How to encrypt / encode URL in Wicket

In Wicket, encode or encrypt URL is a very easy task, this feature is provided by default, you just need to activate it.

Wicket default normal URL


http://localhost:8080/WicketExamples/?wicket:interface=:0:urlQueryPanel:

Wicket encoded or encrypted URL


http://localhost:8080/WicketExamples/?x=YwbAGQPpvT9MHF2-6S6FwvocqYPuA

To enable this feature, paste the following code in Wicket’s web application class.


        @Override
	protected IRequestCycleProcessor newRequestCycleProcessor() {

		return new WebRequestCycleProcessor() {
			protected IRequestCodingStrategy newRequestCodingStrategy() {
				return new CryptedUrlWebRequestCodingStrategy(
					new WebRequestCodingStrategy());
			}
		};
	}

See full example…


package com.mkyong;

import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequestCycleProcessor;
import org.apache.wicket.protocol.http.request.CryptedUrlWebRequestCodingStrategy;
import org.apache.wicket.protocol.http.request.WebRequestCodingStrategy;
import org.apache.wicket.request.IRequestCodingStrategy;
import org.apache.wicket.request.IRequestCycleProcessor;
import com.mkyong.user.UserPage;

public class WicketApplication extends WebApplication {

	@Override
	public Class<UserPage> getHomePage() {

		return UserPage.class; // return default page
	}

	@Override
	protected IRequestCycleProcessor newRequestCycleProcessor() {

		return new WebRequestCycleProcessor() {
			protected IRequestCodingStrategy newRequestCodingStrategy() {
				return new CryptedUrlWebRequestCodingStrategy(
					new WebRequestCodingStrategy());
			}
		};
	}

}

Done.

A little thought

Wicket is using Password-Based Encryption mechanism to encode and decode URL. All the necessary classes are located at “wicket-1.4-rc1-sources.jar\org\apache\wicket\util\crypt“. I think the most powerful feature is the individual session random encryption key, it uses session and UUID to generate it, so that every visitors using their own encryption key (different http session).

File : KeyInSessionSunJceCryptFactory.java


if (key == null)
{
	// generate new key
	key = session.getId() + "." + UUID.randomUUID().toString();
	session.setAttribute(keyAttr, key);
}

In Password-Based Encryption mechanism, The “Salt” and “Iterator count” is public , but with a strong encryption key (session + UUID) like above, it just make the Wicket’s URL encode function very hard to decode, even you have the wicket’s source code on hands.

If you think Wicket’s default encryption mechanism is not safe enough, you can easily implement different encryption mechanism like AES or SHA.

Note
Wicket’s is using SunJceCrypt class as default URL encode and decode implementation.

References

  1. Wicket URLs coding strategies
  2. Wicket obfuscating URLs

About the Author

author image
mkyong
Founder of Mkyong.com, love Java and open source stuff. Follow him on Twitter. If you like my tutorials, consider make a donation to these charities.

Comments

avatar
3 Comment threads
2 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
5 Comment authors
Programmerpay day loansrockjavamkyongLucas Recent comment authors
newest oldest most voted
pay day loans
Guest
pay day loans

Take the amount of money of money you have for your monthly expenses aside
take out abode equity proper loan for you to pay for weddings.
The third strategy for responding to a commercial mortgage rejection a short menstruation of
time, the banks may think you’re do-or-die for hard currency and a greater hazard as a issue.

rockjava
Guest
rockjava

yong,

How can we achive URL Encryption , in normal web applicaiton which is using spring frame work?

Programmer
Guest
Programmer

I’m also looking for url encryption in spring. An example here would be great help.

Lucas
Guest
Lucas

Hi mkyong,
Thanks for posting these tutorials.
Have you thought of updating some of the tutorials to cover wicket 1.5?
Thanks in advance,
Lucas