Tumbler down
Hey all, just noticed that the Tumbler integration doesn‘t show up any projects. kind regards Tobias
Re: [GitHub] wicket pull request #283: Wicket-6563 page store implementation
Hi Edmund,
many thanks for your first feedback.
> this is an enormous amount of code to review so this will take some time
Actually its mostly the old code squeezed into new classes. But we can
take all the time we want to work on it.
> I would recommend changing the code to using AES/CBC/PKCS5Padding with
Sure, my first try was just using what popped up first in a Google
search :P.
It was just a nice opportunity to show how the new store chain is
capable of adding encryption without much hassle.
I've changed the crypt implementation now, I hope it performs better
that way.
Have fun
Sven
generated key:
Am 09.07.2018 um 17:36 schrieb Emond Papegaaij:
Hi Sven,
Thanks for the work you have put into this. However, this is an enormous
amount of code to review so this will take some time. I'll try to get this
done this week, but I can't promise anything.
For now, I can at least comment on CryptingPageStore.java. The ciphers used by
this store are both obsolete and not applicable to this use case. It currently
uses a Password Based Encryption (PBE) and a very insecure one (single DES). I
would recommend changing the code to using AES/CBC/PKCS5Padding with a
generated key:
SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG", "SUN");
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256, rnd);
SecretKey key = keyGen.generateKey();
This key is serializable and can be stored in the session directly. Make sure
that rnd is a SecureRandom with a strong algorithm, and very importantly: it
must be reused. Due to application specific demands on this SecureRandom (such
as automatic reseeding), I think users must be able to provide their own. To
encrypt a page, use:
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key, rnd);
AlgorithmParameters params = cipher.getParameters();
byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV();
byte[] ciphertext = cipher.doFinal(plainpagebytes);
byte[] result = Bytes.concat(iv, ciphertext);
Use the same SecureRandom for the cipher.init. This will be used to generate
the IV. To decrypt the page, use:
byte[] iv = new byte[16];
byte[] ciphertext = new byte[cipherInput.length - 16];
System.arraycopy(cipherInput, 0, iv, 0, iv.length);
System.arraycopy(cipherInput, 16, ciphertext, 0, ciphertext.length);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
byte[] plainpagebytes = cipher.doFinal(ciphertext);
This should give a much stronger and faster algorithm than using
PBEWithMD5AndDES.
Best regards,
Emond
On maandag 9 juli 2018 16:45:43 CEST svenmeier wrote:
GitHub user svenmeier opened a pull request:
https://github.com/apache/wicket/pull/283
Wicket-6563 page store implementation
Basically I propose to
*unify IPageStore with IDateStore
*allow all IPageStore implementations to use Request/Session data (see
DiskPageStore, GroupingPageStore and CryptingPageStore) as needed *cut down
PageStoreManager to a very simple manager with a chain of stores, each
offering different solutions.
I appreciate your feedback.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/apache/wicket WICKET-6563
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/wicket/pull/283.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #283
commit bcf76f517310ac5d27a2092595c3a925c3973067
Author: Sven Meier
Date: 2018-06-25T15:19:41Z
WICKET-6563 new IPageStore implementation
commit a3604f7c359f9bbd2df03d57831c3f0d838ef521
Author: Sven Meier
Date: 2018-07-03T18:18:10Z
WICKET-6563 allow passing of SerializedPage
between page stores
commit ad1f9b88ce8412e2b8eec5de72073b9688deb3bb
Author: Sven Meier
Date: 2018-07-03T21:52:10Z
WICKET-6563 javadoc and test
for SerializingPageStore; keep page type in serializedpage
commit 2f70db06d3aa7f1ee07c96e1287507fe0021f18e
Author: Sven Meier
Date: 2018-07-05T18:09:49Z
WICKET-6563 crypt page store
commit 7e9c7e5166fda6692163c9551dc56d3177acfe6d
Author: Sven Meier
Date: 2018-07-07T18:37:54Z
WICKET-6563 IPageContext set synchronization
prevent multiple threads from settings data into IPageContext
concurrently
commit fd7b26bac6f72d5ebc647f490263c41f169faec1
Author: Sven Meier
Date: 2018-07-09T08:54:57Z
WICKET-6563 improved test
---
Re: [GitHub] wicket pull request #283: Wicket-6563 page store implementation
Hi Sven,
Thanks for the work you have put into this. However, this is an enormous
amount of code to review so this will take some time. I'll try to get this
done this week, but I can't promise anything.
