wicket-user-guide/src/main/asciidoc/security/security_4.adoc - wicket - Git at Google


 In chapter <<_generating_structured_and_clear_urls,10.6>> we have seen how to encrypt URLs using _CryptoMapper_ request mapper. To encrypt/decrypt page URLs _CryptoMapper_ uses an instance of _org.apache.wicket.util.crypt.ICrypt_ interface:

 [source,java]
 ----
 public interface ICrypt
 {
 	String encryptUrlSafe(final String plainText);

 	String decryptUrlSafe(final String encryptedText);

 	...
 }
 ----

 The default implementation for this interface is class _org.apache.wicket.util.crypt.SunJceCrypt_. It provides password-based cryptography using _PBEWithMD5AndDES_ algorithm coming with the standard security providers in the Java Runtime Environment.

 NOTE: For better security it is recommended to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html[Policy Files]

 By using _CryptoMapper(IRequestMapper wrappedMapper, Application application)_ constructor the mapper will use the configured _org.apache.wicket.util.crypt.ICryptFactory_ from _org.apache.wicket.settings.SecuritySettings.getCryptFactory()_. To use a stronger cryptography mechanism there are the following options:

 * The first option is to use constructor _CryptoMapper(IRequestMapper wrappedMapper, Supplier<ICrypt> cryptProvider)_ and give it an implementation of _java.util.function.Supplier_ that returns a custom _org.apache.wicket.util.crypt.ICrypt_.

 * The second option is to register a cipher factory at application level with method _setCryptFactory(ICryptFactory cryptFactory)_ of class _SecuritySettings_:

 [source,java]
 ----
 @Override
 public void init() {
 	super.init();
 	getSecuritySettings().setCryptFactory(new SomeCryptFactory());
 	setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
 }
 ----


 Since version 6.19.0 Wicket uses _org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory_ as a default factory for _ICrypt_ objects. This factory generates a unique key for each user that is stored in her HTTP
 session. This way it helps to protect the application against https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)[CSRF]
 for each user of the application. The url itself serves as https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Encrypted_Token_Pattern[encrypted token]

 WARNING: _org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory_ binds the http session if it is not already bound! If the application needs to run in stateless mode then the application will have to provide a custom
 implementation of _ICryptFactory_ that stores the user specific keys by other means.

	In chapter <<_generating_structured_and_clear_urls,10.6>> we have seen how to encrypt URLs using _CryptoMapper_ request mapper. To encrypt/decrypt page URLs _CryptoMapper_ uses an instance of _org.apache.wicket.util.crypt.ICrypt_ interface:

	[source,java]
	----
	public interface ICrypt
	{
	String encryptUrlSafe(final String plainText);

	String decryptUrlSafe(final String encryptedText);

	...
	}
	----

	The default implementation for this interface is class _org.apache.wicket.util.crypt.SunJceCrypt_. It provides password-based cryptography using _PBEWithMD5AndDES_ algorithm coming with the standard security providers in the Java Runtime Environment.

	NOTE: For better security it is recommended to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html[Policy Files]

	By using _CryptoMapper(IRequestMapper wrappedMapper, Application application)_ constructor the mapper will use the configured _org.apache.wicket.util.crypt.ICryptFactory_ from _org.apache.wicket.settings.SecuritySettings.getCryptFactory()_. To use a stronger cryptography mechanism there are the following options:

	* The first option is to use constructor _CryptoMapper(IRequestMapper wrappedMapper, Supplier<ICrypt> cryptProvider)_ and give it an implementation of _java.util.function.Supplier_ that returns a custom _org.apache.wicket.util.crypt.ICrypt_.

	* The second option is to register a cipher factory at application level with method _setCryptFactory(ICryptFactory cryptFactory)_ of class _SecuritySettings_:

	[source,java]
	----
	@Override
	public void init() {
	super.init();
	getSecuritySettings().setCryptFactory(new SomeCryptFactory());
	setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
	}
	----


	Since version 6.19.0 Wicket uses _org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory_ as a default factory for _ICrypt_ objects. This factory generates a unique key for each user that is stored in her HTTP
	session. This way it helps to protect the application against https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)[CSRF]
	for each user of the application. The url itself serves as https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Encrypted_Token_Pattern[encrypted token]

	WARNING: _org.apache.wicket.core.util.crypt.KeyInSessionSunJceCryptFactory_ binds the http session if it is not already bound! If the application needs to run in stateless mode then the application will have to provide a custom
	implementation of _ICryptFactory_ that stores the user specific keys by other means.