Posted to users@wicket.apache.org by lucast <lu...@hotmail.com> on 2015/02/19 11:28:07 UTC

URL Encryption in detail

Dear forum,


Reading the Apache Wicket Guide on  URL Encryption in detail
<https://wicket.apache.org/guide/guide/security.html#security_4>  , the
section suggests that simply calling 

is not enough for url encryption at production level.

Further down on that section, there is one recommendation of making the url
encryption stronger:



Is simply adding *getSecuritySettings().setCryptFactory(new
KeyInSessionSunJceCryptFactory())*; line enough to make the URLs on my
application better as suggested on  URL Encryption in detail
<https://wicket.apache.org/guide/guide/security.html#security_4>  ?

My impression is that maybe it isn't since I understand
KeyInSessionSunJceCryptFactory is the default CryptFactory for the
application.

In addition to this, CryptoMapper(IRequestMapper wrappedMapper,  Application
application) API Doc states that: "For better security it is recommended to
use CryptoMapper(IRequestMapper, IProvider) with a specific ICrypt
implementation that generates a separate key for each user.
KeyInSessionSunJceCryptFactory provides such an implementation that stores
the key in the HTTP session."

Does the above sentence mean that one ought to implement a CryptProvider
class using KeyInSessionSunJceCryptFactory or something better/stronger ?

Encryption and security are not my forte and at the same time I admit I am
looking for an out-of-the-box solution where I can just simply carry on
implementing the rest of my wicket app.


Thanks in advance,
Lucas

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/URL-Encryption-in-detail-tp4669640.html
Sent from the Users forum mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: URL Encryption in detail

Posted by andrea del bene <an...@gmail.com>.
On 19/02/2015 13:23, andrea del bene wrote:
>
> On 19/02/2015 11:28, lucast wrote:
>> Dear forum,
>>
>>
>> Reading the Apache Wicket Guide on  URL Encryption in detail
>> <https://wicket.apache.org/guide/guide/security.html#security_4> , the
>> section suggests that simply calling
>>
>> is not enough for url encryption at production level.
>>
>> Further down on that section, there is one recommendation of making 
>> the url
>> encryption stronger:
>>
>>
>>
>> Is simply adding *getSecuritySettings().setCryptFactory(new
>> KeyInSessionSunJceCryptFactory())*; line enough to make the URLs on my
>> application better as suggested on  URL Encryption in detail
>> <https://wicket.apache.org/guide/guide/security.html#security_4> ?
>>
>> My impression is that maybe it isn't since I understand
>> KeyInSessionSunJceCryptFactory is the default CryptFactory for the
>> application.
> Well no, the default one is CachingSunJceCryptFactory which does NOT 
> generate a separate key for each user. On the contrary 
> KeyInSessionSunJceCryptFactory creates a different key for each user 
> (session). It uses a password-based algorithm to encrypt/decrypt urls 
> which is secure enough for this purpose.
>

Sorry, with Wicket 6.19.0 the default CryptFactory is actually 
KeyInSessionSunJceCryptFactory so you are ok with just :

WicketApplication.init() {
   setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
}

you might need to implement your own stronger CryptFactory only if you 
are not satisfied with the password-based cipher.

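As an added example of the "own stronger CryptFactory" option mentioned in the reply above (this is not code from the thread and not Wicket's own implementation): an ICryptFactory that keeps a random AES key per HTTP session, like KeyInSessionSunJceCryptFactory does, but encrypts URL segments with AES-GCM so that a tampered or foreign-session URL fails authentication and decrypts to null, which is the value CryptoMapper treats as "not decryptable". It assumes Wicket 6.x package names (org.apache.wicket.core.request.mapper.CryptoMapper, org.apache.wicket.util.crypt.ICrypt and ICryptFactory), Java 8 for java.util.Base64, and a hypothetical HomePage class for the application wiring at the bottom.

```java
// Added example, not Wicket's own code. Assumes Wicket 6.x and Java 8.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.apache.wicket.MetaDataKey;
import org.apache.wicket.Page;
import org.apache.wicket.Session;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.ICryptFactory;

public class AesGcmSessionCryptFactory implements ICryptFactory {

    // Session attribute holding this user's random URL key (byte[] is Serializable).
    private static final MetaDataKey<byte[]> URL_KEY = new MetaDataKey<byte[]>() {
        private static final long serialVersionUID = 1L;
    };
    private static final SecureRandom RNG = new SecureRandom();
    private static final int KEY_BYTES = 16;   // AES-128
    private static final int NONCE_BYTES = 12; // standard GCM nonce length
    private static final int TAG_BITS = 128;   // full-length authentication tag

    @Override
    public ICrypt newCrypt() {
        Session session = Session.get();
        byte[] key = session.getMetaData(URL_KEY);
        if (key == null) {
            key = new byte[KEY_BYTES];
            RNG.nextBytes(key);
            session.bind();                    // make the session permanent so the key outlives this request
            session.setMetaData(URL_KEY, key);
        }
        return new AesGcmCrypt(key);
    }

    static final class AesGcmCrypt implements ICrypt {
        private byte[] key;

        AesGcmCrypt(byte[] key) { this.key = key.clone(); }

        @Override
        public String encryptUrlSafe(String plainText) {
            try {
                byte[] nonce = new byte[NONCE_BYTES];
                RNG.nextBytes(nonce);          // fresh nonce per URL: GCM breaks on nonce reuse under one key
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
                byte[] ct = c.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
                byte[] out = new byte[NONCE_BYTES + ct.length];     // layout: nonce || ciphertext || tag
                System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
                System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
                return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException("AES/GCM not available in this JCE", e);
            }
        }

        @Override
        public String decryptUrlSafe(String text) {
            try {
                byte[] in = Base64.getUrlDecoder().decode(text);
                if (in.length < NONCE_BYTES + TAG_BITS / 8) {
                    return null;               // too short to even hold nonce + tag
                }
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                       new GCMParameterSpec(TAG_BITS, in, 0, NONCE_BYTES));
                byte[] pt = c.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES);
                return new String(pt, StandardCharsets.UTF_8);
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                // Tag mismatch (tampered URL or another session's key) or bad base64:
                // null is what CryptoMapper expects for an undecryptable segment.
                return null;
            }
        }

        @Override
        public void setKey(String key) {
            // ICrypt contract takes a string key; derive AES bytes from it with SHA-256.
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256")
                        .digest(key.getBytes(StandardCharsets.UTF_8));
                this.key = Arrays.copyOf(digest, KEY_BYTES);
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }
}

// Wiring, same shape as the init() shown in the reply above; HomePage is assumed.
class SecureUrlApplication extends WebApplication {
    @Override
    public Class<? extends Page> getHomePage() { return HomePage.class; }

    @Override
    protected void init() {
        super.init();
        getSecuritySettings().setCryptFactory(new AesGcmSessionCryptFactory());
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
    }
}
```

The difference from the stock factory is integrity: the password-based SunJCE cipher encrypts URL segments but does not authenticate them, whereas the GCM tag makes any bit-flip in the URL decrypt to null instead of to a plausibly mangled path. Two caveats hold for either factory: the key lives in the session, so a user whose session expires gets 404s for old encrypted URLs, and CryptoMapper only hides URL structure; it is not an authorization check and should not replace Wicket's component or page-level security.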


Re: URL Encryption in detail

Posted by andrea del bene <an...@gmail.com>.
On 19/02/2015 11:28, lucast wrote:
> Dear forum,
>
>
> Reading the Apache Wicket Guide on  URL Encryption in detail
> <https://wicket.apache.org/guide/guide/security.html#security_4>  , the
> section suggests that simply calling
>
> is not enough for url encryption at production level.
>
> Further down on that section, there is one recommendation of making the url
> encryption stronger:
>
>
>
> Is simply adding *getSecuritySettings().setCryptFactory(new
> KeyInSessionSunJceCryptFactory())*; line enough to make the URLs on my
> application better as suggested on  URL Encryption in detail
> <https://wicket.apache.org/guide/guide/security.html#security_4>  ?
>
> My impression is that maybe it isn't since I understand
> KeyInSessionSunJceCryptFactory is the default CryptFactory for the
> application.
Well no, the default one is CachingSunJceCryptFactory which does NOT 
generate a separate key for each user. On the contrary 
KeyInSessionSunJceCryptFactory creates a different key for each user 
(session). It uses a password-based algorithm to encrypt/decrypt urls 
which is secure enough for this purpose.

>
> In addition to this, CryptoMapper(IRequestMapper wrappedMapper,  Application
> application) API Doc states that: "For better security it is recommended to
> use CryptoMapper(IRequestMapper, IProvider) with a specific ICrypt
> implementation that generates a separate key for each user.
> KeyInSessionSunJceCryptFactory provides such an implementation that stores
> the key in the HTTP session."
>
> Does the above sentence mean that one ought to implement a CryptProvider
> class using KeyInSessionSunJceCryptFactory or something better/stronger ?
>
> Encryption and security are not my forte and at the same time I admit I am
> looking for an out-of-the-box solution where I can just simply carry on
> implementing the rest of my wicket app.
>
>
> Thanks in advance,
> Lucas
>

