How to encrypt / encode URL in Wicket
In Wicket, encode or encrypt URL is a very easy task, this feature is provided by default, you just need to activate it.
Wicket default normal URL
http://localhost:8080/WicketExamples/?wicket:interface=:0:urlQueryPanel:
Wicket encoded or encrypted URL
http://localhost:8080/WicketExamples/?x=YwbAGQPpvT9MHF2-6S6FwvocqYPuA
To enable this feature, paste the following code in Wicket’s web application class.
@Override protected IRequestCycleProcessor newRequestCycleProcessor() { return new WebRequestCycleProcessor() { protected IRequestCodingStrategy newRequestCodingStrategy() { return new CryptedUrlWebRequestCodingStrategy( new WebRequestCodingStrategy()); } }; }
See full example…
package com.mkyong; import org.apache.wicket.protocol.http.WebApplication; import org.apache.wicket.protocol.http.WebRequestCycleProcessor; import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy; import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy; import org.apache.wicket.request.IRequestCodingStrategy; import org.apache.wicket.request.IRequestCycleProcessor; import com.mkyong.user.UserPage; public class WicketApplication extends WebApplication { @Override public Class<UserPage> getHomePage() { return UserPage.class; // return default page } @Override protected IRequestCycleProcessor newRequestCycleProcessor() { return new WebRequestCycleProcessor() { protected IRequestCodingStrategy newRequestCodingStrategy() { return new CryptedUrlWebRequestCodingStrategy( new WebRequestCodingStrategy()); } }; } }
Done.
A little thought
Wicket is using Password-Based Encryption mechanism to encode and decode URL. All the necessary classes are located at “wicket-1.4-rc1-sources.jar\org\apache\wicket\util\crypt“. I think the most powerful feature is the individual session random encryption key, it uses session and UUID to generate it, so that every visitors using their own encryption key (different http session).
File : KeyInSessionSunJceCryptFactory.java
if (key == null) { // generate new key key = session.getId() + "." + UUID.randomUUID().toString(); session.setAttribute(keyAttr, key); }
In Password-Based Encryption mechanism, The “Salt” and “Iterator count” is public , but with a strong encryption key (session + UUID) like above, it just make the Wicket’s URL encode function very hard to decode, even you have the wicket’s source code on hands.
If you think Wicket’s default encryption mechanism is not safe enough, you can easily implement different encryption mechanism like AES or SHA.
Wicket’s is using SunJceCrypt class as default URL encode and decode implementation.
References
Hi mkyong,
Thanks for posting these tutorials.
Have you thought of updating some of the tutorials to cover wicket 1.5?
Thanks in advance,
Lucas
Thanks lucas for this suggestion. I will try my best to upgrade it next year, just many many tutorials are pending.