[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2018-01-29 Thread Thomas Andraschko (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16343942#comment-16343942 ] Thomas Andraschko commented on MYFACES-4133: [~stockli] Seems like HMAC is already used. If

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2018-01-29 Thread Thomas Andraschko (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16343870#comment-16343870 ] Thomas Andraschko commented on MYFACES-4133: Commited a modified version - without deleting

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-12-20 Thread Andy Gumbrecht (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16298050#comment-16298050 ] Andy Gumbrecht commented on MYFACES-4133: - Hi All, I've not taken any liberty in the patches -

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-12-19 Thread Thomas Andraschko (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16297259#comment-16297259 ] Thomas Andraschko commented on MYFACES-4133: the classes were removed because "sequence"

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-21 Thread Thomas Andraschko (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16135942#comment-16135942 ] Thomas Andraschko commented on MYFACES-4133: [~lu4242] I had a look at it but not sure. IMO

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-19 Thread Mike Kienenberger (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16134108#comment-16134108 ] Mike Kienenberger commented on MYFACES-4133: There are times when encryption is not

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-18 Thread Thomas Andraschko (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16133048#comment-16133048 ] Thomas Andraschko commented on MYFACES-4133: 1) makes sense 2) i think it's valid to disable

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-18 Thread JIRA
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16133041#comment-16133041 ] Peter Stöckli commented on MYFACES-4133: [~lu4242]: I propose following steps: # Don't

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-16 Thread Leonardo Uribe (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16128817#comment-16128817 ] Leonardo Uribe commented on MYFACES-4133: - Encryption should NEVER be disabled for view state

[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-16 Thread Thomas Andraschko (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16128488#comment-16128488 ] Thomas Andraschko commented on MYFACES-4133: I see - now i understand your problem (also