Posted to dev@myfaces.apache.org by "IM (JIRA)" <de...@myfaces.apache.org> on 2005/12/08 18:57:08 UTC

[jira] Created: (MYFACES-918) View State is not encrypted

View State is not encrypted
---------------------------

         Key: MYFACES-918
         URL: http://issues.apache.org/jira/browse/MYFACES-918
     Project: MyFaces
        Type: Bug
  Components: Implementation  
 Environment: All
    Reporter: IM
    Priority: Critical


Just by looking at the source of MyFaces I noticed that the view state is not encrypted before it is sent to the client. It is just gzipped and then Base64-encoded. This is a major security issue as:
1. Any tech-savvy Java user can tamper with it.
2. It is susceptible to man-in-the-middle attacks.
The latter prevents the usage of MyFaces on publicly accessible web sites with state saving method "client" (i.e. most of the cluster installations). Moreover, in the JSR it is clearly written that the view state has to be encrypted to guarantee the application's security.



-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Closed: (MYFACES-918) View State is not encrypted

Posted by "Mike Kienenberger (JIRA)" <de...@myfaces.apache.org>.
     [ http://issues.apache.org/jira/browse/MYFACES-918?page=all ]
     
Mike Kienenberger closed MYFACES-918:
-------------------------------------

    Resolution: Invalid

First off, the 1.1 spec does not address encryption. MyFaces implements JSF 1.1, not JSF 1.2. Second, the 1.2 spec only "highly recommends" encrypting the client-side state, but does not require it.

However, MyFaces does support encrypting the view state. See the following link for instructions.

http://wiki.apache.org/myfaces/Secure_Your_Application

> View State is not encrypted
> ---------------------------
>
>          Key: MYFACES-918
>          URL: http://issues.apache.org/jira/browse/MYFACES-918
>      Project: MyFaces
>         Type: Bug
>   Components: Implementation
>  Environment: All
>     Reporter: Ivo Marinchev
>     Priority: Critical
>
> Just by looking at the source of MyFaces I noticed that the view state is not encrypted before it is sent to the client. It is just gzipped and then Base64-encoded. This is a major security issue as:
> 1. Any tech-savvy Java user can tamper with it.
> 2. It is susceptible to man-in-the-middle attacks.
> The latter prevents the usage of MyFaces on publicly accessible web sites with state saving method "client" (i.e. most of the cluster installations). Moreover, in the JSR it is clearly written that the view state has to be encrypted to guarantee the application's security.

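The thread contrasts two ways of packaging client-side view state: the reporter's observation that a token which is only gzipped and Base64-encoded can be read and rewritten by whoever holds it, and the closer's pointer to MyFaces' own support for encrypting that state. The following stand-alone Java program, written for this page and not taken from MyFaces or the linked wiki, illustrates the difference with a constructed stand-in for a serialized component tree. The hardened path shown here is one generic construction (AES-CBC with a random IV, then HMAC-SHA256 over IV||ciphertext, verified with a constant-time compare before anything is decrypted or decompressed); it is an assumed design for illustration, not a description of how MyFaces implements the feature. Class name, key handling and the sample state string are all invented for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class: compares a gzip+Base64 view-state token with an
// encrypt-then-MAC token. Not MyFaces code.
public class ViewStateTokenDemo {

    // Keys are generated per run for the demo only. A real deployment loads
    // them from configuration and shares the same keys across every node of a
    // cluster so that any node can verify a token issued by another.
    private static final byte[] ENC_KEY = new byte[16];  // AES-128
    private static final byte[] MAC_KEY = new byte[32];  // HMAC-SHA256
    static {
        new SecureRandom().nextBytes(ENC_KEY);
        new SecureRandom().nextBytes(MAC_KEY);
    }
    private static final int IV_LEN = 16;
    private static final int MAC_LEN = 32;

    // What the report describes: gzip, then Base64. Reversible by anyone.
    static String encodePlain(byte[] state) throws IOException {
        return Base64.getEncoder().encodeToString(gzip(state));
    }

    static byte[] decodePlain(String token) throws IOException {
        return gunzip(Base64.getDecoder().decode(token));
    }

    // Hardened form: gzip -> AES-CBC(random IV) -> HMAC over IV||ciphertext.
    // Token layout: Base64(IV || ciphertext || tag).
    static String encodeProtected(byte[] state) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(ENC_KEY, "AES"), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(gzip(state));
        byte[] tag = hmac(iv, ct);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(iv);
        out.write(ct);
        out.write(tag);
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    // Returns null when the token fails its integrity check. The MAC is checked
    // before decryption and decompression, so a modified token never reaches
    // the deserializer.
    static byte[] decodeProtected(String token) throws IOException, GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(token);
        if (blob.length < IV_LEN + 16 + MAC_LEN) return null;  // IV + one block + tag
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, IV_LEN, blob.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - MAC_LEN, blob.length);
        if (!MessageDigest.isEqual(hmac(iv, ct), tag)) return null;  // constant-time compare
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(ENC_KEY, "AES"), new IvParameterSpec(iv));
        return gunzip(cipher.doFinal(ct));
    }

    static byte[] hmac(byte[] iv, byte[] ct) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(MAC_KEY, "HmacSHA256"));
        mac.update(iv);
        mac.update(ct);
        return mac.doFinal();
    }

    static byte[] gzip(byte[] data) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) { gz.write(data); }
        return bos.toByteArray();
    }

    static byte[] gunzip(byte[] data) throws IOException {
        try (GZIPInputStream gz = new GZIPInputStream(new ByteArrayInputStream(data))) {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            byte[] buf = new byte[1024];
            int n;
            while ((n = gz.read(buf)) > 0) bos.write(buf, 0, n);
            return bos.toByteArray();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a serialized component tree.
        byte[] state = "viewId=/checkout.jsp;role=user;total=100".getBytes(StandardCharsets.UTF_8);

        String plain = encodePlain(state);
        System.out.println("gzip+base64 token decodes to: " + new String(decodePlain(plain), StandardCharsets.UTF_8));

        String token = encodeProtected(state);
        System.out.println("protected token round-trips: " + Arrays.equals(state, decodeProtected(token)));

        // Flip one bit inside the ciphertext: the MAC check rejects the token.
        byte[] blob = Base64.getDecoder().decode(token);
        blob[IV_LEN + 4] ^= 0x01;
        System.out.println("modified token accepted: "
                + (decodeProtected(Base64.getEncoder().encodeToString(blob)) != null));
    }
}
```

Two points from the thread are visible in the output: the plain token prints its contents back verbatim, while the protected token round-trips only when untouched and is rejected as soon as a single bit changes. Because the check happens before decryption and gunzip, the server never spends decompression or deserialization effort on a token it has not authenticated, and in the clustered deployments the reporter mentions every node must be configured with the same keys for tokens to be accepted across nodes.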