svn commit: r684126 - in /wicket/trunk/wicket/src/main/java/org/apache/wicket: settings/Settings.java util/crypt/KeyInSessionSunJceCryptFactory.java

Fri, 08 Aug 2008 15:12:25 -0700 

Author: ivaynberg
Date: Fri Aug  8 15:12:04 2008
New Revision: 684126

URL: http://svn.apache.org/viewvc?rev=684126&view=rev
Log:
WICKET-1782: CSRF-safe encryption

Added:
    
wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
   (with props)
Modified:
    wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java

Modified: 
wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java
URL: 
http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java?rev=684126&r1=684125&r2=684126&view=diff
==============================================================================
--- wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java 
(original)
+++ wicket/trunk/wicket/src/main/java/org/apache/wicket/settings/Settings.java 
Fri Aug  8 15:12:04 2008
@@ -53,8 +53,8 @@
 import org.apache.wicket.session.DefaultPageFactory;
 import org.apache.wicket.session.pagemap.IPageMapEvictionStrategy;
 import org.apache.wicket.session.pagemap.LeastRecentlyAccessedEvictionStrategy;
-import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
 import org.apache.wicket.util.crypt.ICryptFactory;
+import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;
 import org.apache.wicket.util.file.IResourceFinder;
 import org.apache.wicket.util.file.IResourcePath;
 import org.apache.wicket.util.file.Path;
@@ -486,7 +486,7 @@
        {
                if (cryptFactory == null)
                {
-                       cryptFactory = new 
CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY);
+                       cryptFactory = new KeyInSessionSunJceCryptFactory();
                }
                return cryptFactory;
        }
@@ -1028,8 +1028,7 @@
                }
                checkPageClass(pageExpiredErrorPage);
 
-               this.pageExpiredErrorPage = new WeakReference<Class<? extends 
Page>>(
-                       pageExpiredErrorPage);
+               this.pageExpiredErrorPage = new WeakReference<Class<? extends 
Page>>(pageExpiredErrorPage);
        }
 
        /**

Added: 
wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
URL: 
http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java?rev=684126&view=auto
==============================================================================
--- 
wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
 (added)
+++ 
wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
 Fri Aug  8 15:12:04 2008
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.util.crypt;
+
+import java.util.UUID;
+
+import javax.servlet.http.HttpSession;
+
+import org.apache.wicket.RequestCycle;
+import org.apache.wicket.protocol.http.WebRequestCycle;
+
+/**
+ * Crypt factory that produces [EMAIL PROTECTED] SunJceCrypt} instances based 
on http session-specific
+ * encryption key. This allows each user to have their own encryption key, 
hardening against CSRF
+ * attacks.
+ * 
+ * Note that the use of this crypt factory will result in an immediate 
creation of a http session
+ * 
+ * @author igor.vaynberg
+ */
+public class KeyInSessionSunJceCryptFactory implements ICryptFactory
+{
+       public ICrypt newCrypt()
+       {
+               WebRequestCycle rc = (WebRequestCycle)RequestCycle.get();
+
+               // get http session, create if necessary
+               HttpSession session = 
rc.getWebRequest().getHttpServletRequest().getSession(true);
+
+               // retrieve or generate encryption key from session
+               final String keyAttr = rc.getApplication().getApplicationKey() 
+ "." + getClass().getName();
+               String key = (String)session.getAttribute(keyAttr);
+               if (key == null)
+               {
+                       // generate new key
+                       key = session.getId() + "." + 
UUID.randomUUID().toString();
+                       session.setAttribute(keyAttr, key);
+               }
+
+               // build the crypt based on session key
+               ICrypt crypt = new SunJceCrypt();
+               crypt.setKey(key);
+               return crypt;
+       }
+}

Propchange: 
wicket/trunk/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Reply via email to