View State is not encrypted
---------------------------

         Key: MYFACES-918
         URL: http://issues.apache.org/jira/browse/MYFACES-918
     Project: MyFaces
        Type: Bug
  Components: Implementation
 Environment: All
    Reporter: IM
    Priority: Critical
Just by looking at the source of MyFaces I noticed that the view state is not encrypted before it is sent to the client. It is just gzipped and then Base64-encoded. This is a major security issue as:

1. any tech-savvy Java user can tamper with it.
2. it is susceptible to man-in-the-middle attacks.

The latter prevents the usage of MyFaces on publicly accessible web sites with state saving method "client" (i.e. most of the cluster installations). Moreover, in the JSR it is clearly written that the view state has to be encrypted to guarantee the application security.
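The following is an added example, not MyFaces code and not part of the original report. It shows the shape of the fix the report asks for: keeping the gzip + Base64 encoding described above, but wrapping the compressed bytes in AES-GCM so the token the client holds is both confidential and tamper-evident, and so a modified token is rejected before anything is deserialized. The class name `ProtectedViewState`, the use of a random in-memory key (a real deployment would load a configured key), and Java 7+ try-with-resources are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical helper (not MyFaces code): wraps the gzip + Base64 client-side
 * state encoding from the report with AES-GCM so the token is confidential and
 * any modification is detected.  The key would normally come from server
 * configuration; a random one is generated here only for the demonstration.
 */
public class ProtectedViewState {
    private static final int IV_BYTES = 12;      // standard GCM nonce size
    private static final int TAG_BITS = 128;     // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKeySpec key;

    public ProtectedViewState(byte[] keyBytes) {
        this.key = new SecretKeySpec(keyBytes, "AES");
    }

    /** Serialized state -> gzip -> AES-GCM (fresh IV per token) -> Base64 token. */
    public String encode(byte[] serializedState) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(gzip(serializedState));
        byte[] token = new byte[iv.length + ciphertext.length];   // IV || ciphertext || tag
        System.arraycopy(iv, 0, token, 0, iv.length);
        System.arraycopy(ciphertext, 0, token, iv.length, ciphertext.length);
        return Base64.getEncoder().encodeToString(token);
    }

    /** Base64 token -> AES-GCM verify+decrypt -> gunzip; throws on any tampering. */
    public byte[] decode(String token) throws IOException, GeneralSecurityException {
        byte[] raw = Base64.getDecoder().decode(token);
        if (raw.length < IV_BYTES + TAG_BITS / 8) {
            throw new AEADBadTagException("token too short");
        }
        byte[] iv = Arrays.copyOfRange(raw, 0, IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(raw, IV_BYTES, raw.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        // doFinal throws AEADBadTagException if the tag does not verify, so the
        // gunzip/deserialize path is never reached for a modified token.
        return gunzip(cipher.doFinal(ciphertext));
    }

    private static byte[] gzip(byte[] data) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(out)) {
            gz.write(data);
        }
        return out.toByteArray();
    }

    private static byte[] gunzip(byte[] data) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (GZIPInputStream gz = new GZIPInputStream(new ByteArrayInputStream(data))) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = gz.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] keyBytes = new byte[32];          // constructed demo key (AES-256)
        RNG.nextBytes(keyBytes);
        ProtectedViewState pvs = new ProtectedViewState(keyBytes);

        // Constructed stand-in for a serialized component tree
        byte[] state = "viewId=/checkout.jsp;userRole=customer".getBytes("UTF-8");
        String token = pvs.encode(state);
        System.out.println("round trip ok: " + Arrays.equals(state, pvs.decode(token)));

        // Flip one byte of the token: decode must reject it instead of deserializing it
        byte[] raw = Base64.getDecoder().decode(token);
        raw[raw.length / 2] ^= 0x01;
        try {
            pvs.decode(Base64.getEncoder().encodeToString(raw));
            System.out.println("tampered token accepted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

Two design points matter here: the IV is generated fresh for every token and prepended to the ciphertext, because reusing a GCM nonce under the same key breaks both confidentiality and integrity; and the integrity check happens inside `doFinal` before any decompression or deserialization, which is what closes the tampering path the report describes. Encryption alone does not address the second point in the report (interception on an unencrypted transport); that still requires TLS.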