Tumbler down
Hey all, just noticed that the Tumbler integration doesn‘t show up any projects. kind regards Tobias
Re: [GitHub] wicket pull request #283: Wicket-6563 page store implementation
Hi Edmund, many thanks for your first feedback. > this is an enormous amount of code to review so this will take some time Actually its mostly the old code squeezed into new classes. But we can take all the time we want to work on it. > I would recommend changing the code to using AES/CBC/PKCS5Padding with Sure, my first try was just using what popped up first in a Google search :P. It was just a nice opportunity to show how the new store chain is capable of adding encryption without much hassle. I've changed the crypt implementation now, I hope it performs better that way. Have fun Sven generated key: Am 09.07.2018 um 17:36 schrieb Emond Papegaaij: Hi Sven, Thanks for the work you have put into this. However, this is an enormous amount of code to review so this will take some time. I'll try to get this done this week, but I can't promise anything. For now, I can at least comment on CryptingPageStore.java. The ciphers used by this store are both obsolete and not applicable to this use case. It currently uses a Password Based Encryption (PBE) and a very insecure one (single DES). I would recommend changing the code to using AES/CBC/PKCS5Padding with a generated key: SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG", "SUN"); KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256, rnd); SecretKey key = keyGen.generateKey(); This key is serializable and can be stored in the session directly. Make sure that rnd is a SecureRandom with a strong algorithm, and very importantly: it must be reused. Due to application specific demands on this SecureRandom (such as automatic reseeding), I think users must be able to provide their own. To encrypt a page, use: Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, key, rnd); AlgorithmParameters params = cipher.getParameters(); byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV(); byte[] ciphertext = cipher.doFinal(plainpagebytes); byte[] result = Bytes.concat(iv, ciphertext); Use the same SecureRandom for the cipher.init. This will be used to generate the IV. To decrypt the page, use: byte[] iv = new byte[16]; byte[] ciphertext = new byte[cipherInput.length - 16]; System.arraycopy(cipherInput, 0, iv, 0, iv.length); System.arraycopy(cipherInput, 16, ciphertext, 0, ciphertext.length); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv)); byte[] plainpagebytes = cipher.doFinal(ciphertext); This should give a much stronger and faster algorithm than using PBEWithMD5AndDES. Best regards, Emond On maandag 9 juli 2018 16:45:43 CEST svenmeier wrote: GitHub user svenmeier opened a pull request: https://github.com/apache/wicket/pull/283 Wicket-6563 page store implementation Basically I propose to *unify IPageStore with IDateStore *allow all IPageStore implementations to use Request/Session data (see DiskPageStore, GroupingPageStore and CryptingPageStore) as needed *cut down PageStoreManager to a very simple manager with a chain of stores, each offering different solutions. I appreciate your feedback. You can merge this pull request into a Git repository by running: $ git pull https://github.com/apache/wicket WICKET-6563 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/wicket/pull/283.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #283 commit bcf76f517310ac5d27a2092595c3a925c3973067 Author: Sven Meier Date: 2018-06-25T15:19:41Z WICKET-6563 new IPageStore implementation commit a3604f7c359f9bbd2df03d57831c3f0d838ef521 Author: Sven Meier Date: 2018-07-03T18:18:10Z WICKET-6563 allow passing of SerializedPage between page stores commit ad1f9b88ce8412e2b8eec5de72073b9688deb3bb Author: Sven Meier Date: 2018-07-03T21:52:10Z WICKET-6563 javadoc and test for SerializingPageStore; keep page type in serializedpage commit 2f70db06d3aa7f1ee07c96e1287507fe0021f18e Author: Sven Meier Date: 2018-07-05T18:09:49Z WICKET-6563 crypt page store commit 7e9c7e5166fda6692163c9551dc56d3177acfe6d Author: Sven Meier Date: 2018-07-07T18:37:54Z WICKET-6563 IPageContext set synchronization prevent multiple threads from settings data into IPageContext concurrently commit fd7b26bac6f72d5ebc647f490263c41f169faec1 Author: Sven Meier Date: 2018-07-09T08:54:57Z WICKET-6563 improved test ---
Re: [GitHub] wicket pull request #283: Wicket-6563 page store implementation
