Posted to users@wicket.apache.org by MZ...@osc.state.ny.us on 2010/01/20 16:59:50 UTC

Wicket URL Encryption Key

On page 331 of "Wicket In Action" is the following excerpt, "Note that you 
should modify the default encryption key that is stored in 
ISecuritySettings to prevent malicious hackers from using the default 
publicly available key as an attack vector."  Does this only pertain to 
when Sun JCE is not available and Wicket defaults to "no encryption?" From 
what I can gather, the key should be generated by...

KeyInSessionSunJceCryptFactory.java
if (key == null)
{
    // generate new key
    key = session.getId() + "." + UUID.randomUUID().toString();
    session.setAttribute(keyAttr, key);
}



Notice: This communication, including any attachments, is intended solely 
for the use of the individual or entity to which it is addressed. This 
communication may contain information that is protected from disclosure 
under State and/or Federal law. Please notify the sender immediately if 
you have received this communication in error and delete this email from 
your system. If you are not the intended recipient, you are requested not 
to disclose, copy, distribute or take any action in reliance on the 
contents of this information.

Re: Wicket URL Encryption Key

Posted by Jonas <ba...@gmail.com>.
A quick search through wicket's fisheye [1] revealed the default was changed
in wicket 1.3.5 to fix [2].

[1] <http://fisheye6.atlassian.com/browse/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java#r684127>
[2] <http://issues.apache.org/jira/browse/WICKET-1782>

On Wed, Jan 20, 2010 at 5:13 PM, Jonas <ba...@gmail.com> wrote:
> I think the book refers to wicket 1.3. The default behaviour of
> Settings#getCryptFactory has changed
> in 1.4. I think in 1.3 the default was ClassCryptFactory with a default key
> as still visible in ISecuritySettings#DEFAULT_ENCRYPTION_KEY. Now in 1.4,
> the KeyInSessionSunJceCryptFactory with a generated key (as you mentioned)
> is used.
>
> On Wed, Jan 20, 2010 at 4:59 PM,  <MZ...@osc.state.ny.us> wrote:
>> On page 331 of "Wicket In Action" is the following excerpt, "Note that you
>> should modify the default encryption key that is stored in
>> ISecuritySettings to prevent malicious hackers from using the default
>> publicly available key as an attack vector."  Does this only pertain to
>> when Sun JCE is not available and Wicket defaults to "no encryption?" From
>> what I can gather, the key should be generated by...
>>
>> KeyInSessionSunJceCryptFactory.java
>> if (key == null)
>> {
>>     // generate new key
>>     key = session.getId() + "." + UUID.randomUUID().toString();
>>     session.setAttribute(keyAttr, key);
>> }
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Wicket URL Encryption Key

Posted by Jonas <ba...@gmail.com>.
I think the book refers to wicket 1.3. The default behaviour of
Settings#getCryptFactory has changed
in 1.4. I think in 1.3 the default was ClassCryptFactory with a default key
as still visible in ISecuritySettings#DEFAULT_ENCRYPTION_KEY. Now in 1.4,
the KeyInSessionSunJceCryptFactory with a generated key (as you mentioned)
is used.

On Wed, Jan 20, 2010 at 4:59 PM,  <MZ...@osc.state.ny.us> wrote:
> On page 331 of "Wicket In Action" is the following excerpt, "Note that you
> should modify the default encryption key that is stored in
> ISecuritySettings to prevent malicious hackers from using the default
> publicly available key as an attack vector."  Does this only pertain to
> when Sun JCE is not available and Wicket defaults to "no encryption?" From
> what I can gather, the key should be generated by...
>
> KeyInSessionSunJceCryptFactory.java
> if (key == null)
> {
>     // generate new key
>     key = session.getId() + "." + UUID.randomUUID().toString();
>     session.setAttribute(keyAttr, key);
> }
>

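As an added configuration example (not code from this thread or from Wicket's own sources), the following Wicket 1.4 WebApplication pins the crypt factory explicitly rather than trusting the version default, with the weak 1.3-style static-key setup left beside it in a comment; the class names EncryptedUrlApplication and HomePage are hypothetical.

```java
// Added example, not from the thread or from Wicket: pin the crypt factory
// and route URLs through it. EncryptedUrlApplication/HomePage are hypothetical.
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;

public class EncryptedUrlApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();

        // WEAK (the setup the book warns about): one static key shared by every
        // deployment that keeps the default. ISecuritySettings.DEFAULT_ENCRYPTION_KEY
        // is in the public source, so such URLs can be read and forged by anyone.
        // getSecuritySettings().setCryptFactory(
        //     new ClassCryptFactory(SunJceCrypt.class, ISecuritySettings.DEFAULT_ENCRYPTION_KEY));

        // CORRECT: a key generated per HTTP session (session id + random UUID, as
        // quoted in the thread) and stored only in that session, so there is no
        // global secret to leak. This is the 1.4 default; setting it explicitly
        // means a framework upgrade or downgrade cannot silently change it.
        getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory());
    }

    // The crypt factory only matters if URLs are actually encoded through it,
    // so wrap the standard coding strategy in the encrypting one.
    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical page class
    }
}
```

KeyInSessionSunJceCryptFactory depends on the Sun JCE provider being present, which is the condition the original question asks about; verify in a staging deployment that generated page URLs are actually opaque before relying on it.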