Hi
It is in the wiki page. See org.apache.myfaces.ALGORITHM.IV web config
param for details.
If you want to take a look at the class where the encryption happens, see
org.apache.myfaces.shared.util.StateUtils in
http://svn.apache.org/repos/asf/myfaces/core/trunk/shared/src/main/java/org/apache/m
Any thoughts on the below ?
On Fri, Jan 27, 2017 at 10:57 AM, karthik kn wrote:
> Hi All,
> We were able to update the jsf version to the latest and randomly generate
> the enc key as mentioned in
> https://wiki.apache.org/myfaces/Secure_Your_Application
>
> However, the Initialization vector for
Hi All,
We were able to update the jsf version to the latest and randomly generate
the enc key as mentioned in
https://wiki.apache.org/myfaces/Secure_Your_Application
However, the Initialization vector for CBC needs to be mentioned. Can we
not generate it randomly?
Is this a bug in JSF?
If i co
Hi,
I don't think there is any other way to configure it but you can still
check the sources: http://svn.apache.org/viewvc/myfaces/core/branches/1.1.x/
Regards,
Thomas
2016-12-23 11:21 GMT+01:00 karthik kn :
> Hi All,
> Any thoughts on the below ?
>
> On Wed, Dec 21, 2016 at 10:22 AM, karthik k
Hi All,
Any thoughts on the below ?
On Wed, Dec 21, 2016 at 10:22 AM, karthik kn wrote:
> Hi,
> If I use a new key in web.xml as SECRET, it could be still exposed to the
> Administrator on accessing the system.
>
> Won't this cause a vulnerability? Is there any other mechanism of storing
> the
Hi,
If I use a new key in web.xml as SECRET, it could be still exposed to the
Administrator on accessing the system.
Won't this cause a vulnerability? Is there any other mechanism of storing
the secret ?
On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler wrote:
> Hi,
>
> > Thank you for clarifica
Hi,
> Thank you for clarification. Using the secret mentioned in the below page
> would suffice or there is some mechanism to generate the SECRET ?
>
You must not use the keys specified on this page but generate your own
secret ones. An attacker using the same key can then produce a valid
ViewSt
Hi,
Thank you for clarification. Using the secret mentioned in the below page
would suffice or there is some mechanism to generate the SECRET ?
https://wiki.apache.org/myfaces/Secure_Your_Application
org.apache.myfaces.SECRET
MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz
org.apache.myfaces.ALGORITHM
AES
Hi,
> Currently we are not in a position to update to 1.1.8 as the change would
> require an upgrade of legacy software.
>
> With just 1.1.5, based on the below, it has been mentioned that it is ok to
> use "Server" for state saving. Based on this, can you clarify that
> encryption is not required
Hi,
Currently we are not in a position to update to 1.1.8 as the change would
require an upgrade of legacy software.
With just 1.1.5, based on the below, it has been mentioned that it is ok to
use "Server" for state saving. Based on this, can you clarify that
encryption is not required for server st
Hi
1.1.5 is too old. Please update to 1.1.8 or upper versions.
See https://wiki.apache.org/myfaces/Secure_Your_Application for details.
regards,
Leonardo Uribe
2016-12-19 5:44 GMT-05:00 karthik kn :
> Hi,
> I am using myfaces-1.1.5 and using the following state saving method
>
> javax.faces.
Hi,
I am using myfaces-1.1.5 and using the following state saving method
javax.faces.STATE_SAVING_METHOD
server
However, I see that the object identifier is being sent to the server as
follows
This is the serialized object identifier sent over the network
We are using only https and not http.