lesterburlap wrote:

> Caused by: java.lang.ClassCastException:
> com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES cannot be cast to
> javax.crypto.SecretKeyFactorySpi
> at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
> at org.apache.wicket.util.crypt.SunJceCrypt.generateSecretKey(SunJceCrypt.java:119)
I'm guessing now that this issue must be a classpath version conflict of some sort between PBEKeyFactory and SecretKeyFactorySpi.

So, just for giggles, I went down the route of implementing the Wicket "TrivialCrypt", just to see if I could get URL encrypting to work at all. That worked fine. However, the jsessionid still shows up in the URL, which was the entire reason I was wanting to encrypt the URL:

http://localhost:8080/app/;jsessionid=1xb3ytqs2y4ch?x=ydXFzcXFxcU

So, dang it.

My whole point here is to prevent the "session fixation" security vulnerability with the JSESSIONID cookie being set on a (supposedly stateless) Login Page. Calling WebSession.replaceSession() after Login to generate a new session id does not work for me because of some legacy authentication junk my Wicket app sits on top of (it relies on the session id to remain the same, or it totally freaks out).

So, I've suppressed the JSESSIONID cookie from being written when the stateless Login Page loads (by setting an expired JSESSIONID cookie before the response is sent). And also overriding WebApplication.newWebResponse so that it doesn't encode the jsessionid. But then that causes Wicket to stick the session id in new URLs after login (I guess because the JSESSIONID cookie is not present in the login POST data). Good times.

I think I have officially been defeated.

LBB

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/wicket-url-encoding-ClassCastException-using-SunJceCrypt-tp4090613p4092331.html
Sent from the Users forum mailing list archive at Nabble.com.
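The post guesses at a classpath conflict between `PBEKeyFactory` and `SecretKeyFactorySpi`. A `ClassCastException` between a class and an interface it implements almost always means the interface type was loaded more than once (from two jars, or by two class loaders), so the concrete check is to list every copy of the `javax.crypto` types the web application can see. The following is an added diagnostic, not code from the post or from Wicket; it assumes it is run inside the same web application (for example from a servlet or an integration test) so the same class loaders are in play, and it repeats the `SecretKeyFactory.getInstance` call from the stack trace with the algorithm named by the failing provider class.

```java
// Added diagnostic (not from the post or from Wicket). Lists every location each
// suspect class can be loaded from; more than one location for an interface such
// as javax.crypto.SecretKeyFactorySpi is the classpath conflict the post suspects.
import java.io.IOException;
import java.net.URL;
import java.util.Collections;
import java.util.List;
import javax.crypto.SecretKeyFactory;

public final class JceClasspathCheck {

    private JceClasspathCheck() {}

    /** Every location the given class can be loaded from via the context loader. */
    public static List<URL> locationsOf(String binaryName) throws IOException {
        // '$' in a nested-class name is kept as-is; only '.' becomes '/'.
        String resource = binaryName.replace('.', '/') + ".class";
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = JceClasspathCheck.class.getClassLoader();
        }
        // getResources walks the parent chain, so bootstrap copies are included.
        return Collections.list(cl.getResources(resource));
    }

    /** Which loader actually defined the class the JVM resolved. */
    public static String loaderOf(Class<?> c) {
        ClassLoader cl = c.getClassLoader();
        return cl == null ? "bootstrap" : cl.toString();
    }

    public static void main(String[] args) throws Exception {
        // The three types named in the stack trace.
        String[] suspects = {
            "javax.crypto.SecretKeyFactorySpi",
            "javax.crypto.SecretKeyFactory",
            "com.sun.crypto.provider.PBEKeyFactory$PBEWithMD5AndDES",
        };
        for (String name : suspects) {
            List<URL> where = locationsOf(name);
            System.out.println(name + " -> " + where.size() + " location(s): " + where);
        }
        System.out.println("SecretKeyFactorySpi defined by: "
            + loaderOf(javax.crypto.SecretKeyFactorySpi.class));

        // Same call SunJceCrypt.generateSecretKey makes; the algorithm name is taken
        // from the provider class in the stack trace. If the conflict is present
        // this throws the ClassCastException from the post.
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
        System.out.println("getInstance OK via provider " + f.getProvider().getName());
    }
}
```

If `SecretKeyFactorySpi` resolves to two locations (for instance the JRE's own copy plus a copy bundled in `WEB-INF/lib`), the fix is to remove the bundled copy rather than to change the crypt implementation; if it resolves to one location but a different loader than the provider class, the container's class loader delegation order is the thing to look at.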
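The defence the post refers to, `WebSession.replaceSession()`, does the same thing as the plain Servlet API pattern below: throw away the session that existed while the user was anonymous and issue a fresh id once credentials have been verified, so an id handed out (or planted) before login never becomes an authenticated session. This is an added example, not code from the post or from Wicket; it assumes a Servlet 2.5+ container and a caller that has already verified the credentials, and it carries pre-login attributes over because an application may have stored state (such as a return URL) before authentication.

```java
// Added example (not from the post or from Wicket): session rotation after a
// successful login, written against the plain Servlet API.
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionFixationGuard {

    private SessionFixationGuard() {}

    /**
     * Replace the pre-login session with a new one and bind the authenticated
     * principal to the new session only.
     *
     * @param request       the login request, after credentials were verified
     * @param principalName the authenticated user (name of the attribute is assumed)
     * @return the new session id, guaranteed to differ from the pre-login id
     */
    public static String rotateSessionAfterLogin(HttpServletRequest request, String principalName) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        String oldId = null;

        if (old != null) {
            oldId = old.getId();
            // Enumeration<?> keeps this compiling on both Servlet 2.5 and 3.x.
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // The id that existed before authentication is now useless to anyone who knows it.
            old.invalidate();
        }

        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("principal", principalName);

        if (oldId != null && oldId.equals(fresh.getId())) {
            // A conforming container never reuses the id; treat reuse as a hard failure
            // rather than silently continuing with a fixable session.
            throw new IllegalStateException("container reused the pre-login session id");
        }
        return fresh.getId();
    }
}
```

Call it from the login form's submit handler after the credential check and before anything is written to the session as an authenticated user. The pre/post id comparison is the check to keep in a test: a login that returns the same `JSESSIONID` it was sent is the fixation condition the post is trying to close.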
