ISecuritySettings#setEnforceMounts(true) is meant to be used to prevent access to mounted-pages via BookmarkableMapper, e.g. when Page1.class is mounted:
... then the following url will not be accepted:
But starting with Wicket 1.5.x access to all non-mounted pages via BookmarkableMapper is prevented, i.e. no url "http://localhost:8080/niceurl/wicket/bookmarkable/*" is matched.