Hi Sven, Thanks for the work you have put into this. However, this is an enormous amount of code to review so this will take some time. I'll try to get this done this week, but I can't promise anything. For now, I can at least comment on CryptingPageStore.java. The ciphers used by this store are both obsolete and not applicable to this use case. It currently uses a Password Based Encryption (PBE) and a very insecure one (single DES). I would recommend changing the code to using AES/CBC/PKCS5Padding with a generated key: SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG", "SUN"); KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256, rnd); SecretKey key = keyGen.generateKey(); This key is serializable and can be stored in the session directly. Make sure that rnd is a SecureRandom with a strong algorithm, and very importantly: it must be reused. Due to application specific demands on this SecureRandom (such as automatic reseeding), I think users must be able to provide their own. To encrypt a page, use: Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, key, rnd); AlgorithmParameters params = cipher.getParameters(); byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV(); byte[] ciphertext = cipher.doFinal(plainpagebytes); byte[] result = Bytes.concat(iv, ciphertext); Use the same SecureRandom for the cipher.init. This will be used to generate the IV. To decrypt the page, use: byte[] iv = new byte[16]; byte[] ciphertext = new byte[cipherInput.length - 16]; System.arraycopy(cipherInput, 0, iv, 0, iv.length); System.arraycopy(cipherInput, 16, ciphertext, 0, ciphertext.length); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv)); byte[] plainpagebytes = cipher.doFinal(ciphertext); This should give a much stronger and faster algorithm than using PBEWithMD5AndDES. Best regards, Emond On maandag 9 juli 2018 16:45:43 CEST svenmeier wrote: > GitHub user svenmeier opened a pull request: > > https://github.com/apache/wicket/pull/283 > > Wicket-6563 page store implementation > > Basically I propose to > *unify IPageStore with IDateStore > *allow all IPageStore implementations to use Request/Session data (see > DiskPageStore, GroupingPageStore and CryptingPageStore) as needed *cut down > PageStoreManager to a very simple manager with a chain of stores, each > offering different solutions. > > I appreciate your feedback. > > You can merge this pull request into a Git repository by running: > > $ git pull https://github.com/apache/wicket WICKET-6563 > > Alternatively you can review and apply these changes as the patch at: > > https://github.com/apache/wicket/pull/283.patch > > To close this pull request, make a commit to your master/trunk branch > with (at least) the following in the commit message: > > This closes #283 > > > commit bcf76f517310ac5d27a2092595c3a925c3973067 > Author: Sven Meier > Date: 2018-06-25T15:19:41Z > > WICKET-6563 new IPageStore implementation > > commit a3604f7c359f9bbd2df03d57831c3f0d838ef521 > Author: Sven Meier > Date: 2018-07-03T18:18:10Z > > WICKET-6563 allow passing of SerializedPage > > between page stores > > commit ad1f9b88ce8412e2b8eec5de72073b9688deb3bb > Author: Sven Meier > Date: 2018-07-03T21:52:10Z > > WICKET-6563 javadoc and test > > for SerializingPageStore; keep page type in serializedpage > > commit 2f70db06d3aa7f1ee07c96e1287507fe0021f18e > Author: Sven Meier > Date: 2018-07-05T18:09:49Z > > WICKET-6563 crypt page store > > commit 7e9c7e5166fda6692163c9551dc56d3177acfe6d > Author: Sven Meier > Date: 2018-07-07T18:37:54Z > > WICKET-6563 IPageContext set synchronization > > prevent multiple threads from settings data into IPageContext > concurrently > > commit fd7b26bac6f72d5ebc647f490263c41f169faec1 > Author: Sven Meier > Date: 2018-07-09T08:54:57Z > > WICKET-6563 improved test > > > > > ---
[GitHub] wicket pull request #283: Wicket-6563 page store implementation
GitHub user svenmeier opened a pull request: https://github.com/apache/wicket/pull/283 Wicket-6563 page store implementation Basically I propose to *unify IPageStore with IDateStore *allow all IPageStore implementations to use Request/Session data (see DiskPageStore, GroupingPageStore and CryptingPageStore) as needed *cut down PageStoreManager to a very simple manager with a chain of stores, each offering different solutions. I appreciate your feedback. You can merge this pull request into a Git repository by running: $ git pull https://github.com/apache/wicket WICKET-6563 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/wicket/pull/283.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #283 commit bcf76f517310ac5d27a2092595c3a925c3973067 Author: Sven Meier Date: 2018-06-25T15:19:41Z WICKET-6563 new IPageStore implementation commit a3604f7c359f9bbd2df03d57831c3f0d838ef521 Author: Sven Meier Date: 2018-07-03T18:18:10Z WICKET-6563 allow passing of SerializedPage between page stores commit ad1f9b88ce8412e2b8eec5de72073b9688deb3bb Author: Sven Meier Date: 2018-07-03T21:52:10Z WICKET-6563 javadoc and test for SerializingPageStore; keep page type in serializedpage commit 2f70db06d3aa7f1ee07c96e1287507fe0021f18e Author: Sven Meier Date: 2018-07-05T18:09:49Z WICKET-6563 crypt page store commit 7e9c7e5166fda6692163c9551dc56d3177acfe6d Author: Sven Meier Date: 2018-07-07T18:37:54Z WICKET-6563 IPageContext set synchronization prevent multiple threads from settings data into IPageContext concurrently commit fd7b26bac6f72d5ebc647f490263c41f169faec1 Author: Sven Meier Date: 2018-07-09T08:54:57Z WICKET-6563 improved test ---
