[ http://issues.apache.org/jira/browse/MYFACES-918?page=all ]
Mike Kienenberger closed MYFACES-918:
-------------------------------------
Resolution: Invalid
First off, the 1.1 spec does not address encryption. MyFaces implements JSF
1.1, not JSF 1.2. Second, the 1.2 spec only "highly recommends" encrypting the
client-side state, but does not require it.
However, MyFaces does support encrypting the view state. See the following
link for instructions.
http://wiki.apache.org/myfaces/Secure_Your_Application
> View State is not encrypted
> ---------------------------
>
> Key: MYFACES-918
> URL: http://issues.apache.org/jira/browse/MYFACES-918
> Project: MyFaces
> Type: Bug
> Components: Implementation
> Environment: All
> Reporter: Ivo Marinchev
> Priority: Critical
>
> Just by looking at the source of MyFaces I noticed that the view state is not
> encrypted before it is sent to the client. It is just gzip-ped and then
> Base64-ed. This is a major security issue as:
> 1. any tech-savvy Java user can tamper with it.
> 2. it is susceptible to man-in-the-middle attacks.
> The latter prevents the usage of MyFaces on publicly accessible web sites with
> state saving method client (i.e. most of the cluster installations). Moreover,
> in the JSR it is clearly written that the view state has to be encrypted to
> guarantee the application security.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
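As an added illustration of the report's point (example code, not MyFaces' own; MyFaces' actual protection is the encryption described at the wiki link above), the Python below shows the gzip+Base64 token the report describes beside a variant that appends an HMAC-SHA256 tag so the server can reject an altered token. The key, field names and state values are constructed for the example; a real deployment would also encrypt the payload to hide its contents, which a MAC alone does not do.

```python
# Added example, not MyFaces code. Demonstrates why a gzip+Base64 view-state
# token offers no integrity, and how a server-side HMAC lets the server detect
# a token that was altered after it was issued. All values are constructed.
import base64
import gzip
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-key-not-for-real-use"  # real key: server config
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_unprotected(state: dict) -> str:
    """The pattern the report describes: serialize, gzip, Base64. No integrity."""
    return base64.b64encode(gzip.compress(json.dumps(state).encode())).decode()


def decode_unprotected(token: str) -> dict:
    """Accepts whatever decodes; nothing ties the token to the server."""
    return json.loads(gzip.decompress(base64.b64decode(token)))


def encode_protected(state: dict) -> str:
    """Same payload plus an HMAC-SHA256 tag keyed with a server-only secret."""
    payload = gzip.compress(json.dumps(state).encode())
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def decode_protected(token: str) -> Optional[dict]:
    """Returns the state only if the tag matches; None means reject the request."""
    raw = base64.b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # altered payload or wrong key: do not restore this view
    return json.loads(gzip.decompress(payload))


def demo() -> dict:
    """Compare both encodings against one client-side edit of a state field."""
    state = {"view": "/order.xhtml", "amount": 100}
    altered = dict(state, amount=1)  # constructed edit a client could make offline
    # Unprotected: the re-encoded token is indistinguishable from a genuine one.
    unprotected_restored = decode_unprotected(encode_unprotected(altered))
    # Protected: reusing the genuine tag with an altered payload fails the check.
    genuine = encode_protected(state)
    old_tag = base64.b64decode(genuine)[-TAG_LEN:]
    altered_payload = gzip.compress(json.dumps(altered).encode())
    reused_tag_token = base64.b64encode(altered_payload + old_tag).decode()
    return {
        "unprotected_accepts_altered": unprotected_restored["amount"] == 1,
        "protected_rejects_altered": decode_protected(reused_tag_token) is None,
        "protected_accepts_genuine": decode_protected(genuine) == state,
    }
```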