[ https://issues.apache.org/jira/browse/WICKET-5326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13756061#comment-13756061 ]

Jesse Long commented on WICKET-5326:
------------------------------------

Hi Walter,

1. True. IRequestListener URLs on the home page are displayed to the user 
unencrypted.

2. The URLs in your link and ajax fallback link are not absolute urls to the 
target page, they are session relative links like "?1-1.ILinkListener-link". 
The "?1-1" part means execute ILinkListener on component path "-link" for page 
number "1" (which has been rendered once). I know, it would be nicer if these 
were encrypted, but remember, if the links were encrypted, the encryption would 
probably not add anything to your security - the user would still have a link, 
which if he clicked would load Page2. He would still "know the fixed URL of the 
page" as much as he does now, considering what I said about "session relative". 
The encrypted URLs are also session relative.

3. Wicket does not know the target page for the AjaxFallbackLink or the Link - 
the target page is only set once the link is clicked, so Wicket would have no 
way of directly generating an encrypted URL for Page2. If you use 
BookmarkableLink you will see that the result is the same as your external 
link. This is because for bookmarkable and external link, Wicket already knows 
what the target page is, and so it can render an encrypted URL for that 
target page.

4. This "not encrypting IRequestListener URLs" behaviour only presents itself 
on the home page. The reason is: the home page is effectively a mounted page, 
mounted at "/". Some users want to have their own page parameters supplied to 
the home page. They want to be able to link to the home page using a 
BookmarkableLink with page parameters like: 
"/?startDate=2013-08-01&endDate=2013-09-02" etc etc. They don't want these page 
parameters to be encrypted. Ordinarily, when using the CryptoMapper, you mount 
pages AFTER the CryptoMapper is set as the root request mapper, so all mounted 
pages have that effect - page parameters are not encrypted. Because the home page 
is "mounted" before CryptoMapper is set, the default behaviour would be to 
encrypt the page parameters, but we make a special effort to not encrypt the 
URLs to the home page, so that the home page may have very similar if not 
exactly the same behaviour as normal mounted pages.

Having said all of that, maybe it is beneficial for us to encrypt URLs for the 
home page, when, and only when, the URL is an IRequestListener URL. Something 
like:

// to encrypt or not to encrypt, that is the question.
if (url.getSegments().isEmpty()) {
    // this is for the home page: no path segments, mounted at "/"
    Url.QueryParameter param = url.getQueryParameters().isEmpty()
        ? null : url.getQueryParameters().get(0);
    if (url.getQueryParameters().size() == 1 &&
            Strings.isEmpty(param.getValue()) &&
            PageComponentInfo.parse(param.getName()) != null) {
        // single, value-less parameter that parses as page/component info:
        // an IRequestListener URL, so return the encrypted url
    } else {
        // bookmarkable page parameters: return the unencrypted url
    }
}

Sven, Martin-g, what do you think?
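The home-page rule sketched in the comment above, as an added example that is not part of the Wicket project or of the comment itself: a stand-alone method a CryptoMapper subclass could call, run over the two kinds of home-page URL discussed (a session-relative listener URL and a bookmarkable URL with page parameters). The class name HomePageUrlPolicy and the sample URLs are assumptions for this example.

```java
import org.apache.wicket.request.Url;
import org.apache.wicket.request.mapper.info.PageComponentInfo;
import org.apache.wicket.util.string.Strings;

// Hypothetical helper (not Wicket's own code) deciding whether a home-page URL
// is an IRequestListener URL that should be encrypted by CryptoMapper.
public final class HomePageUrlPolicy
{
    private HomePageUrlPolicy() {}

    /**
     * True when url targets the home page (no path segments) and its only query
     * parameter is a bare, value-less page/component info such as
     * "1-1.ILinkListener-link". Bookmarkable home-page URLs carrying page
     * parameters (e.g. "?startDate=...&endDate=...") stay unencrypted.
     */
    public static boolean isHomePageListenerUrl(Url url)
    {
        if (!url.getSegments().isEmpty())
        {
            return false; // a mounted page, not the home page
        }
        if (url.getQueryParameters().size() != 1)
        {
            return false; // zero or several parameters: page parameters
        }
        Url.QueryParameter param = url.getQueryParameters().get(0);
        return Strings.isEmpty(param.getValue())
            && PageComponentInfo.parse(param.getName()) != null;
    }

    public static void main(String[] args)
    {
        // Constructed sample URLs taken from the discussion above.
        String[] samples = {
            "?1-1.ILinkListener-link",
            "?startDate=2013-08-01&endDate=2013-09-02",
            "mounted/page?1-1.ILinkListener-link" };
        for (String s : samples)
        {
            Url url = Url.parse(s);
            System.out.println(s + " -> encrypt: " + isHomePageListenerUrl(url));
        }
    }
}
```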
                
> Wicket doesn't encrypt links and Ajax URLs when CryptoMapper is used
> --------------------------------------------------------------------
>
>                 Key: WICKET-5326
>                 URL: https://issues.apache.org/jira/browse/WICKET-5326
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 6.10.0
>         Environment: Linux
>            Reporter: Walter B. Rasmann
>              Labels: security
>         Attachments: 5326.tar.gz
>
>
> URL encryption does not work in Wicket links and Ajax URLs.
> For links the URL appears unencrypted in the href attribute value and is only 
> later forwarded to the encrypted URL using a 302 response.
> I am uploading a quickstart.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
