jsessionid is managed by the servlet container. We can't encrypt it
because it's not part of the page path or query string; it's in its own
weird ;jsessionid thing that containers mangle in there. Maybe your
container has an option to encrypt it, or maybe you can write a plugin
for it that encrypts it...

-igor

On Mon, Nov 21, 2011 at 9:32 AM, lesterburlap <nbe...@voyence.com> wrote:
>
> lesterburlap wrote
>>
>> Caused by: java.lang.ClassCastException:
>> com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES cannot be cast to
>> javax.crypto.SecretKeyFactorySpi
>>       at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
>>       at
>> org.apache.wicket.util.crypt.SunJceCrypt.generateSecretKey(SunJceCrypt.java:119)
>>
>
> I'm guessing now that this issue must be a classpath version conflict of
> some sort between PBEKeyFactory and SecretKeyFactorySpi.  So, just for
> giggles, I went down the route of implementing the Wicket "TrivialCrypt",
> just to see if I could get URL encrypting to work at all.  That worked fine.
>
> However, the jsessionid still shows up in the URL, which was the entire
> reason I was wanting to encrypt the URL:
> http://localhost:8080/app/;jsessionid=1xb3ytqs2y4ch?x=ydXFzcXFxcU
>
> So, dang it.
>
> My whole point here is to prevent the "session fixation" security
> vulnerability with the JSESSIONID cookie being set on a (supposedly
> stateless) Login Page.  Calling WebSession.replaceSession() after Login to
> generate a new session id does not work for me because of some legacy
> authentication junk my Wicket app sits on top of (it relies on the session
> id to remain the same, or it totally freaks out).
>
> So, I've suppressed the JSESSIONID cookie from being written when the
> stateless Login Page loads (by setting an expired JSESSIONID cookie before
> the response is sent).  And also overriding WebApplication.newWebResponse so
> that it doesn't encode the jsessionid.  But then that causes wicket to stick
> the session id in new URLs after login (I guess because the JSESSIONID
> cookie is not present in the login POST data).
>
> Good times.  I think I have officially been defeated.
>
> LBB
>
> --
> View this message in context: 
> http://apache-wicket.1842946.n4.nabble.com/wicket-url-encoding-ClassCastException-using-SunJceCrypt-tp4090613p4092331.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
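The session-fixation concern raised above has a container-level answer that does not depend on Wicket's URL encryption at all: stop the container from rewriting `;jsessionid=...` into URLs, and rotate the session id once the user has authenticated. The code below is an added example, not code from Igor, lesterburlap or the Wicket project. It assumes a Servlet 3.0 or later container (`ServletContext.setSessionTrackingModes` and `SessionCookieConfig` were introduced in that version); the class and method names `SessionFixationDefence`, `SessionHardeningListener` and `rotateAfterLogin` are hypothetical names chosen for this example.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (hypothetical names, not Wicket code): two Servlet 3.0
 * defences against session fixation.
 *
 * 1. SessionHardeningListener: restrict session tracking to cookies so the
 *    container never emits ";jsessionid=..." in URLs, and mark the cookie
 *    HttpOnly and Secure.
 * 2. rotateAfterLogin(): invalidate whatever session id the client arrived
 *    with and issue a fresh one, carrying the attributes across.
 */
public final class SessionFixationDefence {

    /** Register via <listener-class> in web.xml or annotate with @WebListener. */
    public static final class SessionHardeningListener implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext ctx = sce.getServletContext();
            // Cookie-only tracking: encodeURL()/encodeRedirectURL() will no
            // longer append ;jsessionid=... to generated URLs.
            ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
            SessionCookieConfig cookie = ctx.getSessionCookieConfig();
            cookie.setHttpOnly(true); // not readable from page script
            cookie.setSecure(true);   // only transmitted over TLS
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) {
            // nothing to release
        }
    }

    /**
     * Call from the login handler only after the credentials have been
     * verified. Any session id that existed before authentication (possibly
     * one planted by an attacker) is invalidated; the returned session has a
     * new id and the same attributes.
     */
    public static HttpSession rotateAfterLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    private SessionFixationDefence() {
    }
}
```

The same cookie-only setting can be expressed declaratively in web.xml with `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`. On a Servlet 3.1 container `HttpServletRequest.changeSessionId()` rotates the id in place without the copy-and-invalidate step, which may suit a legacy layer that keeps its own reference to the `HttpSession` object. If an older authentication layer genuinely requires the id to stay constant across login, the remaining mitigation is to not create a session at all until the credentials are verified, so that there is no pre-authentication id to fix.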

