A quick search through Wicket's fisheye [1] revealed the default was changed
in Wicket 1.3.5 to fix [2].

[1] <http://fisheye6.atlassian.com/browse/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java#r684127>
[2] <http://issues.apache.org/jira/browse/WICKET-1782>

On Wed, Jan 20, 2010 at 5:13 PM, Jonas <barney...@gmail.com> wrote:
> I think the book refers to wicket 1.3. The default behaviour of
> Settings#getCryptFactory has changed
> in 1.4. I think in 1.3 the default was ClassCryptFactory with a default key
> as still visible in ISecuritySettings#DEFAULT_ENCRYPTION_KEY. Now in 1.4,
> the KeyInSessionSunJceCryptFactory with a generated key (as you mentioned)
> is used.
>
> On Wed, Jan 20, 2010 at 4:59 PM,  <mzem...@osc.state.ny.us> wrote:
>> On page 331 of "Wicket In Action" is the following excerpt, "Note that you
>> should modify the default encryption key that is stored in
>> ISecuritySettings to prevent malicious hackers from using the default
>> publicly available key as an attack vector."  Does this only pertain to
>> when Sun JCE is not available and Wicket defaults to "no encryption?" From
>> what I can gather, the key should be generated by...
>>
>> KeyInSessionSunJceCryptFactory.java
>> if (key == null)
>> {
>>     // generate new key
>>     key = session.getId() + "." + UUID.randomUUID().toString();
>>     session.setAttribute(keyAttr, key);
>> }
>>
>
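For an application that is still on a Wicket 1.3 release older than 1.3.5, here is how the weak default discussed above compares with the per-session key factory, configured explicitly in the application's init(). This is an added example, not code from the thread or from the Wicket project; it assumes the Wicket 1.4 API signatures, and MyApplication and HomePage are hypothetical class names.

```java
import org.apache.wicket.Page;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.settings.ISecuritySettings;
import org.apache.wicket.util.crypt.ClassCryptFactory;
import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;
import org.apache.wicket.util.crypt.SunJceCrypt;

// Hypothetical application class, used only to show the two settings side by side.
public class MyApplication extends WebApplication {

    @Override
    protected void init() {
        super.init();
        ISecuritySettings security = getSecuritySettings();

        // Weak setting: the default in Wicket 1.3 before 1.3.5. Every deployment
        // shares the publicly known ISecuritySettings.DEFAULT_ENCRYPTION_KEY, so
        // anything encrypted with it (e.g. encrypted URLs) can be decrypted or
        // forged by anyone who reads the Wicket sources. Kept here commented out
        // only for comparison; never ship it.
        // security.setCryptFactory(new ClassCryptFactory(SunJceCrypt.class,
        //         ISecuritySettings.DEFAULT_ENCRYPTION_KEY));

        // Corrected setting: the factory that became the default in 1.3.5 and 1.4.
        // It generates a random key per HTTP session and stores it as a session
        // attribute, so no key is shared across deployments or across sessions.
        security.setCryptFactory(new KeyInSessionSunJceCryptFactory());
    }

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical home page of this application
    }
}
```

If the application must keep ClassCryptFactory for some reason, the minimum fix is to pass it a key read from deployment configuration rather than the DEFAULT_ENCRYPTION_KEY constant.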
