java.lang.Object
  org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy

public class CryptedUrlWebRequestCodingStrategy
extends Object
implements IRequestCodingStrategy, IRequestTargetMounter
This is a request coding strategy which encrypts the URL, so that users can neither read what is in the URL nor rebuild it by hand. It uses the ICryptFactory registered with the application to encode and decode the URL. Hence the coding algorithm must be a two-way (reversible) one: a one-way hash cannot be used here.
To register the request coding strategy you need to override newRequestCycleProcessor() in your WebApplication subclass as follows:

    protected IRequestCycleProcessor newRequestCycleProcessor()
    {
        return new WebRequestCycleProcessor()
        {
            protected IRequestCodingStrategy newRequestCodingStrategy()
            {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
    }

Note: When a user tampers with the URL in the browser, decoding the URL may fail with an exception. By default, for safety reasons, a very simple WicketRuntimeException (CryptedUrlWebRequestCodingStrategy.HackAttackException) is thrown to the caller; the original exception and its stack trace are only logged, so no decryption details reach the client. Override onError(Exception, String) to change this behaviour.
Note: by default Wicket uses KeyInSessionSunJceCryptFactory to encrypt the query string. KeyInSessionSunJceCryptFactory creates a unique encryption key per session and uses the session as its persistence store. Hence stateless pages will create a session as well and are no longer stateless. You may avoid that by implementing your own ICryptFactory which e.g. uses an application-wide encryption key and thus doesn't need a session. Be aware of the trade-off: with a per-session key an encrypted URL only decrypts in the session that produced it, so a link forged by an attacker is rejected in a victim's session; with an application-wide key every user shares the same key, the encrypted URL no longer acts as a per-session token, and this can potentially open your application to vulnerabilities such as CSRF attacks. You can register your own ICryptFactory via Application.getSecuritySettings().setCryptFactory().

Note: The usage of the default KeyInSessionSunJceCryptFactory will also make all bookmarkable urls generated during the user's session non-bookmarkable, because they are encrypted with a session-relative encryption key and cannot be decrypted once that session is gone; however, bookmarkable urls are still available through their mounts.
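The following is an added example, not code from the Wicket project or from this page. It ties the three notes above together: it registers CryptedUrlWebRequestCodingStrategy from a WebApplication subclass, overrides onError(Exception, String) so that a tampered URL is logged with the client address before the default HackAttackException is raised, and shows the application-wide-key ICryptFactory the note above warns about, kept behind an explicit switch so the default per-session factory stays in force unless you knowingly accept the CSRF trade-off. SecureUrlApplication, HomePage, AuditedCryptedUrlStrategy, ApplicationKeyCryptFactory, the USE_SESSION_KEY switch and the WICKET_URL_KEY environment variable are assumptions of this example; everything else is Wicket 1.4 API (the class being documented, WebApplication, WebRequestCycleProcessor, WebRequest, SunJceCrypt, ICryptFactory) and slf4j, which Wicket 1.4 logs through.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.Page;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.apache.wicket.util.crypt.ICrypt;
import org.apache.wicket.util.crypt.ICryptFactory;
import org.apache.wicket.util.crypt.SunJceCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical application class used to demonstrate the notes above. */
public class SecureUrlApplication extends WebApplication
{
    private static final Logger log = LoggerFactory.getLogger(SecureUrlApplication.class);

    // true  = keep the default KeyInSessionSunJceCryptFactory (per-session key; stateless
    //         pages create a session, encrypted URLs are not bookmarkable).
    // false = application-wide key (no session needed, but every user shares the key,
    //         so forged URLs are valid in any session: the CSRF trade-off).
    private static final boolean USE_SESSION_KEY = true;

    @Override
    public Class<? extends Page> getHomePage()
    {
        return HomePage.class; // hypothetical page class, assumed to exist
    }

    @Override
    protected void init()
    {
        super.init();
        if (!USE_SESSION_KEY)
        {
            getSecuritySettings().setCryptFactory(new ApplicationKeyCryptFactory(loadKey()));
        }
        // otherwise the default KeyInSessionSunJceCryptFactory stays registered
    }

    /** Registration exactly as the class notes describe, with the audited subclass. */
    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor()
    {
        return new WebRequestCycleProcessor()
        {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy()
            {
                return new AuditedCryptedUrlStrategy(new WebRequestCodingStrategy());
            }
        };
    }

    /** Records tampering attempts, then defers to the default handling (HackAttackException). */
    private static final class AuditedCryptedUrlStrategy extends CryptedUrlWebRequestCodingStrategy
    {
        AuditedCryptedUrlStrategy(IRequestCodingStrategy defaultStrategy)
        {
            super(defaultStrategy);
        }

        @Override
        protected String onError(Exception ex, String url)
        {
            String remote = "unknown";
            RequestCycle cycle = RequestCycle.get();
            if (cycle != null && cycle.getRequest() instanceof WebRequest)
            {
                HttpServletRequest http = ((WebRequest)cycle.getRequest()).getHttpServletRequest();
                remote = http.getRemoteAddr();
            }
            // One line per attempt, without the stack trace, so a detection rule can key on it.
            log.warn("URL tamper attempt from {}: {}", remote, url);
            return super.onError(ex, url); // default: logs the cause and throws HackAttackException
        }
    }

    /** ICryptFactory with one application-wide key: the session-free alternative from the notes. */
    private static final class ApplicationKeyCryptFactory implements ICryptFactory
    {
        private final String key;

        ApplicationKeyCryptFactory(String key)
        {
            this.key = key;
        }

        public ICrypt newCrypt()
        {
            SunJceCrypt crypt = new SunJceCrypt();
            crypt.setKey(key); // same key for every session, hence the CSRF caveat
            return crypt;
        }
    }

    /** Assumption: the key is injected through the environment, never hard-coded in source. */
    private static String loadKey()
    {
        String key = System.getenv("WICKET_URL_KEY");
        if (key == null || key.length() < 16)
        {
            throw new IllegalStateException("WICKET_URL_KEY must be set to at least 16 characters");
        }
        return key;
    }
}
```

Leave USE_SESSION_KEY at true unless the application genuinely needs stateless pages to stay stateless; if you flip it, treat the encrypted URL as obfuscation only and rely on Wicket's own CSRF defences rather than on the encryption.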
Nested Class Summary

| Modifier and Type | Class and Description |
|---|---|
| class | CryptedUrlWebRequestCodingStrategy.HackAttackException |

Constructor Summary

| Constructor and Description |
|---|
| CryptedUrlWebRequestCodingStrategy(IRequestCodingStrategy defaultStrategy): Construct. |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| void | addIgnoreMountPath(String path): Partly unmounts/ignores a path that normally would map to another mount path. |
| RequestParameters | decode(Request request): Decode the querystring of the URL. |
| protected String | decodeURL(String url): Decode the "x" parameter of the querystring. |
| CharSequence | encode(RequestCycle requestCycle, IRequestTarget requestTarget): Encode the querystring of the URL. |
| protected CharSequence | encodeURL(CharSequence url): Returns the given url encoded. |
| void | mount(IRequestTargetUrlCodingStrategy urlCodingStrategy): Mounts a request target with the given path. |
| protected String | onError(Exception ex): Deprecated. Use onError(Exception, String). |
| protected String | onError(Exception ex, String url) |
| CharSequence | pathForTarget(IRequestTarget requestTarget): Gets the url that the provided request target conforms to. |
| protected String | rebuildUrl(CharSequence queryString): In case the query string has been shortened prior to encryption, rebuild (lengthen) the query string now. |
| String | rewriteStaticRelativeUrl(String string): Rewrites relative paths found in static markup attributes (src, href, background) of wicket pages. |
| protected CharSequence | shortenUrl(CharSequence queryString): Try to shorten the querystring without losing information. |
| IRequestTarget | targetForRequest(RequestParameters requestParameters): Gets the request target that conforms to the given request parameters. |
| void | unmount(String path): Unmounts a request target. |
| IRequestTargetUrlCodingStrategy | urlCodingStrategyForPath(String path): Gets the encoder that was mounted on the provided path if any. |

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public CryptedUrlWebRequestCodingStrategy(IRequestCodingStrategy defaultStrategy)

Parameters:
    defaultStrategy - The default strategy most requests are forwarded to

Method Detail
public RequestParameters decode(Request request)

Specified by:
    decode in interface IRequestCodingStrategy
Parameters:
    request - the incoming request
See Also:
    IRequestCodingStrategy.decode(org.apache.wicket.Request)

public CharSequence encode(RequestCycle requestCycle, IRequestTarget requestTarget)

Specified by:
    encode in interface IRequestCodingStrategy
Parameters:
    requestCycle - the current request cycle (for efficient access)
    requestTarget - the request target
See Also:
    IRequestCodingStrategy.encode(org.apache.wicket.RequestCycle, org.apache.wicket.IRequestTarget)

public void mount(IRequestTargetUrlCodingStrategy urlCodingStrategy)

Description copied from interface: IRequestTargetMounter
Specified by:
    mount in interface IRequestTargetMounter
Parameters:
    urlCodingStrategy - The strategy to use for encoding and decoding urls
See Also:
    IRequestTargetMounter.mount(org.apache.wicket.request.target.coding.IRequestTargetUrlCodingStrategy)

public void unmount(String path)

Description copied from interface: IRequestTargetMounter
Specified by:
    unmount in interface IRequestTargetMounter
Parameters:
    path - the path to unmount
See Also:
    IRequestTargetMounter.unmount(java.lang.String)

public void addIgnoreMountPath(String path)

Description copied from interface: IRequestTargetMounter
Specified by:
    addIgnoreMountPath in interface IRequestTargetMounter
Parameters:
    path - the path that should be ignored.
See Also:
    IRequestTargetMounter.addIgnoreMountPath(java.lang.String)

public IRequestTargetUrlCodingStrategy urlCodingStrategyForPath(String path)

Description copied from interface: IRequestTargetMounter
Specified by:
    urlCodingStrategyForPath in interface IRequestTargetMounter
Parameters:
    path - the path
See Also:
    IRequestTargetMounter.urlCodingStrategyForPath(java.lang.String)

public CharSequence pathForTarget(IRequestTarget requestTarget)

Description copied from interface: IRequestTargetMounter
Specified by:
    pathForTarget in interface IRequestTargetMounter
Parameters:
    requestTarget - the request target
See Also:
    IRequestTargetMounter.pathForTarget(org.apache.wicket.IRequestTarget)

public IRequestTarget targetForRequest(RequestParameters requestParameters)

Description copied from interface: IRequestTargetMounter
Specified by:
    targetForRequest in interface IRequestTargetMounter
Parameters:
    requestParameters - the request parameters
See Also:
    IRequestTargetMounter.targetForRequest(org.apache.wicket.request.RequestParameters)

protected CharSequence encodeURL(CharSequence url)

Parameters:
    url - The URL to encode

protected String decodeURL(String url)

Parameters:
    url - The encoded URL

@Deprecated
protected String onError(Exception ex)

Deprecated. Use onError(Exception, String)
Parameters:
    ex -

protected String onError(Exception ex, String url)

Parameters:
    ex -
    url -

protected CharSequence shortenUrl(CharSequence queryString)

Parameters:
    queryString - The original query string

protected String rebuildUrl(CharSequence queryString)

Parameters:
    queryString - The URL's query string

public String rewriteStaticRelativeUrl(String string)

Description copied from interface: IRequestCodingStrategy
Rewrites relative paths found in static markup attributes (src, href, background) of wicket pages. Since we do not know the url depth at which the page will be rendered, the implementations should usually simply append a prefix, e.g. ../../, to make the path context-relative. If the url is not relative it is returned intact. Implementations can be as simple as delegating to UrlUtils.rewriteToContextRelative(String, Request).
Specified by:
    rewriteStaticRelativeUrl in interface IRequestCodingStrategy
See Also:
    IRequestCodingStrategy.rewriteStaticRelativeUrl(java.lang.String)