On 19/02/2015 13:23, andrea del bene wrote:

On 19/02/2015 11:28, lucast wrote:
Dear forum,


Reading the Apache Wicket Guide on URL Encryption in detail
<https://wicket.apache.org/guide/guide/security.html#security_4>, the
section suggests that simply calling

is not enough for url encryption at production level.

Further down on that section, there is one recommendation of making the url
encryption stronger:



Is simply adding *getSecuritySettings().setCryptFactory(new
KeyInSessionSunJceCryptFactory())*; line enough to make the URLs on my
application better as suggested on URL Encryption in detail
<https://wicket.apache.org/guide/guide/security.html#security_4>?

My impression is that maybe it isn't since I understand
KeyInSessionSunJceCryptFactory is the default CryptFactory for the
application.
Well no, the default one is CachingSunJceCryptFactory, which does NOT generate a separate key for each user. On the contrary, KeyInSessionSunJceCryptFactory creates a different key for each user (session). It uses a password-based algorithm to encrypt/decrypt URLs, which is secure enough for this purpose.


Sorry, with Wicket 6.19.0 the default CryptFactory is actually KeyInSessionSunJceCryptFactory, so you are OK with just:

// WicketApplication (the WebApplication subclass)
@Override
public void init() {
  super.init();
  setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
}

You might need to implement your own stronger CryptFactory only if you are not satisfied with a password-based cipher.
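
What a custom CryptFactory of the kind mentioned above could look like, as an added example that is not part of the original thread and not Wicket's own code: it keeps a random AES key in each user's session and encrypts URLs with AES-GCM, so a URL that was altered or copied from another session fails authentication. The class name is hypothetical; it assumes the Wicket 6 ICrypt/ICryptFactory interfaces, Java 8 or later, and that returning null from decryptUrlSafe is treated as an undecryptable URL.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.wicket.MetaDataKey;
import org.apache.wicket.Session;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.ICryptFactory;
// Hypothetical class: AES-GCM URL crypt with a random key stored in each user's session.
public class SessionAesGcmCryptFactory implements ICryptFactory {
    private static final MetaDataKey<byte[]> KEY = new MetaDataKey<byte[]>() { };
    private static final SecureRandom RNG = new SecureRandom();
    @Override public ICrypt newCrypt() {
        Session session = Session.get();
        session.bind();                 // a temporary session would lose the key again
        byte[] key = session.getMetaData(KEY);
        if (key == null) {
            key = new byte[16];         // AES-128 key, random rather than password-derived
            RNG.nextBytes(key);
            session.setMetaData(KEY, key);
        }
        final SecretKeySpec aes = new SecretKeySpec(key, "AES");
        return new ICrypt() {
            @Override public void setKey(String ignored) { /* key comes from the session */ }
            @Override public String encryptUrlSafe(String plain) {
                try {
                    byte[] iv = new byte[12];
                    RNG.nextBytes(iv);  // fresh nonce for every encrypted URL
                    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                    c.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
                    byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
                    byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
                    return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
                } catch (Exception e) { throw new IllegalStateException(e); }
            }
            @Override public String decryptUrlSafe(String text) {
                try {
                    byte[] in = Base64.getUrlDecoder().decode(text);
                    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                    c.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, in, 0, 12));
                    return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
                } catch (Exception e) { return null; }  // tampered, truncated or foreign-session URL
            }
        };
    }
}
```

It would be registered in init() with getSecuritySettings().setCryptFactory(new SessionAesGcmCryptFactory()) before the CryptoMapper is installed.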
