View State is not encrypted
---------------------------
Key: MYFACES-918
URL: http://issues.apache.org/jira/browse/MYFACES-918
Project: MyFaces
Type: Bug
Components: Implementation
Environment: All
Reporter: IM
Priority: Critical
Just by looking at the source of MyFaces I noticed that the view state is not
encrypted before it is sent to the client. It is just gzipped and then
Base64-encoded. This is a major security issue as:
1. any tech-savvy Java user can tamper with it.
2. it is susceptible to man-in-the-middle attacks.
The latter prevents the usage of MyFaces on publicly accessible web sites with
state saving method "client" (i.e. most of the cluster installations). Moreover,
in the JSR it is clearly written that the view state has to be encrypted to
guarantee the application security.
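The scheme the report describes (gzip, then Base64, no key) next to a MAC-protected variant, as an added illustration that is not MyFaces code: the JSON payload stands in for the serialized component tree, and the server key, SAMPLE_STATE and the helper names are constructed for this example.

```python
import base64
import gzip
import hashlib
import hmac
import json

# Constructed sample view state: a real MyFaces token carries a serialized
# component tree, but JSON keeps this example self-contained.
SAMPLE_STATE = {"viewId": "/order.jsp", "adminPanel": False, "total": 99.90}
# Constructed server-side secret; a real deployment would load it from config.
SERVER_KEY = b"constructed-server-secret-do-not-reuse"


def encode_unprotected(state: dict) -> str:
    """gzip + Base64 only, as the report describes: no key is involved."""
    raw = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_unprotected(token: str) -> dict:
    """Whoever holds the token recovers (and can re-encode) the state."""
    return json.loads(gzip.decompress(base64.b64decode(token)))


def encode_protected(state: dict, key: bytes = SERVER_KEY) -> str:
    """Same compression, plus an HMAC-SHA256 tag over the compressed bytes."""
    body = gzip.compress(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode("ascii")


def decode_protected(token: str, key: bytes = SERVER_KEY):
    """Return the state only when the tag verifies; None means reject."""
    blob = base64.b64decode(token)
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(gzip.decompress(body))


def tamper_demo() -> tuple:
    """Re-encode a modified state without the server key: the unprotected
    decoder accepts the forged flag, the protected decoder returns None."""
    modified = dict(SAMPLE_STATE, adminPanel=True)
    accepted = decode_unprotected(encode_unprotected(modified))["adminPanel"]
    forged = encode_protected(modified, key=b"no-server-key")
    return accepted, decode_protected(forged)


def bitflip_rejected() -> bool:
    """Flipping one byte of a genuine protected token must fail verification."""
    blob = bytearray(base64.b64decode(encode_protected(SAMPLE_STATE)))
    blob[10] ^= 0x01  # first byte after the 10-byte gzip header
    return decode_protected(base64.b64encode(bytes(blob)).decode("ascii")) is None
```

The HMAC only gives integrity, which is what stops tampering; the confidentiality concern in the report additionally needs the state encrypted with a cipher from a crypto library before the tag is computed, which the standard library used here does not provide.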
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira