Apache Wicket 9.0.0-M5 released

06 Apr 2020

The Apache Wicket PMC is proud to announce Apache Wicket 9.0.0-M5!

Apache Wicket is an open source Java component oriented web application framework that powers thousands of web applications and web sites for governments, stores, universities, cities, banks, email providers, and more. You can find more about Apache Wicket at https://wicket.apache.org

This release marks another minor release of Wicket 9. We use semantic versioning for the development of Wicket, and as such no API breaks are present breaks are present in this release compared to 9.0.0.

New and noteworthy

With this milestone Wicket introduces support for content security policy (CSP) which is active by default and prevents inline JavaScript and CSS code from been executed. For more details about CSP support see Wicket 9 migration guide linked below.

Using this release

With Apache Maven update your dependency to (and don’t forget to update any other dependencies on Wicket projects to the same version):


Or download and build the distribution yourself, or use our convenience binary package you can find here:

  • Download: http://wicket.apache.org/start/wicket-9.x.html#manually

Upgrading from earlier versions

If you upgrade from 9.y.z this release is a drop in replacement. If you come from a version prior to 9.0.0, please read our Wicket 9 migration guide found at

  • http://s.apache.org/wicket9migrate

Have fun!

— The Wicket team


This Release

CHANGELOG for 9.0.0-M5:

  • [WICKET-6715] - FileUpload class should not implement IClusterable
  • [WICKET-6745] - CSP: inline JS in server and client time response filters
  • [WICKET-6746] - HttpsMapper cannot deal with resources over websockets
  • [WICKET-6752] - Some dependencies contain CVEs
  • [WICKET-6753] - res/modal.js using aria-labelledby where it should be using aria-label
  • [WICKET-6754] - Iteration stops with nested containers
  • [WICKET-6755] - MockServletContext does not decode real path
  • [WICKET-6756] - Avoid URL.getFile() when actually expecting paths.
  • [WICKET-6757] - Avoid URL.getFile during mime type detection.
  • [WICKET-6758] - NPE in AbstractWebSocketProcessor after session times out
New Feature
  • [WICKET-6727] - Configurable CSP
  • [WICKET-6729] - allow adding IHeaderResponseDecorator without replacing all others
  • [WICKET-6730] - Global access to secure random data
  • [WICKET-6724] - CSP: Inline Javascript in AjaxLink
  • [WICKET-6725] - CSP: display:none in Component.renderPlaceholderTag
  • [WICKET-6726] - CSP: inline styling and js in Form submitbutton handling
  • [WICKET-6731] - CSP: inline JS in SubmitLink
  • [WICKET-6732] - CSP: inline JS in Link and ExternalLink
  • [WICKET-6733] - CSP: enable by default
  • [WICKET-6735] - CSP: inline styling in FormComponentFeedbackBorder/Indicator
  • [WICKET-6736] - CSP: Inline styling in BrowserInfoForm
  • [WICKET-6737] - CSP: violations in examples
  • [WICKET-6738] - CSP: inline styling in UploadProgressBar
  • [WICKET-6739] - CSP: inline JS in Palette
  • [WICKET-6740] - CSP: inline JS in Button
  • [WICKET-6741] - CSP: inline JS in FormComponentUpdatingBehavior
  • [WICKET-6749] - CSP: Inline styling in ExceptionErrorPage.html
  • [WICKET-6759] - Support disabling error notification for websockets
  • [WICKET-6760] - Nested Form placeholder should preserve tag name
  • [WICKET-6761] - Support multiple connections to the same websocket resource from a single session
  • [WICKET-6762] - Support manual initialization of websocket connections
  • [WICKET-6687] - Cleanup the code from attribute inline styles and attribute inline scripts
  • [WICKET-6747] - Document CSP in user guide and migration guide
  • [WICKET-6751] - Support creating custom page access synchronization strategies