported to WIcket 8.11.0.
Deprecate package org.apache.wicket.util.time from wicket-util - WICKET-6662Getting issue details... STATUS
Wicket used custom classes from package org.apache.wicket.util.time to handle and manipulate time entities such as "duration" or "current instant".
These classes have been replaced with standard Java 8 classes java.time.Duration and java.time.Instant.
Deprecate src/main/java/org/apache/wicket/util/collections/MicroMap.java from wicket-util - WICKET-6783Getting issue details... STATUS
Map#of(Object, Object) should be used instead
ModalWindow was deprecated and its usage should be replaced with the new ModalDialog implementation.
Applications now support multiple decorators for header responses. This simplifies adding a decorator:
With the deprecated API you were required to keep a ResourceAggregator around. Its usage is not recommended, since it prevents usage of CSP (see above):
The method ConversationPropagator.getPage(IRequestHandler) has been moved to IPageRequestHandler.
Several deprecated classes were removed from wicket-core:
Wicket's user agent detection was removed (was deprecated in Wicket 8.x), as the API and implementation was not sufficient for modern browsers. Users are encouraged to utilize https://github.com/nielsbasjes/yauaa
The Ajax debug-window was removed, users should use their favorite browser's JS console instead.
AjaxFormChoiceComponentUpdatingBehavior and FormComponentUpdatingBehavior "change" event - WICKET-6718Getting issue details... STATUS
Wicket 9.0 requires Java 11
All **Tester classes (e.g. WicketTester, FormTester, TagTester, WebSocketTester) now depend on JUnit 5.x instead of 4.x.
The old wicket-cdi module based on CDI 1.0 has been removed. The with wicket-cdi-1.1 module (based on CDI 1.1), has been updated to CDI 2.0 and renamed to wicket-cdi. No code change or API break has been required for this update. Those who were using wicket-cdi-1.1 should switch to the new wicket-cdi module. No other steps are needed. Anyone still using the old wicket-cdi module should migrate to CDI 2.0.
JQuery 2.x is not maintained anymore by jQuery team. Wicket will use by default latest available 3.x version.
wicket-velocity module now uses org.apache.velocity:velocity-engine-core:2.1 dependency instead of org.apache.velocity:velocity:1.7. Because of this change there are small API changes in the signature of the Wicket Model used for the variables.
All libraries on which Wicket modules depend are updated to their latest stable versions.
The most notable ones are: