You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by iv...@apache.org on 2008/08/09 00:12:04 UTC

svn commit: r684126 - in /wicket/trunk/wicket/src/main/java/org/apache/wicket: settings/Settings.java util/crypt/KeyInSessionSunJceCryptFactory.java

Author: ivaynberg
Date: Fri Aug  8 15:12:04 2008
New Revision: 684126

URL: http://svn.apache.org/viewvc?rev=684126&view=rev
Log:
WICKET-1782: CSRF-safe encryption

Added:
    wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java   (with props)
Modified:
    wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java

Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java?rev=684126&r1=684125&r2=684126&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java Fri Aug  8 15:12:04 2008
@@ -53,8 +53,8 @@
 import org.apache.wicket.session.DefaultPageFactory;
 import org.apache.wicket.session.pagemap.IPageMapEvictionStrategy;
 import org.apache.wicket.session.pagemap.LeastRecentlyAccessedEvictionStrategy;
-import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
 import org.apache.wicket.util.crypt.ICryptFactory;
+import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;
 import org.apache.wicket.util.file.IResourceFinder;
 import org.apache.wicket.util.file.IResourcePath;
 import org.apache.wicket.util.file.Path;
@@ -486,7 +486,7 @@
 	{
 		if (cryptFactory == null)
 		{
-			cryptFactory = new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY);
+			cryptFactory = new KeyInSessionSunJceCryptFactory();
 		}
 		return cryptFactory;
 	}
@@ -1028,8 +1028,7 @@
 		}
 		checkPageClass(pageExpiredErrorPage);
 
-		this.pageExpiredErrorPage = new WeakReference<Class<? extends Page>>(
-			pageExpiredErrorPage);
+		this.pageExpiredErrorPage = new WeakReference<Class<? extends Page>>(pageExpiredErrorPage);
 	}
 
 	/**

Added: wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java?rev=684126&view=auto
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java (added)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java Fri Aug  8 15:12:04 2008
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.util.crypt;
+
+import java.util.UUID;
+
+import javax.servlet.http.HttpSession;
+
+import org.apache.wicket.RequestCycle;
+import org.apache.wicket.protocol.http.WebRequestCycle;
+
+/**
+ * Crypt factory that produces {@link SunJceCrypt} instances based on http session-specific
+ * encryption key. This allows each user to have their own encryption key, hardening against CSRF
+ * attacks.
+ * 
+ * Note that the use of this crypt factory will result in an immediate creation of a http session
+ * 
+ * @author igor.vaynberg
+ */
+public class KeyInSessionSunJceCryptFactory implements ICryptFactory
+{
+	public ICrypt newCrypt()
+	{
+		WebRequestCycle rc = (WebRequestCycle)RequestCycle.get();
+
+		// get http session, create if necessary
+		HttpSession session = rc.getWebRequest().getHttpServletRequest().getSession(true);
+
+		// retrieve or generate encryption key from session
+		final String keyAttr = rc.getApplication().getApplicationKey() + "." + getClass().getName();
+		String key = (String)session.getAttribute(keyAttr);
+		if (key == null)
+		{
+			// generate new key
+			key = session.getId() + "." + UUID.randomUUID().toString();
+			session.setAttribute(keyAttr, key);
+		}
+
+		// build the crypt based on session key
+		ICrypt crypt = new SunJceCrypt();
+		crypt.setKey(key);
+		return crypt;
+	}
+}

Propchange: wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain