On page 331 of "Wicket In Action" is the following excerpt: "Note that you should modify the default encryption key that is stored in ISecuritySettings to prevent malicious hackers from using the default publicly available key as an attack vector." Does this only pertain to when Sun JCE is not available and Wicket defaults to "no encryption"? From what I can gather, the key should be generated by...
KeyInSessionSunJceCryptFactory.java

    if (key == null)
    {
        // generate new key
        key = session.getId() + "." + UUID.randomUUID().toString();
        session.setAttribute(keyAttr, key);
    }