Author: ivaynberg
Date: Fri Aug  8 15:12:53 2008
New Revision: 684127

URL: http://svn.apache.org/viewvc?rev=684127&view=rev
Log:
WICKET-1782: CSRF-safe encryption

Added:
    
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
   (with props)
Modified:
    
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java

Modified: 
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
URL: 
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java?rev=684127&r1=684126&r2=684127&view=diff
==============================================================================
--- 
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
 (original)
+++ 
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
 Fri Aug  8 15:12:53 2008
@@ -52,8 +52,8 @@
 import org.apache.wicket.session.DefaultPageFactory;
 import org.apache.wicket.session.pagemap.IPageMapEvictionStrategy;
 import org.apache.wicket.session.pagemap.LeastRecentlyAccessedEvictionStrategy;
-import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
 import org.apache.wicket.util.crypt.ICryptFactory;
+import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;
 import org.apache.wicket.util.file.IResourceFinder;
 import org.apache.wicket.util.file.IResourcePath;
 import org.apache.wicket.util.file.Path;
@@ -310,12 +310,12 @@
 
        private boolean addLastModifiedTimeToResourceReferenceUrl = false;
 
-  /**
-   * escape string for '..' within resource keys
-   */
-  private CharSequence parentFolderPlaceholder = "$up$";
+       /**
+        * escape string for '..' within resource keys
+        */
+       private CharSequence parentFolderPlaceholder = "$up$";
 
-  /**
+       /**
         * Create the application settings, carrying out any necessary 
initializations.
         * 
         * @param application
@@ -480,7 +480,7 @@
        {
                if (cryptFactory == null)
                {
-                       cryptFactory = new 
CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY);
+                       cryptFactory = new KeyInSessionSunJceCryptFactory();
                }
                return cryptFactory;
        }
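Review bot: Switching the lazily-initialised default to `new KeyInSessionSunJceCryptFactory()` changes behaviour for every application that never called the setter: the key is now bound to one HTTP session (and a session is created on first use), so encrypted URLs are no longer valid across sessions or after expiry. That is the right default for CSRF hardening, but the getter's Javadoc, which sits above this hunk, should state it and point applications that need stable, shareable encrypted URLs at keeping `CachingSunJceCryptFactory` explicitly. The enclosing method begins outside the hunk.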
@@ -1360,20 +1360,20 @@
                throwExceptionOnMissingXmlDeclaration = throwException;
        }
 
-  /**
-   * @see 
org.apache.wicket.settings.IResourceSettings#getParentFolderPlaceholder()
-   */
-  public CharSequence getParentFolderPlaceholder()
-  {
-    return parentFolderPlaceholder;
-  }
-
-  /**
-   * @see 
org.apache.wicket.settings.IResourceSettings#setParentFolderPlaceholder(CharSequence)
-   */
-  public void setParentFolderPlaceholder(final CharSequence sequence)
-  {
-    parentFolderPlaceholder = sequence;
-  }
+       /**
+        * @see 
org.apache.wicket.settings.IResourceSettings#getParentFolderPlaceholder()
+        */
+       public CharSequence getParentFolderPlaceholder()
+       {
+               return parentFolderPlaceholder;
+       }
+
+       /**
+        * @see 
org.apache.wicket.settings.IResourceSettings#setParentFolderPlaceholder(CharSequence)
+        */
+       public void setParentFolderPlaceholder(final CharSequence sequence)
+       {
+               parentFolderPlaceholder = sequence;
+       }
 
 }

Added: 
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
URL: 
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java?rev=684127&view=auto
==============================================================================
--- 
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
 (added)
+++ 
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
 Fri Aug  8 15:12:53 2008
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.util.crypt;
+
+import java.util.UUID;
+
+import javax.servlet.http.HttpSession;
+
+import org.apache.wicket.RequestCycle;
+import org.apache.wicket.protocol.http.WebRequestCycle;
+
+/**
+ * Crypt factory that produces [EMAIL PROTECTED] SunJceCrypt} instances based 
on http session-specific
+ * encryption key. This allows each user to have their own encryption key, 
hardening against CSRF
+ * attacks.
+ * 
+ * Note that the use of this crypt factory will result in an immediate 
creation of a http session
+ * 
+ * @author igor.vaynberg
+ */
+public class KeyInSessionSunJceCryptFactory implements ICryptFactory
+{
+       public ICrypt newCrypt()
+       {
+               WebRequestCycle rc = (WebRequestCycle)RequestCycle.get();
+
+               // get http session, create if necessary
+               HttpSession session = 
rc.getWebRequest().getHttpServletRequest().getSession(true);
+
+               // retrieve or generate encryption key from session
+               final String keyAttr = rc.getApplication().getApplicationKey() 
+ "." + getClass().getName();
+               String key = (String)session.getAttribute(keyAttr);
+               if (key == null)
+               {
+                       // generate new key
+                       key = session.getId() + "." + 
UUID.randomUUID().toString();
+                       session.setAttribute(keyAttr, key);
+               }
+
+               // build the crypt based on session key
+               ICrypt crypt = new SunJceCrypt();
+               crypt.setKey(key);
+               return crypt;
+       }
+}
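Review bot: The key built on `key = session.getId() + "." + UUID.randomUUID().toString();` folds the session ID — the bearer credential carried in the cookie — into the key material and then persists it as a plain String session attribute, so it lands in session dumps, replicated-session stores and anything that logs attributes; `UUID.randomUUID()` is SecureRandom-backed and already supplies all the entropy needed, so `key = UUID.randomUUID().toString();` is sufficient and also keeps the key usable if the container rotates the session ID (e.g. after login). Two concurrent first requests in the same session can both see `getAttribute` return null and each install a different key, so whichever loses the `setAttribute` race has already handed out a crypt whose output the winner's key cannot decrypt — unless Wicket serialises requests per session upstream of this call, the get-or-create should run under `synchronized (session)`. The unchecked cast `(WebRequestCycle)RequestCycle.get()` fails with NPE or ClassCastException when no web request cycle is active (background threads, unit tests); an explicit `IllegalStateException` naming the requirement fails more usefully. The class Javadoc should also say that the key lives only as long as the HTTP session, so encrypted URLs do not survive session expiry or a non-replicated failover.
```java
public ICrypt newCrypt()
{
	RequestCycle cycle = RequestCycle.get();
	if (!(cycle instanceof WebRequestCycle))
	{
		throw new IllegalStateException("KeyInSessionSunJceCryptFactory requires an active WebRequestCycle");
	}
	WebRequestCycle rc = (WebRequestCycle)cycle;
	// … unchanged: session lookup and keyAttr …
	String key;
	synchronized (session)
	{
		key = (String)session.getAttribute(keyAttr);
		if (key == null)
		{
			// SecureRandom-backed UUID is enough entropy; keep the session id out of key material
			key = UUID.randomUUID().toString();
			session.setAttribute(keyAttr, key);
		}
	}
	// … unchanged: build SunJceCrypt with key …
}
```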

Propchange: 
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/crypt/KeyInSessionSunJceCryptFactory.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

