Dont know for sure but didn't we also encrypt cookies (form data) 2007/11/22, Daniel Fernández Garrido <[EMAIL PROTECTED]>: > Hello everyone, > > I am about to release a new version (1.4) of Jasypt [http://www.jasypt.org], > and I am considering the addition of some wicket integration features for > improving wicket's encryption capabilities. > > But I would first need to ask a couple of things :-)... > > > First, what I will do (have already done, in fact): I have added to jasypt > both an implentation of the org.apache.wicket.util.crypt.ICrypt and > org.apache.wicket.util.crypt.ICryptFactory interfaces. The idea is to use > JasyptFactory as the desired ICryptFactory implementation for the > application, like this: > > > ------(CODE WHICH WOULD GO INTO OUR "WebApplication" CLASS)------ > > @Override > protected void init() { > > super.init(); > > /* > * In the following code example we will create a Jasypt byte > * encryptor by hand, but in real world we can get it from Spring, > * configure it via Web PBE configuration... whatever we want to. > */ > StandardPBEByteEncryptor encryptor = new StandardPBEByteEncryptor(); > encryptor.setAlgorithm("PBEWithMD5AndDES"); > encryptor.setPassword("jasypt"); > > /* > * Create the Jasypt Crypt Factory with the desired encryptor, > * which will return org.jasypt.wicket.JasyptCrypt objects > implementing > * the org.apache.wicket.util.crypt.ICrypt interface. > */ > ICryptFactory jasyptCryptFactory = new JasyptCryptFactory(encryptor); > > /* > * Set the Jasypt Crypt Factory into the application configuration. > */ > getSecuritySettings().setCryptFactory(jasyptCryptFactory); > > } > > ------------ > > > But the question here is... what is the real use of the ICryptFactory today > (1.3.0-rc1) in wicket? Is it "only" encrypting URLs? (I see > PasswordTextFields are not encrypted anymore) > > And if so, would it be of real use/need? Of course, It would increase much > (as much as Java can) the security of the URLs' encryption but, would you > see any other uses? > > > If this is only used for encrypting URLs, and if I am not wrong, our > "WebApplication" class would also need something like this: > > > ------(CODE WHICH WOULD GO INTO OUR "WebApplication" CLASS)------ > > @Override > protected IRequestCycleProcessor newRequestCycleProcessor() { > > return new WebRequestCycleProcessor() { > @Override > protected IRequestCodingStrategy newRequestCodingStrategy() { > return new CryptedUrlWebRequestCodingStrategy(new > WebRequestCodingStrategy()); > } > }; > > } > > ------------ > > Would this be correct/adequate? > > > And more important: can I consider wicket's ICrypt and ICryptFactory > interfaces *stable*? (at least until a stable 1.3.0 release). Have you got > any short-term plans for changing anything in this encryption > infrastructure? > > > And the last thing: the "setKey()" method in ICrypt is not usable in Jasypt, > as encryptor configuration and initialization is quite more complex and PBE > keys (encryption passwords) cannot be changed once an encryptor has already > been initialized (password is set on the jasypt encryptor, not the > wicket-friendly JasyptCrypt). > > So, JasyptCrypt will always throw an exception if this method is called. > Currently in wicket, "setKey" is only called from > org.apache.wicket.util.crypt.ClassCryptFactory, which jasypt does not > extend, so this would not pose any problems for the future, but... could it > make sense that that "setKey" method were called by the developer anywhere > else? this would render jasypt integration quite complicated... > > > Sorry for the size of the message and the lot of questions :-) > > > Regards, > Daniel. >
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
