There is an unexpected and insecure default setting for the encryption provider.
When CryptoMapper is enabled using
setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
CompoundRequestMapper root = new CompoundRequestMapper();
root.add(new CryptoMapper(getRootRequestMapper(), this));
Wicket uses "new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY)" as the CryptFactory, with ISecuritySettings.DEFAULT_ENCRYPTION_KEY being "WiCkEt-FRAMEwork". This generates always the same encrypted strings for each of the URLs and is possibly not a secure way to encrypt URLs even if the encryption key is unknown.