For now, I can at least comment on CryptingPageStore.java. The ciphers used by
this store are both obsolete and not applicable to this use case. It currently
uses a Password Based Encryption (PBE) and a very insecure one (single DES). I
would recommend changing the code to using AES/CBC/PKCS5Padding with a
generated key:
SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG", "SUN");
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256, rnd);
SecretKey key = keyGen.generateKey();
This key is serializable and can be stored in the session directly. Make sure
that rnd is a SecureRandom with a strong algorithm, and very importantly: it
must be reused. Due to application specific demands on this SecureRandom (such
as automatic reseeding), I think users must be able to provide their own. To
encrypt a page, use:
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key, rnd);
AlgorithmParameters params = cipher.getParameters();
byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV();
byte[] ciphertext = cipher.doFinal(plainpagebytes);
byte[] result = Bytes.concat(iv, ciphertext);
Use the same SecureRandom for the cipher.init. This will be used to generate
the IV. To decrypt the page, use:
byte[] iv = new byte[16];
byte[] ciphertext = new byte[cipherInput.length - 16];
System.arraycopy(cipherInput, 0, iv, 0, iv.length);
System.arraycopy(cipherInput, 16, ciphertext, 0, ciphertext.length);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
byte[] plainpagebytes = cipher.doFinal(ciphertext);
This should give a much stronger and faster algorithm than using
PBEWithMD5AndDES.
Best regards,
Emond
On maandag 9 juli 2018 16:45:43 CEST svenmeier wrote:
> GitHub user svenmeier opened a pull request:
>
> https://github.com/apache/wicket/pull/283
>
> Wicket-6563 page store implementation
>
> Basically I propose to
> *unify IPageStore with IDateStore
> *allow all IPageStore implementations to use Request/Session data (see
> DiskPageStore, GroupingPageStore and CryptingPageStore) as needed *cut down
> PageStoreManager to a very simple manager with a chain of stores, each
> offering different solutions.
>
> I appreciate your feedback.
>
> You can merge this pull request into a Git repository by running:
>
> $ git pull https://github.com/apache/wicket WICKET-6563
>
> Alternatively you can review and apply these changes as the patch at:
>
> https://github.com/apache/wicket/pull/283.patch
>
> To close this pull request, make a commit to your master/trunk branch
> with (at least) the following in the commit message:
>
> This closes #283
>
>
> commit bcf76f517310ac5d27a2092595c3a925c3973067
> Author: Sven Meier
> Date: 2018-06-25T15:19:41Z
>
> WICKET-6563 new IPageStore implementation
>
> commit a3604f7c359f9bbd2df03d57831c3f0d838ef521
> Author: Sven Meier
> Date: 2018-07-03T18:18:10Z
>
> WICKET-6563 allow passing of SerializedPage
>
> between page stores
>
> commit ad1f9b88ce8412e2b8eec5de72073b9688deb3bb
> Author: Sven Meier
> Date: 2018-07-03T21:52:10Z
>
> WICKET-6563 javadoc and test
>
> for SerializingPageStore; keep page type in serializedpage
>
> commit 2f70db06d3aa7f1ee07c96e1287507fe0021f18e
> Author: Sven Meier
> Date: 2018-07-05T18:09:49Z
>
> WICKET-6563 crypt page store
>
> commit 7e9c7e5166fda6692163c9551dc56d3177acfe6d
> Author: Sven Meier
> Date: 2018-07-07T18:37:54Z
>
> WICKET-6563 IPageContext set synchronization
>
> prevent multiple threads from settings data into IPageContext
> concurrently
>
> commit fd7b26bac6f72d5ebc647f490263c41f169faec1
> Author: Sven Meier
> Date: 2018-07-09T08:54:57Z
>
> WICKET-6563 improved test
>
>
>
>
> ---
[GitHub] wicket pull request #283: Wicket-6563 page store implementation
GitHub user svenmeier opened a pull request: https://github.com/apache/wicket/pull/283 Wicket-6563 page store implementation Basically I propose to *unify IPageStore with IDateStore *allow all IPageStore implementations to use Request/Session data (see DiskPageStore, GroupingPageStore and CryptingPageStore) as needed *cut down PageStoreManager to a very simple manager with a chain of stores, each offering different solutions. I appreciate your feedback. You can merge this pull request into a Git repository by running: $ git pull https://github.com/apache/wicket WICKET-6563 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/wicket/pull/283.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #283 commit bcf76f517310ac5d27a2092595c3a925c3973067 Author: Sven Meier Date: 2018-06-25T15:19:41Z WICKET-6563 new IPageStore implementation commit a3604f7c359f9bbd2df03d57831c3f0d838ef521 Author: Sven Meier Date: 2018-07-03T18:18:10Z WICKET-6563 allow passing of SerializedPage between page stores commit ad1f9b88ce8412e2b8eec5de72073b9688deb3bb Author: Sven Meier Date: 2018-07-03T21:52:10Z WICKET-6563 javadoc and test for SerializingPageStore; keep page type in serializedpage commit 2f70db06d3aa7f1ee07c96e1287507fe0021f18e Author: Sven Meier Date: 2018-07-05T18:09:49Z WICKET-6563 crypt page store commit 7e9c7e5166fda6692163c9551dc56d3177acfe6d Author: Sven Meier Date: 2018-07-07T18:37:54Z WICKET-6563 IPageContext set synchronization prevent multiple threads from settings data into IPageContext concurrently commit fd7b26bac6f72d5ebc647f490263c41f169faec1 Author: Sven Meier Date: 2018-07-09T08:54:57Z WICKET-6563 improved test ---
