Posted to commits@wicket.apache.org by mg...@apache.org on 2014/11/11 14:59:46 UTC

wicket git commit: WICKET-5327 write warning to stderr for insecure default crypt key

Repository: wicket
Updated Branches:
  refs/heads/5756-improve-crypt f0554d06e -> b5307cc09


WICKET-5327 write warning to stderr for insecure default crypt key

(cherry picked from commit d7b13f72f418bb7f300bbc3ac14fdb6e094f20a6)


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/b5307cc0
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/b5307cc0
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/b5307cc0

Branch: refs/heads/5756-improve-crypt
Commit: b5307cc09f8ee4238b8e3d3b1f54a729ee88c740
Parents: f0554d0
Author: svenmeier <sv...@meiers.net>
Authored: Thu Nov 28 20:25:40 2013 +0100
Committer: Martin Tzvetanov Grigorov <mg...@apache.org>
Committed: Tue Nov 11 15:59:32 2014 +0200

----------------------------------------------------------------------
 .../wicket/settings/def/SecuritySettings.java       | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/b5307cc0/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java b/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java
index 5e4aa10..8f1a79c 100644
--- a/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java
+++ b/wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java
@@ -81,12 +81,26 @@ public class SecuritySettings implements ISecuritySettings
 		return authorizationStrategy;
 	}
 
+	/**
+	 * Note: Prints a warning to stderr if no factory was set and {@link #DEFAULT_ENCRYPTION_KEY} is
+	 * used instead.
+	 * 
+	 * @return crypt factory used to generate crypt objects
+	 */
 	@Override
 	public synchronized ICryptFactory getCryptFactory()
 	{
 		if (cryptFactory == null)
 		{
-			cryptFactory = new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY);
+			System.err
+				.print("********************************************************************\n"
+					+ "*** WARNING: Wicket is using a DEFAULT_ENCRYPTION_KEY            ***\n"
+					+ "***                            ^^^^^^^^^^^^^^^^^^^^^^            ***\n"
+					+ "*** Do NOT deploy to your live server(s) without changing this.  ***\n"
+					+ "*** See SecuritySettings#setCryptFactory() for more information. ***\n"
+					+ "********************************************************************\n");
+
+			cryptFactory = new CachingSunJceCryptFactory(DEFAULT_ENCRYPTION_KEY);
 		}
 		return cryptFactory;
 	}
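Review bot: The fallback in getCryptFactory() still builds the CachingSunJceCryptFactory from DEFAULT_ENCRYPTION_KEY, a constant published in the project source, so the banner warns about the weak key but nothing stops an application from running with it. The warning is written with `System.err.print`, which bypasses the logging framework; where stderr is discarded or not collected, operators and log monitoring will never see it. Routing it through the class's logger as well would help, for example `log.warn("Using DEFAULT_ENCRYPTION_KEY; set a crypt factory via setCryptFactory() before deploying");`, assuming a logger is available in this class, which the hunk does not show. For a stronger guarantee, consider refusing the default key (or generating a random per-application key) when the application runs in deployment configuration. The new Javadoc should also state that the default key is public and therefore gives no confidentiality.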