Author: adelbene
Date: Fri Nov 14 15:28:51 2014
New Revision: 1639671
URL: http://svn.apache.org/r1639671
Log:
Changes for WICKET-5756
Added:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc
Modified:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_3.gdoc
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/urls/urls_6.gdoc
Modified:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_3.gdoc
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_3.gdoc?rev=1639671&r1=1639670&r2=1639671&view=diff
==============================================================================
---
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_3.gdoc
(original)
+++
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_3.gdoc
Fri Nov 14 15:28:51 2014
@@ -4,7 +4,7 @@ HTTPS is the standard technology adopted
In Wicket we can easily protect our pages with HTTPS mounting a special
request mapper called @HttpsMapper@ and using annotation RequireHttps with
those pages we want to serve over this protocol. Both these two entities are in
package @org.apache.wicket.protocol.https@.
-HttpsMapper wraps an existing mapper and redirects incoming requests to HTTPS
if the related response must render a page containing annotation
@RequireHttps@. Most of the times the wrapped mapper will be the root one, just
like we saw before for @CryptoManager@ in paragraph 10.6.
+HttpsMapper wraps an existing mapper and redirects incoming requests to HTTPS
if the related response must render a page containing annotation
@RequireHttps@. Most of the times the wrapped mapper will be the root one, just
like we saw before for @CryptoMapper@ in paragraph 10.6.
Another parameter needed to build a @HttpsMapper@ is an instance of class
@HttpsConfi@g. This class allows us to specify which ports must be used for
HTTPS and HTTP. By default the port numbers used by these two protocols are
respectively 443 and 80.
Modified:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc?rev=1639671&r1=1639670&r2=1639671&view=diff
==============================================================================
---
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc
(original)
+++
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_5.gdoc
Fri Nov 14 15:28:51 2014
@@ -1,14 +1,12 @@
+To encrypt/decryp page URLs Wicket uses an instance of interface
@org.apache.wicket.util.crypt.ICrypt@:
+{code}
+public interface ICrypt
+{
+ String encryptUrlSafe(final String plainText);
+
+ String decryptUrlSafe(final String encryptedText);
+}
+{code}
- In this chapter we have seen the components and the mechanisms that allow us
to implement security policies in our Wicket-based applications. Wicket comes
with an out of the box support for both authorization and authentication.
-
-The central element of authorization mechanism is the interface
@IAuthorizationStrategy@ which decouples our components from any detail about
security strategy. The implementations of this interface must decide if a user
is allowed to instantiate a given page or component and if she/he can perform a
given action on it.
-
-Wicket natively supports role-based authorizations with strategies
@MetaDataRoleAuthorizationStrategy@ and @AnnotationsRoleAuthorizationStrategy@.
The difference between these two strategies is that the first offers a
programmatic approach for role handling while the second promotes a declarative
approach using built-in annotations.
-
-After having explored how Wicket internally implements authentication and
authorization, in the last part of the chapter we have learnt how to configure
our applications to support HTTPS and how to specify which pages must be served
over this protocol.
-
-In the last paragraph we have seen how Wicket protects package resources with
a guard entity that allows us to decide which package resources can be accessed
from users.
-
-
-
+The default implementation for this interface
Added:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc?rev=1639671&view=auto
==============================================================================
---
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc
(added)
+++
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/security/security_6.gdoc
Fri Nov 14 15:28:51 2014
@@ -0,0 +1,14 @@
+
+
+In this chapter we have seen the components and the mechanisms that allow us
to implement security policies in our Wicket-based applications. Wicket comes
with an out of the box support for both authorization and authentication.
+
+The central element of authorization mechanism is the interface
@IAuthorizationStrategy@ which decouples our components from any detail about
security strategy. The implementations of this interface must decide if a user
is allowed to instantiate a given page or component and if she/he can perform a
given action on it.
+
+Wicket natively supports role-based authorizations with strategies
@MetaDataRoleAuthorizationStrategy@ and @AnnotationsRoleAuthorizationStrategy@.
The difference between these two strategies is that the first offers a
programmatic approach for role handling while the second promotes a declarative
approach using built-in annotations.
+
+After having explored how Wicket internally implements authentication and
authorization, in the last part of the chapter we have learnt how to configure
our applications to support HTTPS and how to specify which pages must be served
over this protocol.
+
+In the last paragraph we have seen how Wicket protects package resources with
a guard entity that allows us to decide which package resources can be accessed
from users.
+
+
+
Modified:
wicket/common/site/trunk/_site/guide/guide/src/docs/guide/urls/urls_6.gdoc
URL:
http://svn.apache.org/viewvc/wicket/common/site/trunk/_site/guide/guide/src/docs/guide/urls/urls_6.gdoc?rev=1639671&r1=1639670&r2=1639671&view=diff
==============================================================================
--- wicket/common/site/trunk/_site/guide/guide/src/docs/guide/urls/urls_6.gdoc
(original)
+++ wicket/common/site/trunk/_site/guide/guide/src/docs/guide/urls/urls_6.gdoc
Fri Nov 14 15:28:51 2014
@@ -185,13 +185,13 @@ Generated URL:
h3. Encrypting page URLs
-Sometimes URLs are a doubleâedged sword for our site because they can expose
too many details about the internal structure of our web application and
malicious users could exploit them to perform a "cross-site request
forgery":http://en.wikipedia.org/wiki/Cross-site_request_forgery .
+Sometimes URLs are a doubleâedged sword for our site because they can expose
too many details about the internal structure of our web application making it
more vulnerable to malicious users.
-To avoid this kind of security threat we can use the CryptoMapper request
mapper which wraps an existing mapper and encrypts the original URL producing a
single encrypted segment:
+To avoid this kind of security threat we can use the @CryptoMapper@ request
mapper which wraps an existing mapper and encrypts the original URL producing a
single encrypted segment:
!url-encrypted.png!
-Typically, CryptoMapper is registered into a Wicket application as the root
request mapper wrapping the default one:
+Typically, @CryptoMapper@ is registered into a Wicket application as the root
request mapper wrapping the default one:
{code}
@Override
@@ -202,4 +202,8 @@ public void init() {
mountPage("/foo/", HomePage.class);
{code}
-As pointed out in the code above, pages and resources must be mounted after
having set CryptoMapper as root mapper, otherwise the mounted paths will not
work.
\ No newline at end of file
+As pointed out in the code above, pages and resources must be mounted after
having set @CryptoMapper@ as root mapper, otherwise the mounted paths will not
work.
+
+{warning}
+By default @CryptoMapper@ encrypts page URLs with a cipher that might not be
strong enough for production environment. Paragraph 21.4 will provide a more
detailed description of how Wicket encrypts page URLs and we will see how to
use stronger ciphers.
+{warning}
