Disabling Export/Import of Personalizations

The JNDI variable,

Enhancing Java Portlets 7-59

1. Create a cipher manager class, InsecureCipherManager. This class will be used for encryption and decryption of personalization data exported from or imported to a Web provider. A base64 encoded, hard coded secret key is used with the DES algorithm supplied by the default javax.crypto provider of the underlying Java Runtime Environment. As a result, this particular sample is insecure because the encoded key can be recovered by a malicious party simply by decompiling the byte code.

    package oracle.portal.sample.v2.devguide.tx;

    import java.io.IOException;
    import java.security.GeneralSecurityException;
    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.DESKeySpec;
    import oracle.portal.provider.v2.ProviderException;
    import oracle.portal.provider.v2.security.CipherManager;
    import sun.misc.BASE64Decoder;

    public final class InsecureCipherManager implements CipherManager {
        /**
         * Base64 encoded external form of a javax.crypto.SecretKey which was
         * generated for the DES algorithm. This is completely insecure. Anyone
         * can decompile the bytecode and reconstitute the key. A more secure
         * implementation would implement a key management policy in a
         * java.security.KeyStore.
         */
        private static final String sEncodedKey = "UTJds807Arw=";

        /**
         * Generated from the insecure encoded form in sEncodedKey.
         */
        private SecretKey mKey;

        /**
         * Transforms the input data to a more secure form, in a single
         * operation, using the DES cryptographic algorithm along with a
         * statically defined secret key.
         * @param toEncode the input data.
         * @return an encoded form of the input data.
         * @throws ProviderException if an error occurs during transform.
         */
        public final byte[] encode(byte[] toEncode) throws ProviderException {
            try {
                Cipher c = Cipher.getInstance("DES");
                c.init(Cipher.ENCRYPT_MODE, getSecretKey());
                return c.doFinal(toEncode);
            } catch (GeneralSecurityException gse) {
                throw new ProviderException(gse);
            } catch (IOException ioe) {
                // The excerpt breaks off at this point; rethrown like the case above.
                throw new ProviderException(ioe);
            }
        }

        // getSecretKey() and the remaining members of the class are not part of this excerpt.
    }

Note: This sample makes use of the javax.crypto package, which is optional in Java 1.3 and must be installed manually. In Java 1.4, though, this package is present by default.
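The sample's own comment names a java.security.KeyStore as the more secure alternative to the hard coded key. The following added example (not part of the original guide and not Oracle's code) loads an AES key from a PKCS12 keystore file and uses AES-GCM in place of DES. The class name, keystore path, alias and password are assumptions, and the class does not implement the Oracle CipherManager interface so that it compiles without the PDK.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Added example: the key is read from a KeyStore file at startup, so it never appears in bytecode.
public final class KeyStoreCipherExample {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKey key;
    // store, alias and pw are hypothetical, deployment-supplied values.
    public KeyStoreCipherExample(Path store, String alias, char[] pw) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(store)) { ks.load(in, pw); }
        Key k = ks.getKey(alias, pw);
        if (!(k instanceof SecretKey)) throw new KeyStoreException("no secret key at alias " + alias);
        key = (SecretKey) k;
    }
    // Output layout: 12-byte random IV || ciphertext || 16-byte GCM tag.
    public byte[] encode(byte[] toEncode) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(toEncode);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }
    // Throws AEADBadTagException (a GeneralSecurityException) if the data was modified.
    public byte[] decode(byte[] toDecode) throws GeneralSecurityException {
        if (toDecode.length < IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("input too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, toDecode, 0, IV_LEN));
        return c.doFinal(toDecode, IV_LEN, toDecode.length - IV_LEN);
    }
    // Constructed demo: build a throwaway keystore in a temp file, then round-trip sample data.
    public static void main(String[] args) throws Exception {
        char[] pw = "demo-only-password".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        // Provider-default AES key size; a real deployment generates the key once, outside the application.
        ks.setKeyEntry("export-key", KeyGenerator.getInstance("AES").generateKey(), pw, null);
        Path p = Files.createTempFile("demo", ".p12");
        try (OutputStream os = Files.newOutputStream(p)) { ks.store(os, pw); }
        KeyStoreCipherExample m = new KeyStoreCipherExample(p, "export-key", pw);
        System.out.println(new String(m.decode(m.encode("font=large".getBytes("UTF-8"))), "UTF-8"));
    }
}
```

The keystore password still has to reach the process from somewhere outside the code, such as an operator prompt or a file readable only by the service account.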