Register now for ApacheCon and save $250
Greetings, Apache software enthusiasts! (You’re getting this because you’re on one or more dev@ or users@ lists for some Apache Software Foundation project.) ApacheCon North America, in Montreal, is now just 80 days away, and early bird prices end in just two weeks - on July 21. Prices will be going up from $550 to $800 so register NOW to save $250, at http://apachecon.com/acna18 And don’t forget to reserve your hotel room. We have negotiated a special rate and the room block closes August 24. http://www.apachecon.com/acna18/venue.html Our schedule includes over 100 talks and we’ll be featuring talks from dozens of ASF projects., We have inspiring keynotes from some of the brilliant members of our community and the wider tech space, including: * Myrle Krantz, PMC chair for Apache Fineract, and leader in the open source financing space * Cliff Schmidt, founder of Literacy Bridge (now Amplio) and creator of the Talking Book project * Bridget Kromhout, principal cloud developer advocate at Microsoft * Euan McLeod, Comcast engineer, and pioneer in streaming video We’ll also be featuring tracks for Geospatial science, Tomcat, Cloudstack, and Big Data, as well as numerous other fields where Apache software is leading the way. See the full schedule at http://apachecon.com/acna18/schedule.html As usual we’ll be running our Apache BarCamp, the traditional ApacheCon Hackathon, and the Wednesday evening Lighting Talks, too, so you’ll want to be there. Register today at http://apachecon.com/acna18 and we’ll see you in Montreal! -- Rich Bowen VP, Conferences, The Apache Software Foundation h...@apachecon.com @ApacheCon
Re: [jira] [Updated] (WICKET-6563) Rework page and data storage
Nice job Sven! I will try to review your changes ASAP. Thnak you. On Sat, Jul 7, 2018 at 10:11 PM, Sven Meier (JIRA) wrote: > > [ https://issues.apache.org/jira/browse/WICKET-6563?page= > com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] > > Sven Meier updated WICKET-6563: > --- > Description: > IPageManager, IPageStore and IDataStore are riddled with complicated and > error-prone code aiming to do one simple thing: keeping pages around. > > There are multiple problems with the current implementation: > * PageStoreManger does too much > ** it handles request and session storage > ** it contains workarounds for DiskDataStore, when the sessionId changes > * IPageStore/AbstractPageStore > ** has no access to IPageManagerContext > ** juggles with byte[], serialization and conversion > * IDataStore introduces an unncecessary third layer into the API > > Additional or specialized stores are difficult to implement. > > We should rework that. > > was: > IPageManager, IPageStore and IDataStore are riddled with complicated and > error-prone code aiming to do one simple thing: keeping pages around. > > We should rework that. > > > > Rework page and data storage > > > > > > Key: WICKET-6563 > > URL: https://issues.apache.org/jira/browse/WICKET-6563 > > Project: Wicket > > Issue Type: Improvement > > Components: wicket > >Affects Versions: 9.0.0 > >Reporter: Sven Meier > >Assignee: Sven Meier > >Priority: Minor > > > > IPageManager, IPageStore and IDataStore are riddled with complicated and > error-prone code aiming to do one simple thing: keeping pages around. > > There are multiple problems with the current implementation: > > * PageStoreManger does too much > > ** it handles request and session storage > > ** it contains workarounds for DiskDataStore, when the sessionId changes > > * IPageStore/AbstractPageStore > > ** has no access to IPageManagerContext > > ** juggles with byte[], serialization and conversion > > * IDataStore introduces an unncecessary third layer into the API > > Additional or specialized stores are difficult to implement. > > We should rework that. > > > > -- > This message was sent by Atlassian JIRA > (v7.6.3#76005) > -- Andrea Del Bene. Apache Wicket committer.