You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by iv...@apache.org on 2008/08/09 00:12:53 UTC

svn commit: r684127 - in /wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket: settings/Settings.java util/crypt/KeyInSessionSunJceCryptFactory.java

Author: ivaynberg
Date: Fri Aug  8 15:12:53 2008
New Revision: 684127

URL: http://svn.apache.org/viewvc?rev=684127&view=rev
Log:
WICKET-1782: CSRF safe encryption

Added:
    wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java   (with props)
Modified:
    wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java

Modified: wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
URL: http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java?rev=684127&r1=684126&r2=684127&view=diff
==============================================================================
--- wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java (original)
+++ wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java Fri Aug  8 15:12:53 2008
@@ -52,8 +52,8 @@
 import org.apache.wicket.session.DefaultPageFactory;
 import org.apache.wicket.session.pagemap.IPageMapEvictionStrategy;
 import org.apache.wicket.session.pagemap.LeastRecentlyAccessedEvictionStrategy;
-import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
 import org.apache.wicket.util.crypt.ICryptFactory;
+import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;
 import org.apache.wicket.util.file.IResourceFinder;
 import org.apache.wicket.util.file.IResourcePath;
 import org.apache.wicket.util.file.Path;
@@ -310,12 +310,12 @@
 
 	private boolean addLastModifiedTimeToResourceReferenceUrl = false;
 
-  /**
-   * escape string for '..' within resource keys
-   */
-  private CharSequence parentFolderPlaceholder = "$up$";
+	/**
+	 * escape string for '..' within resource keys
+	 */
+	private CharSequence parentFolderPlaceholder = "$up$";
 
-  /**
+	/**
 	 * Create the application settings, carrying out any necessary initializations.
 	 * 
 	 * @param application
@@ -480,7 +480,7 @@
 	{
 		if (cryptFactory == null)
 		{
-			cryptFactory = new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY);
+			cryptFactory = new KeyInSessionSunJceCryptFactory();
 		}
 		return cryptFactory;
 	}
@@ -1360,20 +1360,20 @@
 		throwExceptionOnMissingXmlDeclaration = throwException;
 	}
 
-  /**
-   * @see org.apache.wicket.settings.IResourceSettings#getParentFolderPlaceholder()
-   */
-  public CharSequence getParentFolderPlaceholder()
-  {
-    return parentFolderPlaceholder;
-  }
-
-  /**
-   * @see org.apache.wicket.settings.IResourceSettings#setParentFolderPlaceholder(CharSequence)
-   */
-  public void setParentFolderPlaceholder(final CharSequence sequence)
-  {
-    parentFolderPlaceholder = sequence;
-  }
+	/**
+	 * @see org.apache.wicket.settings.IResourceSettings#getParentFolderPlaceholder()
+	 */
+	public CharSequence getParentFolderPlaceholder()
+	{
+		return parentFolderPlaceholder;
+	}
+
+	/**
+	 * @see org.apache.wicket.settings.IResourceSettings#setParentFolderPlaceholder(CharSequence)
+	 */
+	public void setParentFolderPlaceholder(final CharSequence sequence)
+	{
+		parentFolderPlaceholder = sequence;
+	}
 
 }

Added: wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
URL: http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java?rev=684127&view=auto
==============================================================================
--- wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java (added)
+++ wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java Fri Aug  8 15:12:53 2008
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.util.crypt;
+
+import java.util.UUID;
+
+import javax.servlet.http.HttpSession;
+
+import org.apache.wicket.RequestCycle;
+import org.apache.wicket.protocol.http.WebRequestCycle;
+
+/**
+ * Crypt factory that produces {@link SunJceCrypt} instances based on http session-specific
+ * encryption key. This allows each user to have their own encryption key, hardening against CSRF
+ * attacks.
+ * 
+ * Note that the use of this crypt factory will result in an immediate creation of a http session
+ * 
+ * @author igor.vaynberg
+ */
+public class KeyInSessionSunJceCryptFactory implements ICryptFactory
+{
+	public ICrypt newCrypt()
+	{
+		WebRequestCycle rc = (WebRequestCycle)RequestCycle.get();
+
+		// get http session, create if necessary
+		HttpSession session = rc.getWebRequest().getHttpServletRequest().getSession(true);
+
+		// retrieve or generate encryption key from session
+		final String keyAttr = rc.getApplication().getApplicationKey() + "." + getClass().getName();
+		String key = (String)session.getAttribute(keyAttr);
+		if (key == null)
+		{
+			// generate new key
+			key = session.getId() + "." + UUID.randomUUID().toString();
+			session.setAttribute(keyAttr, key);
+		}
+
+		// build the crypt based on session key
+		ICrypt crypt = new SunJceCrypt();
+		crypt.setKey(key);
+		return crypt;
+	}
+}

Propchange: wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain