org.apache.wicket.protocol.http.request
Class CryptedUrlWebRequestCodingStrategy

java.lang.Object
  org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy

All Implemented Interfaces:

IRequestCodingStrategy, IRequestTargetMounter

public class CryptedUrlWebRequestCodingStrategy
extends java.lang.Object
implements IRequestCodingStrategy

This is a request coding strategy which encrypts the URL and hence makes it impossible for users to guess what is in the url and rebuild it manually. It uses the CryptFactory registered with the application to encode and decode the URL. Hence, the coding algorithm must be a two-way one (reversible). Because the algorithm is reversible, URLs which were bookmarkable before will remain bookmarkable.

To register the request coding strategy to need to do the following:

 protected IRequestCycleProcessor newRequestCycleProcessor()
 {
        return new WebRequestCycleProcessor()
        {
                protected IRequestCodingStrategy newRequestCodingStrategy()
                {
                        return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
                }
        };
 }
 

Note: When trying to hack urls in the browser an exception might be caught while decoding the URL. By default, for safety reasons a very simple WicketRuntimeException is thrown. The original stack trace is only logged.

Author:

Juergen Donnerstag

Nested Class Summary

class

CryptedUrlWebRequestCodingStrategy.HackAttackException

Constructor Summary

CryptedUrlWebRequestCodingStrategy(IRequestCodingStrategy defaultStrategy)
Construct.

Method Summary

RequestParameters	decode(Request request) Decode the querystring of the URL
protected java.lang.String	decodeURL(java.lang.String url) Decode the "x" parameter of the querystring
java.lang.CharSequence	encode(RequestCycle requestCycle, IRequestTarget requestTarget) Encode the querystring of the URL
protected java.lang.CharSequence	encodeURL(java.lang.CharSequence url) Returns the given url encoded.
void	mount(IRequestTargetUrlCodingStrategy urlCodingStrategy) Mounts a request target with the given path.
protected java.lang.String	onError(java.lang.Exception ex) Deprecated. Use onError(Exception, String)
protected java.lang.String	onError(java.lang.Exception ex, java.lang.String url)
java.lang.CharSequence	pathForTarget(IRequestTarget requestTarget) Gets the url that the provided request target conforms to.
protected java.lang.String	rebuildUrl(java.lang.CharSequence queryString) In case the query string has been shortened prior to encryption, than rebuild (lengthen) the query string now.
protected java.lang.CharSequence	shortenUrl(java.lang.CharSequence queryString) Try to shorten the querystring without loosing information.
IRequestTarget	targetForRequest(RequestParameters requestParameters) Gets the request target that conforms to the given request parameters.
void	unmount(java.lang.String path) Unmounts a request target.
IRequestTargetUrlCodingStrategy	urlCodingStrategyForPath(java.lang.String path) Gets the encoder that was mounted on the provided path if any.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CryptedUrlWebRequestCodingStrategy

public CryptedUrlWebRequestCodingStrategy(IRequestCodingStrategy defaultStrategy)

Construct.

Parameters:

defaultStrategy - The default strategy most requests are forwarded to

Method Detail

decode

public RequestParameters decode(Request request)

Decode the querystring of the URL

Specified by:

decode in interface IRequestCodingStrategy

Parameters:

request - the incoming request

Returns:

a request parameters object that corresponds to the request

See Also:

IRequestCodingStrategy.decode(org.apache.wicket.Request)

encode

public java.lang.CharSequence encode(RequestCycle requestCycle,
                                     IRequestTarget requestTarget)

Encode the querystring of the URL

Specified by:

encode in interface IRequestCodingStrategy

Parameters:

requestCycle - the current request cycle (for efficient access)

requestTarget - the request target

Returns:

the url to the provided target

See Also:

IRequestCodingStrategy.encode(org.apache.wicket.RequestCycle, org.apache.wicket.IRequestTarget)

mount

public void mount(IRequestTargetUrlCodingStrategy urlCodingStrategy)

Description copied from interface: IRequestTargetMounter

Mounts a request target with the given path.

Specified by:

mount in interface IRequestTargetMounter

Parameters:

urlCodingStrategy - The strategy to use for encoding and decoding urls

See Also:

IRequestTargetMounter.mount(org.apache.wicket.request.target.coding.IRequestTargetUrlCodingStrategy)

unmount

public void unmount(java.lang.String path)

Description copied from interface: IRequestTargetMounter

Unmounts a request target.

Specified by:

unmount in interface IRequestTargetMounter

Parameters:

path - the path to unmount

See Also:

IRequestTargetMounter.unmount(java.lang.String)

urlCodingStrategyForPath

public IRequestTargetUrlCodingStrategy urlCodingStrategyForPath(java.lang.String path)

Description copied from interface: IRequestTargetMounter

Gets the encoder that was mounted on the provided path if any.

Specified by:

urlCodingStrategyForPath in interface IRequestTargetMounter

Parameters:

path - the path

Returns:

The encoder/decoder that was mounted on the provided path, if any

See Also:

IRequestTargetMounter.urlCodingStrategyForPath(java.lang.String)

pathForTarget

public java.lang.CharSequence pathForTarget(IRequestTarget requestTarget)

Description copied from interface: IRequestTargetMounter

Gets the url that the provided request target conforms to.

Specified by:

pathForTarget in interface IRequestTargetMounter

Parameters:

requestTarget - the request target

Returns:

The url that the provided request target conforms to

See Also:

IRequestTargetMounter.pathForTarget(org.apache.wicket.IRequestTarget)

targetForRequest

public IRequestTarget targetForRequest(RequestParameters requestParameters)

Description copied from interface: IRequestTargetMounter

Gets the request target that conforms to the given request parameters.

Specified by:

targetForRequest in interface IRequestTargetMounter

Parameters:

requestParameters - the request parameters

Returns:

the request target or null if nothing was mounted with the given request parameters

See Also:

IRequestTargetMounter.targetForRequest(org.apache.wicket.request.RequestParameters)

encodeURL

protected java.lang.CharSequence encodeURL(java.lang.CharSequence url)

Returns the given url encoded.

Parameters:

url - The URL to encode

Returns:

The encoded url

decodeURL

protected java.lang.String decodeURL(java.lang.String url)

Decode the "x" parameter of the querystring

Parameters:

url - The encoded URL

Returns:

The decoded 'x' parameter of the querystring

onError

protected java.lang.String onError(java.lang.Exception ex)

Deprecated. Use onError(Exception, String)

Parameters:

ex -

Returns:

decoded URL

onError

protected java.lang.String onError(java.lang.Exception ex,
                                   java.lang.String url)

shortenUrl

protected java.lang.CharSequence shortenUrl(java.lang.CharSequence queryString)

Try to shorten the querystring without loosing information. Note: WebRequestWithCryptedUrl must implement exactly the opposite logic.

Parameters:

queryString - The original query string

Returns:

The shortened querystring

rebuildUrl

protected java.lang.String rebuildUrl(java.lang.CharSequence queryString)

In case the query string has been shortened prior to encryption, than rebuild (lengthen) the query string now. Note: This implementation must exactly match the reverse one implemented in WebResponseWithCryptedUrl.

Parameters:

queryString - The URL's query string

Returns:

The lengthened query string