Hi,

the question is: Why should we use encryption and serialization when it's actually >NOT< required for server side state?
Sure, encryption should be safe actually, but instead of using a better encryption algorithm like mentioned in the ticket, it's better to just remove the encryption.
Probably it's also better for performance reasons - however I think it's not measurable.

IMO the best solution would be the following:
1) skip serialization on server-side state
2) upgrade the algorithm, like also mentioned in the ticket, for client side state

So we are safer for client side state and absolutely safe for server side state.

Also the community is interested in doing the change. The TomEE guys already forked MyFaces to do these changes in 2.2.x AFAIR.

Regards,
Thomas

2018-01-29 3:07 GMT+01:00 Leonardo Uribe <[email protected]>:

> Hi
>
> I think this issue has very low priority. After thinking a lot on it I
> prefer not to do anything. Less is more in my opinion.
>
> regards,
>
> Leonardo Uribe
>
> 2018-01-28 20:57 GMT-05:00 Leonardo Uribe <[email protected]>:
>
>> Hi
>>
>> I think MYFACES-4133 does not qualify to be a bug, because encryption
>> should be always enabled.
>>
>> Is it required? No
>>
>> Is it an improvement? Not really. I still need a reason to enable this
>> mode.
>>
>> Can we avoid the serialization/deserialization step? yes.
>>
>> regards,
>>
>> Leonardo Uribe
>>
>> 2018-01-28 9:12 GMT-05:00 Thomas Andraschko <[email protected]>:
>>
>>> Hi,
>>>
>>> IMO the change is almost mandatory for 2.3.0.
>>>
>>> Please also see the discussion in "[myfaces core] don't deserialize
>>> ViewState-ID if state saving method is server".
>>>
>>> @Leo: Do you have time to refactor it?
>>>
>>> Otherwise I would reapply my patch but with "random" instead of
>>> "secureRandom".
>>> That's fine for now. We can still refactor or improve the API later in
>>> 2.3.x or even in JSF.next.
>>>
>>> Regards,
>>> Thomas
>>>
>>> 2018-01-28 0:17 GMT+01:00 Paul Nicolucci <[email protected]>:
>>>
>>>> Hi,
>>>>
>>>> It looks like the only remaining item we have before we can deliver
>>>> 2.3.0 is: https://issues.apache.org/jira/browse/MYFACES-4133
>>>>
>>>> @Leonardo/Thomas, has an acceptable fix been created? Can we deliver
>>>> 2.3.0 without a fix or is this mandatory?
>>>>
>>>> Thanks,
>>>>
>>>> Paul
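
An added illustration of the two modes discussed in this thread (not code from MyFaces or from any participant): server-side state restored from an opaque random token with no deserialization of client input, and client-side state sealed with authenticated encryption that is verified before anything is deserialized. The class and method names, the SecureRandom token and the choice of AES-GCM are assumptions; the thread does not name the algorithm proposed in the ticket.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added sketch, not MyFaces code: class, method and field names are hypothetical.
public class ViewStateSketch {
    private static final SecureRandom RNG = new SecureRandom();
    // Server-side state lives here; the client only ever holds the map key.
    private static final Map<String, Object> VIEWS = new ConcurrentHashMap<>();

    static String saveServerSide(Object viewState) {
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
        VIEWS.put(token, viewState);
        return token;
    }
    // The submitted token is only a lookup key: nothing from the client is deserialized.
    static Object restoreServerSide(String token) {
        return VIEWS.get(token); // null: unknown or expired view
    }

    // Client-side state passes through the browser, so it is sealed with AES-GCM (assumed choice).
    static byte[] seal(SecretKey key, byte[] serializedState) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(serializedState);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Tag verification fails (AEADBadTagException) before any byte reaches a deserializer.
    static byte[] open(SecretKey key, byte[] sealed) throws Exception {
        if (sealed.length < 12 + 16) throw new IllegalArgumentException("truncated state");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, sealed, 0, 12));
        return c.doFinal(sealed, 12, sealed.length - 12);
    }

    public static void main(String[] args) throws Exception {
        String token = saveServerSide("constructed view tree");
        System.out.println(restoreServerSide(token) + " / " + restoreServerSide("forged"));
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] sealed = seal(key, "constructed state".getBytes("UTF-8"));
        sealed[sealed.length - 1] ^= 1; // simulate tampering in transit
        try { open(key, sealed); } catch (AEADBadTagException e) { System.out.println("rejected"); }
    }
}
```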