Register now for ApacheCon and save $250
Greetings, Apache software enthusiasts! (You’re getting this because you’re on one or more dev@ or users@ lists for some Apache Software Foundation project.) ApacheCon North America, in Montreal, is now just 80 days away, and early bird prices end in just two weeks - on July 21. Prices will be going up from $550 to $800 so register NOW to save $250, at http://apachecon.com/acna18 And don’t forget to reserve your hotel room. We have negotiated a special rate and the room block closes August 24. http://www.apachecon.com/acna18/venue.html Our schedule includes over 100 talks and we’ll be featuring talks from dozens of ASF projects., We have inspiring keynotes from some of the brilliant members of our community and the wider tech space, including: * Myrle Krantz, PMC chair for Apache Fineract, and leader in the open source financing space * Cliff Schmidt, founder of Literacy Bridge (now Amplio) and creator of the Talking Book project * Bridget Kromhout, principal cloud developer advocate at Microsoft * Euan McLeod, Comcast engineer, and pioneer in streaming video We’ll also be featuring tracks for Geospatial science, Tomcat, Cloudstack, and Big Data, as well as numerous other fields where Apache software is leading the way. See the full schedule at http://apachecon.com/acna18/schedule.html As usual we’ll be running our Apache BarCamp, the traditional ApacheCon Hackathon, and the Wednesday evening Lighting Talks, too, so you’ll want to be there. Register today at http://apachecon.com/acna18 and we’ll see you in Montreal! -- Rich Bowen VP, Conferences, The Apache Software Foundation h...@apachecon.com @ApacheCon
Re: [jira] [Updated] (WICKET-6563) Rework page and data storage
Nice job Sven! I will try to review your changes ASAP. Thnak you. On Sat, Jul 7, 2018 at 10:11 PM, Sven Meier (JIRA) wrote: > > [ https://issues.apache.org/jira/browse/WICKET-6563?page= > com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] > > Sven Meier updated WICKET-6563: > --- > Description: > IPageManager, IPageStore and IDataStore are riddled with complicated and > error-prone code aiming to do one simple thing: keeping pages around. > > There are multiple problems with the current implementation: > * PageStoreManger does too much > ** it handles request and session storage > ** it contains workarounds for DiskDataStore, when the sessionId changes > * IPageStore/AbstractPageStore > ** has no access to IPageManagerContext > ** juggles with byte[], serialization and conversion > * IDataStore introduces an unncecessary third layer into the API > > Additional or specialized stores are difficult to implement. > > We should rework that. > > was: > IPageManager, IPageStore and IDataStore are riddled with complicated and > error-prone code aiming to do one simple thing: keeping pages around. > > We should rework that. > > > > Rework page and data storage > > > > > > Key: WICKET-6563 > > URL: https://issues.apache.org/jira/browse/WICKET-6563 > > Project: Wicket > > Issue Type: Improvement > > Components: wicket > >Affects Versions: 9.0.0 > >Reporter: Sven Meier > >Assignee: Sven Meier > >Priority: Minor > > > > IPageManager, IPageStore and IDataStore are riddled with complicated and > error-prone code aiming to do one simple thing: keeping pages around. > > There are multiple problems with the current implementation: > > * PageStoreManger does too much > > ** it handles request and session storage > > ** it contains workarounds for DiskDataStore, when the sessionId changes > > * IPageStore/AbstractPageStore > > ** has no access to IPageManagerContext > > ** juggles with byte[], serialization and conversion > > * IDataStore introduces an unncecessary third layer into the API > > Additional or specialized stores are difficult to implement. > > We should rework that. > > > > -- > This message was sent by Atlassian JIRA > (v7.6.3#76005) > -- Andrea Del Bene. Apache Wicket committer.
