This is an automated email from the ASF dual-hosted git repository. svenmeier pushed a commit to branch WICKET-6864-crypt-enhancement in repository https://gitbox.apache.org/repos/asf/wicket.git
The following commit(s) were added to refs/heads/WICKET-6864-crypt-enhancement by this push: new 57a9ab1 WICKET-6864 updated crypt configuration 57a9ab1 is described below commit 57a9ab14388dba0da5ccb9af34d9662baf0b6557 Author: Sven Meier <svenme...@apache.org> AuthorDate: Wed Feb 10 18:13:34 2021 +0100 WICKET-6864 updated crypt configuration applied review changes --- .../strategy/DefaultAuthenticationStrategy.java | 12 ++++++------ .../core/util/crypt/KeyInSessionSunJceCryptFactory.java | 4 ++-- .../java/org/apache/wicket/util/crypt/SunJceCrypt.java | 15 +++++++++------ 3 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/wicket-core/src/main/java/org/apache/wicket/authentication/strategy/DefaultAuthenticationStrategy.java b/wicket-core/src/main/java/org/apache/wicket/authentication/strategy/DefaultAuthenticationStrategy.java
index 6567bdd..105db6a 100644
--- a/wicket-core/src/main/java/org/apache/wicket/authentication/strategy/DefaultAuthenticationStrategy.java
+++ b/wicket-core/src/main/java/org/apache/wicket/authentication/strategy/DefaultAuthenticationStrategy.java
@@ -16,7 +16,6 @@ */ package org.apache.wicket.authentication.strategy; -import java.util.Random; import java.util.UUID; import org.apache.wicket.authentication.IAuthenticationStrategy;
@@ -34,7 +33,7 @@ import org.slf4j.LoggerFactory; * password, encrypt it and put it into one Cookie. * <p> * Note: To support automatic authentication across application restarts you have to use - * the constructor {@link DefaultAuthenticationStrategy#DefaultAuthenticationStrategy(String, String, byte[])}. + * the constructor {@link DefaultAuthenticationStrategy#DefaultAuthenticationStrategy(String, ICrypt)}. * * @author Juergen Donnerstag */
@@ -48,7 +47,7 @@ public class DefaultAuthenticationStrategy implements IAuthenticationStrategy /** * @deprecated no longer used TODO remove in Wicket 10 */ - @Deprecated + @Deprecated(forRemoval = true) protected final String encryptionKey = null; /** The separator used to concatenate the username and password */
@@ -68,7 +67,7 @@ public class DefaultAuthenticationStrategy implements IAuthenticationStrategy * * @deprecated supply a crypt instead TODO remove in Wicket 10 */ - @Deprecated + @Deprecated(forRemoval = true) public DefaultAuthenticationStrategy(final String cookieKey) { this(cookieKey, defaultEncryptionKey());
@@ -82,7 +81,7 @@ public class DefaultAuthenticationStrategy implements IAuthenticationStrategy /** * @deprecated supply a crypt instead TODO remove in Wicket 10 */ - @Deprecated + @Deprecated(forRemoval = true) public DefaultAuthenticationStrategy(final String cookieKey, final String encryptionKey) { this(cookieKey, defaultCrypt(encryptionKey));
@@ -98,7 +97,8 @@ public class DefaultAuthenticationStrategy implements IAuthenticationStrategy } /** - * Constructor + * This is the recommended constructor to be used, which allows automatic authentication across + * application restarts. * * @param cookieKey * The name of the cookie
diff --git a/wicket-core/src/main/java/org/apache/wicket/core/util/crypt/KeyInSessionSunJceCryptFactory.java b/wicket-core/src/main/java/org/apache/wicket/core/util/crypt/KeyInSessionSunJceCryptFactory.java
index 381b83f..ef25aa7 100644
--- a/wicket-core/src/main/java/org/apache/wicket/core/util/crypt/KeyInSessionSunJceCryptFactory.java
+++ b/wicket-core/src/main/java/org/apache/wicket/core/util/crypt/KeyInSessionSunJceCryptFactory.java
@@ -19,7 +19,6 @@ package org.apache.wicket.core.util.crypt; import java.io.Serializable; import java.security.Provider; import java.security.Security; -import java.util.Random; import java.util.UUID; import org.apache.wicket.MetaDataKey;
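Review bot: The new Javadoc in the DefaultAuthenticationStrategy hunk at -98 calls this the recommended constructor and promises automatic authentication across application restarts, without stating what that depends on. This is presumably the `(String, ICrypt)` constructor named in the class Javadoc. Since that Javadoc says the strategy encrypts the username and password into one cookie, the restart behaviour and the confidentiality of those credentials both rest on the crypt the caller supplies. Presumably the cookie can only be decrypted after a restart if that crypt is built from a key and salt that persist. I would add a sentence such as `The crypt must use a key and salt that stay the same across restarts; it is the only protection of the credentials stored in the cookie.` The remaining parameters and the constructor body lie outside the hunk.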
@@ -114,8 +113,9 @@ public class KeyInSessionSunJceCryptFactory implements ICryptFactory /** * @return the {@link org.apache.wicket.util.crypt.ICrypt} to use * - * @deprecated this method is no longer called + * @deprecated this method is no longer called TODO remove in Wicket 10 */ + @Deprecated(forRemoval = true) protected ICrypt createCrypt() { return null;
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java b/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java
index 32bd77d..652e024 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java
@@ -69,8 +69,9 @@ public class SunJceCrypt extends AbstractCrypt /** * Constructor * - * @deprecated + * @deprecated TODO remove in Wicket 10 */ + @Deprecated(forRemoval = true) public SunJceCrypt() { this(DEFAULT_CRYPT_METHOD);
@@ -92,8 +93,9 @@ public class SunJceCrypt extends AbstractCrypt /** * Constructor * - * @deprecated + * @deprecated TODO remove in Wicket 10 */ + @Deprecated(forRemoval = true) public SunJceCrypt(String cryptMethod) { this(cryptMethod, SALT, DEFAULT_ITERATION_COUNT);
@@ -115,7 +117,7 @@ public class SunJceCrypt extends AbstractCrypt { this.cryptMethod = Args.notNull(cryptMethod, "Crypt method"); this.salt = Args.notNull(salt, "salt"); - this.iterationCount = iterationCount; + this.iterationCount = Args.withinRange(1, Integer.MAX_VALUE, iterationCount, "iterationCount"); } /**
@@ -195,13 +197,14 @@ public class SunJceCrypt extends AbstractCrypt } /** - * Create a random salt. + * Create a random salt to be used for this crypt. * - * @return salt + * @return salt, always 8 bytes long */ public static byte[] randomSalt() { - // only 8 bytes long supported + // must be 8 bytes - for anything else PBES1Core throws + // InvalidAlgorithmParameterException: Salt must be 8 bytes long byte[] salt = new byte[8]; new Random().nextBytes(salt); return salt;
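Review bot: The `@deprecated` tags added to `SunJceCrypt()` (hunk at -69) and `SunJceCrypt(String cryptMethod)` (hunk at -92) say only `TODO remove in Wicket 10`, giving neither a reason nor a replacement. The context line `this(cryptMethod, SALT, DEFAULT_ITERATION_COUNT);` shows both constructors end up using what looks like a shared `SALT` constant, so every crypt built through them gets the same salt. That is presumably why they are deprecated. I would word the tag as `@deprecated uses a fixed salt, use the constructor taking a salt and iteration count together with {@link #randomSalt()} instead TODO remove in Wicket 10`.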
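Review bot: The range check added to the `SunJceCrypt` constructor in the hunk at -115 accepts an `iterationCount` of 1, so it rejects zero and negative values but still allows a configuration with no real key stretching. The class appears to be a password-based cipher (the `randomSalt()` comment in the last hunk of this file mentions `PBES1Core`), where the iteration count is the work factor. If a higher floor is not possible for compatibility, the parameter's Javadoc should at least state the contract, e.g. `@param iterationCount number of iterations, must be at least 1; small values make password guessing cheaper`. The constructor's signature and Javadoc are outside the hunk.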
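Review bot: `randomSalt()` in the hunk at -195 still fills the salt with `new Random().nextBytes(salt);`, and the change only rewords the comments around it. If `Random` is `java.util.Random` (the file's imports are not shown), the salt comes from a non-cryptographic generator whose output follows from its seed. A salt is not secret, but it should be unpredictable and unique per key. I would replace the call with `new SecureRandom().nextBytes(salt);`, importing `java.security.SecureRandom`. The Javadoc could then say the salt comes from a cryptographically strong source.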