Re: Reg vulnerability for Server State saving

2017-01-29 Thread karthik kn
Any thoughts on the below?

On Fri, Jan 27, 2017 at 10:57 AM, karthik kn wrote:
> Hi All,
> We were able to update the jsf version to the latest and randomly generate
> the enc key as mentioned in
> https://wiki.apache.org/myfaces/Secure_Your_Application
>
> However, the

Re: Reg vulnerability for Server State saving

2017-01-29 Thread Leonardo Uribe
Hi

It is in the wiki page. See org.apache.myfaces.ALGORITHM.IV web config param for details. If you want to take a look at the class where the encryption happens, see org.apache.myfaces.shared.util.StateUtils in