Posted to dev@myfaces.apache.org by "IM (JIRA)" <de...@myfaces.apache.org> on 2005/12/08 18:57:08 UTC
[jira] Created: (MYFACES-918) View State is not encrypted
View State is not encrypted
---------------------------
Key: MYFACES-918
URL: http://issues.apache.org/jira/browse/MYFACES-918
Project: MyFaces
Type: Bug
Components: Implementation
Environment: All
Reporter: IM
Priority: Critical
Just by looking at the source of MyFaces I noticed that the view state is not encrypted before it is sent to the client. It is just gzip-ped and then Base64-ed. This is a major security issue as:
1. any tech-savvy Java user can tamper with it.
2. it is susceptible to man-in-the-middle attacks.
The latter prevents the usage of MyFaces on publicly accessible web sites with state saving method "client" (i.e. most of the cluster installations). Moreover, in the JSR it is clearly written that the view state has to be encrypted to guarantee the application's security.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Closed: (MYFACES-918) View State is not encrypted
Posted by "Mike Kienenberger (JIRA)" <de...@myfaces.apache.org>.
[ http://issues.apache.org/jira/browse/MYFACES-918?page=all ]
Mike Kienenberger closed MYFACES-918:
-------------------------------------
Resolution: Invalid
First off, the 1.1 spec does not address encryption. MyFaces implements JSF 1.1, not JSF 1.2. Second, the 1.2 spec only "highly recommends" encrypting the client-side state, but does not require it.
However, MyFaces does support encrypting the view state. See the following link for instructions.
http://wiki.apache.org/myfaces/Secure_Your_Application
> View State is not encrypted
> ---------------------------
>
> Key: MYFACES-918
> URL: http://issues.apache.org/jira/browse/MYFACES-918
> Project: MyFaces
> Type: Bug
> Components: Implementation
> Environment: All
> Reporter: Ivo Marinchev
> Priority: Critical
>
> Just by looking at the source of MyFaces I noticed that the view state is not encrypted before it is sent to the client. It is just gzip-ped and then Base64-ed. This is a major security issue as:
> 1. any tech-savvy Java user can tamper with it.
> 2. it is susceptible to man-in-the-middle attacks.
> The latter prevents the usage of MyFaces on publicly accessible web sites with state saving method "client" (i.e. most of the cluster installations). Moreover, in the JSR it is clearly written that the view state has to be encrypted to guarantee the application's security.
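The following is an added illustration of the two points raised in this thread, not code from MyFaces or from either poster: the report's observation that a view state which is only gzip-ped and Base64-ed can be decoded, edited and re-encoded by anyone holding it, and the closing comment's point that binding the state to a server-side secret closes that gap. The example is written in Python with only the standard library; it uses a JSON dictionary as a stand-in for the serialized JSF component tree (an assumption, since MyFaces serializes Java objects), and it demonstrates the integrity half of the protection with an HMAC-SHA256 tag. Confidentiality, which the wiki page linked above covers by encrypting the payload, would be layered underneath the same tag and is not implemented here. `SERVER_KEY`, `TamperedState` and all function names are constructed for this example.

```python
import base64
import gzip
import hashlib
import hmac
import json
import secrets

# --- Scheme as described in the report: compress, then Base64. No key, no integrity check. ---

def encode_plain_state(state: dict) -> str:
    """Serialize -> gzip -> Base64, exactly the transformation the report describes."""
    raw = json.dumps(state, sort_keys=True).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_plain_state(token: str) -> dict:
    """Reverse of encode_plain_state. Anyone can run this; nothing is secret."""
    return json.loads(gzip.decompress(base64.b64decode(token)))


# --- Hardened scheme: the same payload, but authenticated with a server-side secret. ---

# Constructed for this example. In a real deployment the key is loaded from
# server configuration, shared across cluster nodes, and never sent to the client.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


class TamperedState(ValueError):
    """Raised when a submitted view state does not carry a valid tag for this server."""


def encode_mac_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Compress the state, prepend an HMAC-SHA256 tag over the compressed bytes, Base64 the pair."""
    payload = gzip.compress(json.dumps(state, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(tag + payload).decode("ascii")


def decode_mac_state(token: str, key: bytes = SERVER_KEY) -> dict:
    """Verify the tag before touching the payload; reject on any mismatch."""
    blob = base64.b64decode(token)
    if len(blob) < TAG_LEN:
        raise TamperedState("view state too short to carry a tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the expected tag.
    if not hmac.compare_digest(tag, expected):
        raise TamperedState("view state MAC mismatch")
    return json.loads(gzip.decompress(payload))


def demo() -> dict:
    """Run both schemes over a constructed view state and report what each one accepts."""
    state = {"viewId": "/order.jsp", "orderTotal": 120.0, "role": "user"}  # constructed sample

    # Plain scheme: the token is fully readable, and a re-encoded edit is indistinguishable
    # from a genuine one, which is the report's point 1.
    plain_token = encode_plain_state(state)
    edited = dict(decode_plain_state(plain_token), role="admin")
    plain_accepts_edit = decode_plain_state(encode_plain_state(edited)) == edited

    # MAC scheme: an edit to the payload with the original tag kept is rejected ...
    good_token = encode_mac_state(state)
    good_blob = base64.b64decode(good_token)
    forged_blob = good_blob[:TAG_LEN] + gzip.compress(json.dumps(edited, sort_keys=True).encode())
    try:
        decode_mac_state(base64.b64encode(forged_blob).decode("ascii"))
        mac_rejects_edit = False
    except TamperedState:
        mac_rejects_edit = True

    # ... and so is a token produced under a key the server does not hold.
    other_key_token = encode_mac_state(edited, key=secrets.token_bytes(32))
    try:
        decode_mac_state(other_key_token)
        mac_rejects_other_key = False
    except TamperedState:
        mac_rejects_other_key = True

    return {
        "plain_roundtrip_ok": decode_plain_state(plain_token) == state,
        "plain_accepts_edit": plain_accepts_edit,
        "mac_roundtrip_ok": decode_mac_state(good_token) == state,
        "mac_rejects_edit": mac_rejects_edit,
        "mac_rejects_other_key": mac_rejects_other_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the tag only answers the report's first point (tampering). The payload is still readable by whoever holds the token, so for the state to stay confidential on a public site the compressed bytes would be encrypted before the tag is computed over them, which is the configuration the linked wiki page describes; in a cluster every node must share the same key material, or states issued by one node will be rejected by another.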