Write maintainable, secure and scalable web applications using just Java and HTML
Current release: 7.5.0

Introducing Apache Wicket

Invented in 2004, Wicket is one of the few survivors of the Java server-side web framework wars of the mid-2000s. Wicket is an open source, component-oriented, server-side Java web application framework. With a history of over a decade, it is still going strong and has a solid future ahead. Learn why you should consider Wicket for your next web application.

Work with JavaScript and CSS

Global JavaScript libraries and CSS styling mix properly with component local JavaScript and CSS resources. You can use custom component libraries that ship with default JavaScript behaviour and CSS styling, without having to do anything yourself. Creating such self-contained component libraries is as easy as creating a JAR file.

Projects Using Apache Wicket

Many projects use Wicket but are not known for it. Below you find a list of projects that are Powered by Wicket.

This list is generated from our Tumblr feed 'Built with Wicket'. You can submit your own project to this list through this form.

News about Apache Wicket

Get the latest updates to releases, security bulletins, community news and more.

CVE-2016-6806 Apache Wicket CSRF detection vulnerability

08 Nov 2016

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0 and 8.0.0-M1

Description: Affected versions of Apache Wicket provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.

Mitigation: 6.x users should upgrade to 6.25.0, 7.x users should upgrade to 7.5.0 and 8.0.0-M1 users should upgrade to 8.0.0-M2.

Credit: This issue was discovered by Gerben Janssen van Doorn

References: https://wicket.apache.org/news

Users of Wicket versions prior to 6.20 are not affected because the particular component was introduced in 6.20.0.
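The header logic from the advisory's description, as an added example (not Wicket's own code): consult the Origin header, and fall back to Referer only when no Origin was sent. The class name, the accepted-origin set and the policy of rejecting requests that carry neither header are assumptions made for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration: source-origin check with Referer fallback. Not Wicket's implementation.
public class SourceOriginCheck {
    enum Decision { ALLOW, REJECT }

    // Assumption: the application's own origins, normalised as scheme://host:port.
    static final Set<String> ACCEPTED = Set.of("https://app.example.com:443");

    // Reduce an Origin or Referer value to scheme://host:port; null if it cannot be parsed.
    static String normalise(String headerValue) {
        if (headerValue == null || headerValue.isBlank()) return null;
        try {
            URI uri = new URI(headerValue.trim());
            if (uri.getScheme() == null || uri.getHost() == null) return null; // e.g. "null"
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            int port = uri.getPort();
            if (port == -1) port = scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
            return scheme + "://" + uri.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    static Decision check(String origin, String referer) {
        // Referer is consulted only when no Origin header was provided at all.
        boolean hasOrigin = origin != null && !origin.isBlank();
        String source = normalise(hasOrigin ? origin : referer);
        // Assumed policy: an unparseable or missing source cannot be verified, so reject.
        return source != null && ACCEPTED.contains(source) ? Decision.ALLOW : Decision.REJECT;
    }

    public static void main(String[] args) {
        // Constructed sample requests: {Origin, Referer}
        String[][] samples = {
            {"https://app.example.com", null},                     // ALLOW via Origin
            {null, "https://app.example.com/page?x=1"},            // ALLOW via Referer fallback
            {null, "https://other.example.net/form.html"},         // REJECT: cross-origin, no Origin
            {"null", "https://app.example.com/"},                  // REJECT: opaque Origin, no fallback
            {null, "https://app.example.com.other.example.net/"},  // REJECT: exact match, not prefix
        };
        for (String[] s : samples) {
            System.out.printf("Origin=%s Referer=%s -> %s%n", s[0], s[1], check(s[0], s[1]));
        }
    }
}
```

The third sample is the case the description is about: with no Origin header, a check that looks at Origin alone has nothing to compare, while the Referer fallback still identifies the request as cross-origin.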


Apache Wicket 8.0.0-M2 released

26 Oct 2016

The Apache Wicket PMC is proud to announce Apache Wicket 8.0.0-M2!

Apache Wicket is an open source Java component oriented web application framework that powers thousands of web applications and web sites for governments, stores, universities, cities, banks, email providers, and more. You can find more about Apache Wicket at https://wicket.apache.org

This release marks the first milestone of the major release of Wicket 8. We use semantic versioning for the development of Wicket, and as such no API breaks are present in this release compared to 8.0.0.

Using this release

With Apache Maven update your dependency to (and don’t forget to update any other dependencies on Wicket projects to the same version):


Or download and build the distribution yourself, or use our convenience binary package