Integrating Jasypt with Apache Wicket

Jasypt provides the jasypt-wicket13 (for Wicket 1.3 and 1.4) and jasypt-wicket15 (for Wicket 1.5) artifacts for integration with Apache Wicket. Since jasypt 1.9.0, these artifacts must be added to your classpath separately.

Although the most usual way of using jasypt in wicket applications is password encryption, transparent data persistance, etc. as usual, and for these operations no especial wicket integration features are needed, there still exist some specific security features in wicket which could make a good use of an encryption library like Jasypt. Specifically, URL encryption.

Wicket can configure URLs to be encrypted, like http://server/myapp/?x=ASD4-23*23412vwed3A3A. And for supporting this feature, it provides two cryptography utility interfaces called org.apache.wicket.util.crypt.ICryptFactory (for encryptor factories) and org.apache.wicket.util.crypt.ICrypt (for encryptor objects).

Wicket provides a set of simplistic implementations of these interfaces, but security and configurability can be vastly improved by using jasypt's infrastructure.

Jasypt provides:

  • org.jasypt.wicket13|wicket15.JasyptCryptFactory, an implementation of wicket's ICryptFactory interface which receives an org.jasypt.encryption.pbe.PBEByteEncryption object (configured at the user's wish: environment variables, web PBE config...) and provides encryptors of class org.jasypt.wicket13|wicket15.JasyptCrypt (implementing ICrypt interface).
  • org.jasypt.wicket13|wicket15.JasyptCrypt, implementation of wicket's ICrypt returned by JasyptCryptFactory.

Note that JasyptCrypt objects adhere to wicket specifications of returning String output in the form of URL and filename safe Base64.

Configuring the factory

The ICryptFactory being used is configured at the init() method of the Application class.

    
public class MyApplication extends WebApplication {

    ...
    ...

    @Override
    protected void init() {
        
        super.init();
        
        /*
         * In the following code example we will create a Jasypt byte 
         * encryptor by hand, but in real world we can get it from Spring, 
         * configure it via Web PBE configuration... whatever we want to. 
         */
        StandardPBEByteEncryptor encryptor = new StandardPBEByteEncryptor();
        encryptor.setAlgorithm("PBEWithMD5AndDES");
        encryptor.setPassword("jasypt");
        StringFixedSaltGenerator generator = 
            new StringFixedSaltGenerator("wicketwicketwicketwicketwicket");
        encryptor.setSaltGenerator(generator);
        
        /*
         * Create the Jasypt Crypt Factory with the desired encryptor,
         * which will return org.jasypt.wicket.JasyptCrypt objects implementing
         * the org.apache.wicket.util.crypt.ICrypt interface.
         */
        ICryptFactory jasyptCryptFactory = new JasyptCryptFactory(encryptor);
        
        /*
         * Set the Jasypt Crypt Factory into the application configuration.
         */
        getSecuritySettings().setCryptFactory(jasyptCryptFactory);
        
    }
    
    ...
    ...

}

Configuring URL encryption

Finally, for configuring URL encryption for our application:

    
public class MyApplication extends WebApplication {

    ...
    ...

    @Override
    protected IRequestCycleProcessor newRequestCycleProcessor() {
        
        return new WebRequestCycleProcessor() {
            @Override
            protected IRequestCodingStrategy newRequestCodingStrategy() {
                return new CryptedUrlWebRequestCodingStrategy(new WebRequestCodingStrategy());
            }
        };
        
    }    
    
    ...
    ...

}