Re: t:saveState server/client ... or request/session

2005-10-21 Thread Dennis Byrne
. Original message Date: Wed, 12 Oct 2005 15:57:59 -0400 From: Mike Kienenberger [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: MyFaces Discussion users@myfaces.apache.org, [EMAIL PROTECTED] Werner, We're talking about encryption of the client state data

Re: t:saveState server/client ... or request/session

2005-10-16 Thread Martin Marinschek
there is only a small chunk of data needing to be hidden. Original message Date: Wed, 12 Oct 2005 22:02:39 +0200 From: Werner Punz [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: users@myfaces.apache.org Ok sorry did not think of that anymore

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Mike Kienenberger
be? .properties, DD, faces-config ? I really don't care ;) Original message Date: Tue, 11 Oct 2005 16:29:21 -0400 From: Mike Kienenberger [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: MyFaces Discussion users@myfaces.apache.org Hey Dennis

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Dennis Byrne
Saving the key in each session might work. The environment may preserve server-side sessions across restarts, depending on the configuration. Yes, and javax.crypto.spec.SecretKeySpec implements Serializable. There are of course risks w/ a key being stored in serialized sessions. I'd also

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Mike Kienenberger
Yeah, that's a good point. I'm going to enhance whatever you come up with to add the ip address into the state and validation. Maybe you can leave in a hook for adding other authentication info into the mix. Or I suppose I can create my own delegating StateManager to do it. Might be better

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Dennis Byrne
Good, I'll just email it to your gmail account before I even open the issue. Original message Date: Wed, 12 Oct 2005 14:51:38 -0400 From: Mike Kienenberger [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: MyFaces Discussion users

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Mike Kienenberger
: Mike Kienenberger [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: MyFaces Discussion users@myfaces.apache.org Yeah, that's a good point. I'm going to enhance whatever you come up with to add the ip address into the state and validation. Maybe you can

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Dennis Byrne
Hmmm ... I was not aware of this secret gathering. I'm dennisbyrne for sf. Original message Date: Wed, 12 Oct 2005 15:19:04 -0400 From: Mike Kienenberger [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: MyFaces Discussion users

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Werner Punz
I do not think encryption is that important, signing probably yes, but if you want encryption you always can switch to a ssl layer which is easier to handle. Mike Kienenberger wrote: I did a search on the JSF 1.2 spec, and the four references to encrypting are all vague and general (It is

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Mike Kienenberger
Werner, We're talking about encryption of the client state data at the client, not of the data channel between the client and the server. Right now, an end-user can do a view-source, then Base64 decode the state tree field to see all stored data. Depending on what the application is doing,

Re: t:saveState server/client ... or request/session

2005-10-12 Thread Dennis Byrne
: t:saveState server/client ... or request/session To: users@myfaces.apache.org Ok sorry did not think of that anymore, understandable after 13 hours of coding ;-) Werner Mike Kienenberger wrote: Werner, We're talking about encryption of the client state data at the client, not of the data channel

Re: t:saveState server/client ... or request/session

2005-10-11 Thread Mike Kienenberger
in my project over a week or two, are you interested? Original message Date: Wed, 5 Oct 2005 09:30:21 +0200 From: Martin Marinschek [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: MyFaces Discussion users@myfaces.apache.org Ok, to shed some

Re: t:saveState server/client ... or request/session

2005-10-11 Thread Dennis Byrne
, faces-config ? I really don't care ;) Original message Date: Tue, 11 Oct 2005 16:29:21 -0400 From: Mike Kienenberger [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: MyFaces Discussion users@myfaces.apache.org Hey Dennis, Rather than try

Re: t:saveState server/client ... or request/session

2005-10-06 Thread Dennis Byrne
in my project over a week or two, are you interested? Original message Date: Wed, 5 Oct 2005 09:30:21 +0200 From: Martin Marinschek [EMAIL PROTECTED] Subject: Re: t:saveState server/client ... or request/session To: MyFaces Discussion users@myfaces.apache.org Ok, to shed some light

Re: t:saveState server/client ... or request/session

2005-10-05 Thread Martin Marinschek
Ok, to shed some light on this: - in the JSF RI, there is encryption on the client side - we have not implemented it so far, (this was after 1.1) cause we have no one here with too much time and experience in this. It should be not too hard though with the RI as an example and the java security

Re: t:saveState server/client ... or request/session

2005-10-05 Thread Simon Kitching
Martin Marinschek wrote: Ok, to shed some light on this: Thanks for all the info! - in the JSF RI, there is encryption on the client side - we have not implemented it so far, (this was after 1.1) cause we have no one here with too much time and experience in this. It should be not too hard

Re: t:saveState server/client ... or request/session

2005-10-05 Thread Martin Marinschek
You may not use it as a reference, but as an example! regards, Martin On 10/5/05, Simon Kitching [EMAIL PROTECTED] wrote: Martin Marinschek wrote: Ok, to shed some light on this: Thanks for all the info! - in the JSF RI, there is encryption on the client side - we have not

t:saveState server/client ... or request/session

2005-10-04 Thread Dennis Byrne
Regarding subtle differences when changing javax.faces.STATE_SAVING_METHOD to 'server' vs. 'client' . These differences appear to be forcing me to choose between two requirements : producing an application w/ 'context complete' requests and producing an app that is secure. With 'client' side

Re: t:saveState server/client ... or request/session

2005-10-04 Thread Simon Kitching
Dennis Byrne wrote: Regarding subtle differences when changing javax.faces.STATE_SAVING_METHOD to 'server' vs. 'client' . These differences appear to be forcing me to choose between two requirements : producing an application w/ 'context complete' requests and producing an app that is secure.

Re: t:saveState server/client ... or request/session

2005-10-04 Thread Dennis Byrne
I guess it would be possible to implement a custom state-saving/state-restoring mechanism that encrypts the data using a key stored in the user session. ... or use a converter that did the encryption/decryption ? Why would the objects stored in the user session on the server be serialized