Re: URL Encryption in detail

Thu, 19 Feb 2015 04:25:00 -0800 


On 19/02/2015 11:28, lucast wrote:

Dear forum,


Reading the Apache Wicket Guide on  URL Encryption in detail
<https://wicket.apache.org/guide/guide/security.html#security_4>  , the
section suggests that simply calling

is not enough for url encryption at production level.

Further down on that section, there is one recommendation of making the url
encryption stronger:



Is simply adding *getSecuritySettings().setCryptFactory(new
KeyInSessionSunJceCryptFactory())*; line enough to make the URLs on my
application better as suggested on  URL Encryption in detail
<https://wicket.apache.org/guide/guide/security.html#security_4>  ?

My impression is that maybe it isn't since I understand
KeyInSessionSunJceCryptFactory is the default CryptFactory for the
application.
Well no, the default one is CachingSunJceCryptFactory which does NOT generate a separate key for each user. On the contrary KeyInSessionSunJceCryptFactory creates a different key for each user (session). It uses a password-based algorithm to encrypt/decrypt urls which is secure enough for this purpose. 



In addition to this, CryptoMapper(IRequestMapper wrappedMapper,  Application
application) API Doc states that: "For better security it is recommended to
use CryptoMapper(IRequestMapper, IProvider) with a specific ICrypt
implementation that generates a separate key for each user.
KeyInSessionSunJceCryptFactory provides such an implementation that stores
the key in the HTTP session."

Does the above sentence mean that one ought to implement a CryptProvider
class using KeyInSessionSunJceCryptFactory or something better/stronger ?

Encryption and security are not my forte and at the same time I admit I am
looking for an out-of-the-box solution where I can just simply carry on
implementing the rest of my wicket app.


Thanks in advance,
Lucas

--
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/URL-Encryption-in-detail-tp4669640.html
Sent from the Users forum mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to