Re: URL Encryption in detail
On 19/02/2015 13:23, andrea del bene wrote:
> On 19/02/2015 11:28, lucast wrote:
>> Dear forum,
>>
>> Reading the Apache Wicket Guide on URL Encryption in detail <https://wicket.apache.org/guide/guide/security.html#security_4>, the section suggests that simply calling is not enough for URL encryption at production level. Further down in that section, there is one recommendation for making the URL encryption stronger:
>>
>> Is simply adding the *getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory())*; line enough to make the URLs in my application better, as suggested in URL Encryption in detail <https://wicket.apache.org/guide/guide/security.html#security_4>?
>>
>> My impression is that maybe it isn't, since I understand KeyInSessionSunJceCryptFactory is the default CryptFactory for the application.
>
> Well no, the default one is CachingSunJceCryptFactory, which does NOT generate a separate key for each user. On the contrary, KeyInSessionSunJceCryptFactory creates a different key for each user (session). It uses a password-based algorithm to encrypt/decrypt URLs which is secure enough for this purpose.

Sorry, with Wicket 6.19.0 the default CryptFactory is actually KeyInSessionSunJceCryptFactory, so you are OK with just:

    // in WicketApplication
    @Override
    public void init() {
        super.init();
        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
    }

You might need to implement your own stronger CryptFactory only if you are not satisfied with the password-based cipher.

- To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org For additional commands, e-mail: users-h...@wicket.apache.org
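The thread leaves the reader depending on whatever ICryptFactory a given Wicket release happens to install as the default. The configuration below is an added example (editor's code, not code from the thread or from the Wicket project) that wires CryptoMapper through the IProvider<ICrypt> constructor the quoted javadoc recommends, with KeyInSessionSunJceCryptFactory named explicitly, so the per-session key property holds regardless of the default. It also sets the same factory on the security settings, because the two-argument CryptoMapper(IRequestMapper, Application) constructor resolves its ICrypt through the application's security settings; keeping both in step means any other code that asks for the application crypt factory sees the same behaviour. Package names are taken from the Wicket 6.x layout and should be checked against the javadoc of the version in use; the `com.example.app` package and the `HomePage` class are assumptions for illustration.

```java
package com.example.app; // assumed package name, for illustration only

import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.CryptoMapper;
import org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.util.IProvider;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.ICryptFactory;

/**
 * Added example, not from the mailing-list thread or the Wicket project.
 * Installs CryptoMapper with an explicitly chosen per-session ICrypt provider,
 * so URL encryption does not depend on which ICryptFactory is the release default.
 */
public class WicketApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // HomePage is assumed to exist in the application
    }

    @Override
    public void init() {
        super.init();

        // One key per HttpSession, stored in the session itself: a URL encrypted for
        // user A cannot be decrypted under user B's key.
        final ICryptFactory perSessionFactory = new KeyInSessionSunJceCryptFactory();

        // Keep the application-wide setting consistent with what the mapper uses, so
        // getSecuritySettings().getCryptFactory() and the mapper agree.
        getSecuritySettings().setCryptFactory(perSessionFactory);

        // The constructor form the CryptoMapper javadoc recommends:
        // CryptoMapper(IRequestMapper, IProvider<ICrypt>). get() is invoked per request,
        // and the factory resolves the key belonging to the current session.
        IProvider<ICrypt> cryptProvider = new IProvider<ICrypt>() {
            @Override
            public ICrypt get() {
                return perSessionFactory.newCrypt();
            }
        };

        setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), cryptProvider));
    }
}
```

The trade-off to keep in mind when choosing the per-session factory: because the key lives in the HttpSession, an encrypted URL is only meaningful inside the session that produced it. Encrypted URLs that are bookmarked, shared with another user, or revisited after the session has expired cannot be decrypted with the new session's key, so if URLs must stay stable across sessions a session-bound key is the wrong tool and a different ICrypt design is needed.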
Re: URL Encryption in detail
On 19/02/2015 11:28, lucast wrote:
> Dear forum,
>
> Reading the Apache Wicket Guide on URL Encryption in detail <https://wicket.apache.org/guide/guide/security.html#security_4>, the section suggests that simply calling is not enough for URL encryption at production level. Further down in that section, there is one recommendation for making the URL encryption stronger:
>
> Is simply adding the *getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory())*; line enough to make the URLs in my application better, as suggested in URL Encryption in detail <https://wicket.apache.org/guide/guide/security.html#security_4>?
>
> My impression is that maybe it isn't, since I understand KeyInSessionSunJceCryptFactory is the default CryptFactory for the application.

Well no, the default one is CachingSunJceCryptFactory, which does NOT generate a separate key for each user. On the contrary, KeyInSessionSunJceCryptFactory creates a different key for each user (session). It uses a password-based algorithm to encrypt/decrypt URLs which is secure enough for this purpose.

> In addition to this, the CryptoMapper(IRequestMapper wrappedMapper, Application application) API doc states that:
>
> "For better security it is recommended to use CryptoMapper(IRequestMapper, IProvider) with a specific ICrypt implementation that generates a separate key for each user. KeyInSessionSunJceCryptFactory provides such an implementation that stores the key in the HTTP session."
>
> Does the above sentence mean that one ought to implement a CryptProvider class using KeyInSessionSunJceCryptFactory, or something better/stronger?
>
> Encryption and security are not my forte, and at the same time I admit I am looking for an out-of-the-box solution where I can just simply carry on implementing the rest of my wicket app.
>
> Thanks in advance,
> Lucas
URL Encryption in detail
Dear forum,

Reading the Apache Wicket Guide on URL Encryption in detail <https://wicket.apache.org/guide/guide/security.html#security_4>, the section suggests that simply calling is not enough for URL encryption at production level. Further down in that section, there is one recommendation for making the URL encryption stronger:

Is simply adding the *getSecuritySettings().setCryptFactory(new KeyInSessionSunJceCryptFactory())*; line enough to make the URLs in my application better, as suggested in URL Encryption in detail <https://wicket.apache.org/guide/guide/security.html#security_4>?

My impression is that maybe it isn't, since I understand KeyInSessionSunJceCryptFactory is the default CryptFactory for the application.

In addition to this, the CryptoMapper(IRequestMapper wrappedMapper, Application application) API doc states that:

"For better security it is recommended to use CryptoMapper(IRequestMapper, IProvider) with a specific ICrypt implementation that generates a separate key for each user. KeyInSessionSunJceCryptFactory provides such an implementation that stores the key in the HTTP session."

Does the above sentence mean that one ought to implement a CryptProvider class using KeyInSessionSunJceCryptFactory, or something better/stronger?

Encryption and security are not my forte, and at the same time I admit I am looking for an out-of-the-box solution where I can just simply carry on implementing the rest of my wicket app.

Thanks in advance,
Lucas

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/URL-Encryption-in-detail-tp4669640.html
Sent from the Users forum mailing list archive at Nabble.com.