org.apache.wicket.protocol.http.request
Class CryptedUrlWebRequestCodingStrategy

java.lang.Object
  extended by org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy
All Implemented Interfaces:
IRequestCodingStrategy, IRequestTargetMounter

public class CryptedUrlWebRequestCodingStrategy
extends Object
implements IRequestCodingStrategy

This is a request coding strategy which encrypts the URL and hence makes it impossible for users to guess what is in the URL and rebuild it manually. It uses the CryptFactory registered with the application to encode and decode the URL. Hence, the coding algorithm must be a two-way (reversible) one.

To register the request coding strategy you need to do the following:

 protected IRequestCycleProcessor newRequestCycleProcessor()
 {
        return new WebRequestCycleProcessor()
        {
                protected IRequestCodingStrategy newRequestCodingStrategy()
                {
                        return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
                }
        };
 }
 
Note: When a user tampers with a URL in the browser, an exception may be thrown while decoding the URL. By default, for safety reasons, only a very simple WicketRuntimeException is propagated; the original stack trace is only logged.

Note: by default Wicket uses KeyInSessionSunJceCryptFactory to encrypt the query string. KeyInSessionSunJceCryptFactory creates a unique encryption key per session and uses the session as its persistence store. Hence, even stateless pages create a session and are no longer stateless. You may avoid that by implementing your own ICryptFactory which, e.g., uses an application-wide encryption key and thus doesn't need a session, but doing so can potentially open your application to vulnerabilities such as CSRF attacks. You can register your own ICryptFactory via Application.getSecuritySettings().setCryptFactory().

Note: The usage of the default KeyInSessionSunJceCryptFactory will also make all bookmarkable urls generated during the user's session non-bookmarkable because they will be encrypted using a session-relative encryption key; however, bookmarkable urls are still available through their mounts.
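The following is an added example, not code from the Wicket project or this class's documentation. It shows the registration above placed in a complete WebApplication subclass, keeping the default per-session KeyInSessionSunJceCryptFactory, and overrides onError(Exception, String) so that every failed decode of the encrypted "x" parameter is recorded on a dedicated security logger while the client still only receives the generic WicketRuntimeException. Assumptions: the application class name SecureUrlApplication, the HomePage class and the logger name "security.url-tampering" are hypothetical; the slf4j Logger is the logging facade this example uses.

```java
import org.apache.wicket.Page;
import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical application class (not part of Wicket) that installs the
 * encrypted-URL coding strategy and records every failed URL decode so that
 * tampering attempts are visible in a dedicated security log.
 */
public class SecureUrlApplication extends WebApplication
{
    // Constructed logger name; route it to your security log in the logging config.
    private static final Logger SECURITY_LOG = LoggerFactory.getLogger("security.url-tampering");

    @Override
    public Class<? extends Page> getHomePage()
    {
        return HomePage.class; // hypothetical home page of this application
    }

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor()
    {
        return new WebRequestCycleProcessor()
        {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy()
            {
                // The default KeyInSessionSunJceCryptFactory stays in place: one key per
                // session, so a URL copied from another session will not decrypt here.
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy())
                {
                    @Override
                    protected String onError(Exception ex, String url)
                    {
                        // A decode failure means the encrypted "x" parameter was altered or
                        // belongs to another session. Keep the details server-side...
                        SECURITY_LOG.warn("URL failed to decrypt (possible tampering): {}", url, ex);
                        // ...and hand the client nothing but the generic error, as the default does.
                        throw new WicketRuntimeException("Invalid URL");
                    }
                };
            }
        };
    }
}
```

The override deliberately throws rather than returning a string: a value returned from onError(Exception, String) is treated as the decoded URL, so returning anything would turn a tampered request into a request that is processed.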

Author:
Juergen Donnerstag

Nested Class Summary
 class CryptedUrlWebRequestCodingStrategy.HackAttackException
           
 
Constructor Summary
CryptedUrlWebRequestCodingStrategy(IRequestCodingStrategy defaultStrategy)
          Construct.
 
Method Summary
 void addIgnoreMountPath(String path)
          Partly unmounts/ignores a path that normally would map to another mount path.
 RequestParameters decode(Request request)
          Decode the querystring of the URL
protected  String decodeURL(String url)
          Decode the "x" parameter of the querystring
 CharSequence encode(RequestCycle requestCycle, IRequestTarget requestTarget)
          Encode the querystring of the URL
protected  CharSequence encodeURL(CharSequence url)
          Returns the given url encoded.
 void mount(IRequestTargetUrlCodingStrategy urlCodingStrategy)
          Mounts a request target with the given path.
protected  String onError(Exception ex)
          Deprecated. Use onError(Exception, String)
protected  String onError(Exception ex, String url)
           
 CharSequence pathForTarget(IRequestTarget requestTarget)
          Gets the url that the provided request target conforms to.
protected  String rebuildUrl(CharSequence queryString)
          In case the query string has been shortened prior to encryption, then rebuild (lengthen) the query string now.
 String rewriteStaticRelativeUrl(String string)
          Rewrites relative paths found in static markup attributes (src,href,background) of wicket pages.
protected  CharSequence shortenUrl(CharSequence queryString)
          Try to shorten the querystring without losing information.
 IRequestTarget targetForRequest(RequestParameters requestParameters)
          Gets the request target that conforms to the given request parameters.
 void unmount(String path)
          Unmounts a request target.
 IRequestTargetUrlCodingStrategy urlCodingStrategyForPath(String path)
          Gets the encoder that was mounted on the provided path if any.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CryptedUrlWebRequestCodingStrategy

public CryptedUrlWebRequestCodingStrategy(IRequestCodingStrategy defaultStrategy)
Construct.

Parameters:
defaultStrategy - The default strategy most requests are forwarded to
Method Detail

decode

public RequestParameters decode(Request request)
Decode the querystring of the URL

Specified by:
decode in interface IRequestCodingStrategy
Parameters:
request - the incoming request
Returns:
a request parameters object that corresponds to the request
See Also:
IRequestCodingStrategy.decode(org.apache.wicket.Request)

encode

public CharSequence encode(RequestCycle requestCycle,
                           IRequestTarget requestTarget)
Encode the querystring of the URL

Specified by:
encode in interface IRequestCodingStrategy
Parameters:
requestCycle - the current request cycle (for efficient access)
requestTarget - the request target
Returns:
the url to the provided target
See Also:
IRequestCodingStrategy.encode(org.apache.wicket.RequestCycle, org.apache.wicket.IRequestTarget)

mount

public void mount(IRequestTargetUrlCodingStrategy urlCodingStrategy)
Description copied from interface: IRequestTargetMounter
Mounts a request target with the given path.

Specified by:
mount in interface IRequestTargetMounter
Parameters:
urlCodingStrategy - The strategy to use for encoding and decoding urls
See Also:
IRequestTargetMounter.mount(org.apache.wicket.request.target.coding.IRequestTargetUrlCodingStrategy)

unmount

public void unmount(String path)
Description copied from interface: IRequestTargetMounter
Unmounts a request target.

Specified by:
unmount in interface IRequestTargetMounter
Parameters:
path - the path to unmount
See Also:
IRequestTargetMounter.unmount(java.lang.String)

addIgnoreMountPath

public void addIgnoreMountPath(String path)
Description copied from interface: IRequestTargetMounter
Partly unmounts/ignores a path that normally would map to another mount path. Like mount("/mypage", MyPage.class); and then "/mypage/arealdir" should be ignored. This can be done by calling unMount("/mypage/arealdir");

Specified by:
addIgnoreMountPath in interface IRequestTargetMounter
Parameters:
path - the path that should be ignored.
See Also:
IRequestTargetMounter.addIgnoreMountPath(java.lang.String)

urlCodingStrategyForPath

public IRequestTargetUrlCodingStrategy urlCodingStrategyForPath(String path)
Description copied from interface: IRequestTargetMounter
Gets the encoder that was mounted on the provided path if any.

Specified by:
urlCodingStrategyForPath in interface IRequestTargetMounter
Parameters:
path - the path
Returns:
The encoder/decoder that was mounted on the provided path, if any
See Also:
IRequestTargetMounter.urlCodingStrategyForPath(java.lang.String)

pathForTarget

public CharSequence pathForTarget(IRequestTarget requestTarget)
Description copied from interface: IRequestTargetMounter
Gets the url that the provided request target conforms to.

Specified by:
pathForTarget in interface IRequestTargetMounter
Parameters:
requestTarget - the request target
Returns:
The url that the provided request target conforms to
See Also:
IRequestTargetMounter.pathForTarget(org.apache.wicket.IRequestTarget)

targetForRequest

public IRequestTarget targetForRequest(RequestParameters requestParameters)
Description copied from interface: IRequestTargetMounter
Gets the request target that conforms to the given request parameters.

Specified by:
targetForRequest in interface IRequestTargetMounter
Parameters:
requestParameters - the request parameters
Returns:
the request target or null if nothing was mounted with the given request parameters
See Also:
IRequestTargetMounter.targetForRequest(org.apache.wicket.request.RequestParameters)

encodeURL

protected CharSequence encodeURL(CharSequence url)
Returns the given url encoded.

Parameters:
url - The URL to encode
Returns:
The encoded url

decodeURL

protected String decodeURL(String url)
Decode the "x" parameter of the querystring

Parameters:
url - The encoded URL
Returns:
The decoded 'x' parameter of the querystring

onError

@Deprecated
protected String onError(Exception ex)
Deprecated. Use onError(Exception, String)

Parameters:
ex -
Returns:
xxx

onError

protected String onError(Exception ex,
                         String url)
Parameters:
ex -
url -
Returns:
error text

shortenUrl

protected CharSequence shortenUrl(CharSequence queryString)
Try to shorten the querystring without losing information. Note: WebRequestWithCryptedUrl must implement exactly the opposite logic.

Parameters:
queryString - The original query string
Returns:
The shortened querystring

rebuildUrl

protected String rebuildUrl(CharSequence queryString)
In case the query string has been shortened prior to encryption, then rebuild (lengthen) the query string now. Note: This implementation must exactly match the reverse one implemented in WebResponseWithCryptedUrl.

Parameters:
queryString - The URL's query string
Returns:
The lengthened query string

rewriteStaticRelativeUrl

public String rewriteStaticRelativeUrl(String string)
Description copied from interface: IRequestCodingStrategy
Rewrites relative paths found in static markup attributes (src, href, background) of wicket pages. Since we do not know the URL depth at which the page will be rendered, implementations should usually simply append a prefix, e.g. ../../, to make the path context-relative. If the URL is not relative it is returned intact. Implementations can be as simple as delegating to UrlUtils.rewriteToContextRelative(String, Request)

Specified by:
rewriteStaticRelativeUrl in interface IRequestCodingStrategy
Returns:
rewritten path
See Also:
IRequestCodingStrategy.rewriteStaticRelativeUrl(java.lang.String)


Copyright © 2004-2011 Apache Software Foundation. All Rights Reserved.