I think the book refers to Wicket 1.3. The default behaviour of
Settings#getCryptFactory has changed in 1.4. I think in 1.3 the default was
ClassCryptFactory with a default key, as still visible in
ISecuritySettings#DEFAULT_ENCRYPTION_KEY. Now in 1.4, the
KeyInSessionSunJceCryptFactory with a generated key (as you mentioned) is used.

On Wed, Jan 20, 2010 at 4:59 PM,  <mzem...@osc.state.ny.us> wrote:
> On page 331 of "Wicket In Action" is the following excerpt, "Note that you
> should modify the default encryption key that is stored in
> ISecuritySettings to prevent malicious hackers from using the default
> publicly available key as an attack vector."  Does this only pertain to
> when Sun JCE is not available and Wicket defaults to "no encryption?" From
> what I can gather, the key should be generated by...
>
> KeyInSessionSunJceCryptFactory.java
> if (key == null)
> {
>     // generate new key
>     key = session.getId() + "." + UUID.randomUUID().toString();
>     session.setAttribute(keyAttr, key);
> }

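An added illustration (not code from Wicket or from either poster) of the difference the thread discusses: with one shared default key, any deployment holding that key reads another's ciphertext, while a key generated per session as in the quoted snippet is useless outside that session. The PBE algorithm, salt, iteration count, placeholder key and sample string are constructed assumptions for this demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class CryptKeyDemo {
    // Constructed demo parameters (assumptions, not values taken from Wicket).
    static final String ALGORITHM = "PBEWithMD5AndDES";
    static final byte[] SALT = {1, 2, 3, 4, 5, 6, 7, 8};
    static final int ITERATIONS = 17;

    // Encrypt or decrypt with a key derived from the given passphrase.
    static byte[] crypt(int mode, String passphrase, byte[] input)
            throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(passphrase.toCharArray()));
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(mode, key, new PBEParameterSpec(SALT, ITERATIONS));
        return cipher.doFinal(input);
    }

    // True only if the passphrase recovers exactly the expected plaintext.
    // A wrong key normally fails the padding check but can rarely yield garbage.
    static boolean canRead(String passphrase, byte[] ciphertext, byte[] expected) {
        try {
            return Arrays.equals(expected, crypt(Cipher.DECRYPT_MODE, passphrase, ciphertext));
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    // Same construction as the quoted snippet: session id + "." + random UUID.
    static String sessionKey(String sessionId) {
        return sessionId + "." + UUID.randomUUID().toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] data = "constructed-sample-url-fragment".getBytes(StandardCharsets.UTF_8);
        String defaultKey = "PLACEHOLDER-DEFAULT-KEY"; // stands in for a publicly known default
        byte[] shared = crypt(Cipher.ENCRYPT_MODE, defaultKey, data);
        System.out.println("other holder of default key: " + canRead(defaultKey, shared, data));
        String keyA = sessionKey("session-A"), keyB = sessionKey("session-B");
        byte[] perSession = crypt(Cipher.ENCRYPT_MODE, keyA, data);
        System.out.println("owning session: " + canRead(keyA, perSession, data));
        System.out.println("different session: " + canRead(keyB, perSession, data));
    }
}
```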