You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by iv...@apache.org on 2008/08/09 00:12:04 UTC
svn commit: r684126 - in
/wicket/trunk/wicket/src/main/java/org/apache/wicket:
settings/Settings.java util/crypt/KeyInSessionSunJceCryptFactory.java
Author: ivaynberg
Date: Fri Aug 8 15:12:04 2008
New Revision: 684126
URL: http://svn.apache.org/viewvc?rev=684126&view=rev
Log:
WICKET-1782: CSRF-safe encryption
Added:
wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java (with props)
Modified:
wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java
Modified: wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java?rev=684126&r1=684125&r2=684126&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java (original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java Fri Aug 8 15:12:04 2008
@@ -53,8 +53,8 @@
import org.apache.wicket.session.DefaultPageFactory;
import org.apache.wicket.session.pagemap.IPageMapEvictionStrategy;
import org.apache.wicket.session.pagemap.LeastRecentlyAccessedEvictionStrategy;
-import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
import org.apache.wicket.util.crypt.ICryptFactory;
+import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.util.file.IResourceFinder;
import org.apache.wicket.util.file.IResourcePath;
import org.apache.wicket.util.file.Path;
@@ -486,7 +486,7 @@
{
if (cryptFactory == null)
{
- cryptFactory = new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY);
+ cryptFactory = new KeyInSessionSunJceCryptFactory();
}
return cryptFactory;
}
@@ -1028,8 +1028,7 @@
}
checkPageClass(pageExpiredErrorPage);
- this.pageExpiredErrorPage = new WeakReference<Class<? extends Page>>(
- pageExpiredErrorPage);
+ this.pageExpiredErrorPage = new WeakReference<Class<? extends Page>>(pageExpiredErrorPage);
}
/**
Added: wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
URL: http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java?rev=684126&view=auto
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java (added)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java Fri Aug 8 15:12:04 2008
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.util.crypt;
+
+import java.util.UUID;
+
+import javax.servlet.http.HttpSession;
+
+import org.apache.wicket.RequestCycle;
+import org.apache.wicket.protocol.http.WebRequestCycle;
+
+/**
+ * Crypt factory that produces {@link SunJceCrypt} instances based on http session-specific
+ * encryption key. This allows each user to have their own encryption key, hardening against CSRF
+ * attacks.
+ *
+ * Note that the use of this crypt factory will result in an immediate creation of a http session
+ *
+ * @author igor.vaynberg
+ */
+public class KeyInSessionSunJceCryptFactory implements ICryptFactory
+{
+ public ICrypt newCrypt()
+ {
+ WebRequestCycle rc = (WebRequestCycle)RequestCycle.get();
+
+ // get http session, create if necessary
+ HttpSession session = rc.getWebRequest().getHttpServletRequest().getSession(true);
+
+ // retrieve or generate encryption key from session
+ final String keyAttr = rc.getApplication().getApplicationKey() + "." + getClass().getName();
+ String key = (String)session.getAttribute(keyAttr);
+ if (key == null)
+ {
+ // generate new key
+ key = session.getId() + "." + UUID.randomUUID().toString();
+ session.setAttribute(keyAttr, key);
+ }
+
+ // build the crypt based on session key
+ ICrypt crypt = new SunJceCrypt();
+ crypt.setKey(key);
+ return crypt;
+ }
+}
Propchange: wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
------------------------------------------------------------------------------
svn:mime-type = text/plain