[ http://issues.apache.org/jira/browse/MYFACES-918?page=all ]

Mike Kienenberger closed MYFACES-918:
-------------------------------------

    Resolution: Invalid

First off, the 1.1 spec does not address encryption. MyFaces implements JSF 1.1, not JSF 1.2.

Second, the 1.2 spec only "highly recommends" encrypting the client-side state, but does not require it.

However, MyFaces does support encrypting the view state. See the following link for instructions.

http://wiki.apache.org/myfaces/Secure_Your_Application

> View State is not encrypted
> ---------------------------
>
>          Key: MYFACES-918
>          URL: http://issues.apache.org/jira/browse/MYFACES-918
>      Project: MyFaces
>         Type: Bug
>   Components: Implementation
>  Environment: All
>     Reporter: Ivo Marinchev
>     Priority: Critical
>
> Just by looking at the source of MyFaces I noticed that the view state is not
> encrypted before it is sent to the client. It is just gzip-ped and then
> Base64-ed. This is a major security issue as:
> 1. any tech-savvy Java user can tamper with it.
> 2. it is susceptible to man-in-the-middle attacks.
> The latter prevents the usage of MyFaces on publicly accessible web sites with
> state saving method "client" (i.e. most of the cluster installations). Moreover,
> in the JSR it is clearly written that the view state has to be encrypted to
> guarantee the application security.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
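The encoding the report describes (serialize, gzip, Base64) and the difference a keyed integrity check makes, as an added example. This is Python written for this page, not MyFaces code, and it does not claim to show how MyFaces implements the view-state protection linked above. SAMPLE_STATE stands in for a serialized component tree and SERVER_KEY is a constructed demo secret; both are assumptions.

```python
import base64
import gzip
import hashlib
import hmac
import json

# Constructed stand-in for a serialized JSF view state (not a real MyFaces tree).
SAMPLE_STATE = {"viewId": "/checkout.jsp", "userRole": "customer", "cartTotal": 99.90}

# Constructed demo secret; a real deployment uses a random, server-side key.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def encode_unprotected(state: dict) -> str:
    """gzip + Base64 only, as the report describes: no secrecy, no integrity."""
    raw = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(gzip.compress(raw)).decode()


def decode_unprotected(token: str) -> dict:
    return json.loads(gzip.decompress(base64.b64decode(token)))


def tamper_unprotected(token: str, field: str, value) -> str:
    """What any client can do: decode, edit a field, re-encode. Server accepts it."""
    state = decode_unprotected(token)
    state[field] = value
    return encode_unprotected(state)


def encode_protected(state: dict, key: bytes = SERVER_KEY) -> str:
    """Same payload, plus an HMAC-SHA256 tag over the encoded bytes.

    The Base64 alphabet and hex digest never contain '.', so it is a safe separator.
    """
    body = base64.b64encode(gzip.compress(json.dumps(state, sort_keys=True).encode()))
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()


def decode_protected(token: str, key: bytes = SERVER_KEY):
    """Return the state, or None if the tag does not match (altered or forged)."""
    body, _, tag = token.encode().rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(gzip.decompress(base64.b64decode(body)))


def tamper_protected(token: str, field: str, value) -> str:
    """Attacker edits the body but cannot recompute the tag without SERVER_KEY."""
    body, _, tag = token.partition(".")
    state = json.loads(gzip.decompress(base64.b64decode(body)))
    state[field] = value
    new_body = base64.b64encode(gzip.compress(json.dumps(state, sort_keys=True).encode())).decode()
    return new_body + "." + tag


if __name__ == "__main__":
    forged = tamper_unprotected(encode_unprotected(SAMPLE_STATE), "userRole", "admin")
    print("unprotected, after tamper:", decode_unprotected(forged)["userRole"])
    forged = tamper_protected(encode_protected(SAMPLE_STATE), "userRole", "admin")
    print("protected, after tamper:", decode_protected(forged))
```

The MAC is what stops a client from rewriting its own state; encryption on its own hides the contents but does not by itself detect modification, so a deployment that wants both confidentiality and integrity needs an authenticated construction (encrypt-then-MAC or an AEAD mode), not encryption alone.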