Posted to users@wicket.apache.org by MZ...@osc.state.ny.us on 2010/01/20 16:59:50 UTC
Wicket URL Encryption Key
On page 331 of "Wicket In Action" is the following excerpt, "Note that you
should modify the default encryption key that is stored in
ISecuritySettings to prevent malicious hackers from using the default
publicly available key as an attack vector." Does this only pertain to
when Sun JCE is not available and Wicket defaults to "no encryption?" From
what I can gather, the key should be generated by...
KeyInSessionSunJceCryptFactory.java
if (key == null)
{
    // generate new key
    key = session.getId() + "." + UUID.randomUUID().toString();
    session.setAttribute(keyAttr, key);
}
Notice: This communication, including any attachments, is intended solely
for the use of the individual or entity to which it is addressed. This
communication may contain information that is protected from disclosure
under State and/or Federal law. Please notify the sender immediately if
you have received this communication in error and delete this email from
your system. If you are not the intended recipient, you are requested not
to disclose, copy, distribute or take any action in reliance on the
contents of this information.
Re: Wicket URL Encryption Key
Posted by Jonas <ba...@gmail.com>.
A quick search through wicket's fisheye [1] revealed the default was changed
in wicket 1.3.5 to fix [2]
[1] <http://fisheye6.atlassian.com/browse/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java#r684127>
[2] <http://issues.apache.org/jira/browse/WICKET-1782>
On Wed, Jan 20, 2010 at 5:13 PM, Jonas <ba...@gmail.com> wrote:
> I think the book refers to wicket 1.3. The default behaviour of
> Settings#getCryptFactory has changed
> in 1.4. I think in 1.3 the default was ClassCryptFactory with a default key
> as still visible in ISecuritySettings#DEFAULT_ENCRYPTION_KEY. Now in 1.4,
> the KeyInSessionSunJceCryptFactory with a generated key (as you mentioned)
> is used.
>
> On Wed, Jan 20, 2010 at 4:59 PM, <MZ...@osc.state.ny.us> wrote:
>> On page 331 of "Wicket In Action" is the following excerpt, "Note that you
>> should modify the default encryption key that is stored in
>> ISecuritySettings to prevent malicious hackers from using the default
>> publicly available key as an attack vector." Does this only pertain to
>> when Sun JCE is not available and Wicket defaults to "no encryption?" From
>> what I can gather, the key should be generated by...
>>
>> KeyInSessionSunJceCryptFactory.java
>> if (key == null)
>> {
>>     // generate new key
>>     key = session.getId() + "." + UUID.randomUUID().toString();
>>     session.setAttribute(keyAttr, key);
>> }
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
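To make concrete why the per-session key Jonas describes matters, here is an added, self-contained Java model (example code, not Wicket's own; Wicket's SunJceCrypt uses PBE rather than AES-GCM, and the "crypt.key" attribute name, the SHA-256 key derivation and the sample URL are constructed for the illustration). It reuses the sessionId + "." + UUID rule from the quoted snippet and shows that a token produced under one session's key is rejected under another session's key, which a single publicly known default key cannot guarantee.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Toy model of key-in-session URL encryption; not Wicket's SunJceCrypt, which uses PBE. */
public class KeyInSessionDemo {
    /** Same rule as the snippet quoted in the thread: sessionId + "." + random UUID, cached per session. */
    static String keyForSession(String sessionId, Map<String, String> session) {
        String key = session.get("crypt.key");                    // hypothetical session attribute name
        if (key == null) {
            key = sessionId + "." + UUID.randomUUID();
            session.put("crypt.key", key);
        }
        return key;
    }
    static SecretKeySpec aesKey(String key) throws Exception {   // toy KDF: SHA-256 truncated to 128 bits
        return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(key.getBytes(StandardCharsets.UTF_8)), 0, 16, "AES");
    }
    /** AES-GCM; output = nonce || ciphertext || tag, so a token made under another key is detectable. */
    static byte[] encryptUrl(String key, String url) throws Exception {
        byte[] plain = url.getBytes(StandardCharsets.UTF_8), out = new byte[12 + plain.length + 16];
        new SecureRandom().nextBytes(out);                        // first 12 bytes are kept as the nonce
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, aesKey(key), new GCMParameterSpec(128, out, 0, 12));
        c.doFinal(plain, 0, plain.length, out, 12);              // ciphertext and tag written after the nonce
        return out;
    }
    /** Returns null when the token was not produced under this key (the GCM tag check fails). */
    static String decryptUrl(String key, byte[] token) {
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, aesKey(key), new GCMParameterSpec(128, token, 0, 12));
            return new String(c.doFinal(token, 12, token.length - 12), StandardCharsets.UTF_8);
        } catch (Exception e) { return null; }
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> sessionA = new HashMap<>(), sessionB = new HashMap<>();
        String keyA = keyForSession("sidA", sessionA), keyB = keyForSession("sidB", sessionB);
        byte[] token = encryptUrl(keyA, "?wicket:interface=:0:link::ILinkListener::"); // constructed sample URL
        System.out.println("same session : " + decryptUrl(keyA, token)); // the URL
        System.out.println("other session: " + decryptUrl(keyB, token)); // null
        System.out.println("key cached   : " + keyA.equals(keyForSession("sidA", sessionA))); // true
    }
}
```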
Re: Wicket URL Encryption Key
Posted by Jonas <ba...@gmail.com>.
I think the book refers to wicket 1.3. The default behaviour of
Settings#getCryptFactory has changed
in 1.4. I think in 1.3 the default was ClassCryptFactory with a default key
as still visible in ISecuritySettings#DEFAULT_ENCRYPTION_KEY. Now in 1.4,
the KeyInSessionSunJceCryptFactory with a generated key (as you mentioned)
is used.
On Wed, Jan 20, 2010 at 4:59 PM, <MZ...@osc.state.ny.us> wrote:
> On page 331 of "Wicket In Action" is the following excerpt, "Note that you
> should modify the default encryption key that is stored in
> ISecuritySettings to prevent malicious hackers from using the default
> publicly available key as an attack vector." Does this only pertain to
> when Sun JCE is not available and Wicket defaults to "no encryption?" From
> what I can gather, the key should be generated by...
>
> KeyInSessionSunJceCryptFactory.java
> if (key == null)
> {
>     // generate new key
>     key = session.getId() + "." + UUID.randomUUID().toString();
>     session.setAttribute(keyAttr, key);
> }