Encrypt resource references when using CryptedUrlWebRequestCodingStrategy +
WebRequestCodingStrategy
----------------------------------------------------------------------------------------------------
Key: WICKET-2689
URL: https://issues.apache.org/jira/browse/WICKET-2689
Project: Wicket
Issue Type: Improvement
Affects Versions: 1.4.5
Reporter: Sergey Olefir

With the current implementations of CryptedUrlWebRequestCodingStrategy and
WebRequestCodingStrategy, resource references inside HTML are not encrypted (and
by default they include class FQNs, which can be considered a security risk).
Specifically, it applies to the configuration (as from various examples):

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        return new WebRequestCycleProcessor() {
            // Wrap the default coding strategy so that generated URLs are encrypted
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }

It would be great if Wicket provided resource references encryption out of the
box in addition to URL encryption (perhaps as an option).
The current implementation doesn't do it because WebRequestCodingStrategy
encodes resource references as path, while CryptedUrlWebRequestCodingStrategy
only encrypts arguments.
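
An added example, not part of the original report or Wicket's own code: a Python check that scans rendered HTML for resource URLs whose path still exposes a class name even when the query string is encrypted. The `resources/<class FQN>/<name>` path layout, the `x` query parameter and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed URL layout: resources/<scope class FQN>/<resource name>.
# FQN = one or more lowercase package segments followed by a class name.
FQN_IN_PATH = re.compile(r"(?:^|/)resources/((?:[a-z_][\w$]*\.)+[A-Z][\w$]*)/")


class _UrlCollector(HTMLParser):
    """Collects every href/src attribute value found in the markup."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def find_leaked_class_names(html):
    """Return (url, class_fqn) for each URL whose path exposes a class FQN."""
    collector = _UrlCollector()
    collector.feed(html)
    leaks = []
    for url in collector.urls:
        # Only the path matters: encrypting the query string does not hide it.
        path = url.split("?", 1)[0]
        match = FQN_IN_PATH.search(path)
        if match:
            leaks.append((url, match.group(1)))
    return leaks


# Constructed sample page: two resource references and one encrypted link.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="resources/com.example.shop.admin.AdminPanel/admin.css"/>
<script src="resources/com.example.shop.CheckoutPage/checkout.js?x=Zm9vYmFy"></script>
</head><body>
<a href="?x=q8Jk2LrT0w">next</a>
<img src="images/logo.png"/>
</body></html>
"""

if __name__ == "__main__":
    for url, fqn in find_leaked_class_names(SAMPLE_HTML):
        print(f"class name exposed: {fqn}  <-  {url}")
```

Run against pages fetched from a test deployment, a non-empty result means internal package and class names are still visible to any client, regardless of the URL encryption setting.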