Re: CryptedUrlWebRequestCodingStrategy + WebRequestCodingStrategy = resource URLs are not encrypted (bug?).

Mon, 18 Jan 2010 08:18:54 -0800 

the original design goal of the crypted strategy was to only encrypt
what the user sees in the url bar. since they never see resource urls
there was no reason to encrypt those.

re fqns, you can add class aliases into SharedResources to hide those.

-igor

2010/1/18 Sergejs Olefirs <sergejs.olef...@parex.lv>:
> Hi,
>
> I started using Wicket rather recently. As part of our security
> considerations, we do not want immediately expose the underlying
> framework(s) we are using, so we went ahead with URL encryption. We used
> standard approach as described in examples:
>
> @Override
> protected IRequestCycleProcessor newRequestCycleProcessor() {
>
> return new WebRequestCycleProcessor(){
>  protected IRequestCodingStrategy newRequestCodingStrategy(){
>        return new CryptedUrlWebRequestCodingStrategy(new
> WebRequestCodingStrategy());
>       }
> };
>
> }
>
>
> Unfortunately I later discovered that this approach doesn't encrypt resource
> URLs, e.g. from:
> CSSPackageResource.getHeaderContribution(..);
> or
> link.add(new Image("logoImage"));
>
> What's worse such resource references include FQN of related classes.
>
>
> After some investigation I found out that the problem is that
> CryptedUrlWebRequestCodingStrategy only encrypts arguments string of the URL
> and WebRequestCodingStrategy encodes resource references as path rather than
> as argument.
>
> I was able to get around this by subclassing WebRequestCodingStrategy and
> overriding methods:
> addResourceParameters(..);
> encode(RequestCycle requestCycle, ISharedResourceRequestTarget
> requestTarget);
> to use arguments rather than path as resource reference.
>
>
> However I'm unsure as to original reasoning behind original
> CryptedUrlWebRequestCodingStrategy and WebRequestCodingStrategy. Is the
> resource behaviour simply a bug? Or is it there for some reason that is
> going to bite me down the road if I use my own 'fix'?
>
>
> Best regards,
> Sergey
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to