[WICKET-5327] CryptoMapper: insecure default encryption provider - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 6.10.0
Fix Version/s: 7.0.0-M1
Component/s: None
Labels:
- security

Description

There is an unexpected and insecure default setting for the encryption provider.

When CryptoMapper is enabled using

setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));

CompoundRequestMapper root = new CompoundRequestMapper();
root.add(new CryptoMapper(getRootRequestMapper(), this));
setRootRequestMapper(root);

Wicket uses "new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY)" as the CryptFactory, with ISecuritySettings.DEFAULT_ENCRYPTION_KEY being "WiCkEt-FRAMEwork". This generates always the same encrypted strings for each of the URLs and is possibly not a secure way to encrypt URLs even if the encryption key is unknown.

Attachments

Activity

People

Assignee:: Sven Meier

Reporter:: Walter B. Rasmann

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 23/Aug/13 17:18

Updated:: 11/Nov/14 13:59

Resolved:: 29/Aug/13 14:22