Hi,

Currently we are not in a position to update to 1.1.8 as the change would require an upgrade of legacy software.
With just 1.1.5, based on the below, it has been mentioned that it is ok to use "Server" for state saving. Based on this, can you clarify that encryption is not required for server state saving.

However, in the wiki I see the following:

Security configuration for Myfaces Core 1.1.7, 1.2.8, 2.0.0 and earlier

When using client side state saving, the UI object model is serialized and rendered with the response. This is behavior controlled by the following context parameter.

<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
</context-param>

One consequence of client side state saving is that anyone with a decoder and some time to kill can reconstruct the UI object model on the client side. This can be a problem for those of us who make use of the excellent t:saveState <http://myfaces.apache.org/tomahawk/uiSaveState.html> tag.

*Users of myfaces core version 1.1.7, 1.2.8, 2.0.0 and earlier MUST use server side state saving instead to prevent a padding oracle attack on view state.*

Enabling encryption is as easy as putting the following context parameter in your deployment descriptor. There are two things to note here. First, this uses the default encryption algorithm, DES <http://www.itl.nist.gov/fipspubs/fip46-2.htm>, so the secret must have a size of eight. Second, although the secret is actually "76543210", we do not put this directly in the deployment descriptor. Instead, we place its base 64 encoded value. This annoying extra step in the process is required so that secrets are not limited to printable character values.

On Mon, Dec 19, 2016 at 10:05 PM, Leonardo Uribe <lu4...@gmail.com> wrote:
> Hi
>
> 1.1.5 is too old. Please update to 1.1.8 or upper versions.
>
> See https://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> regards,
>
> Leonardo Uribe
>
> 2016-12-19 5:44 GMT-05:00 karthik kn <keyan...@gmail.com>:
>
> > Hi,
> >
> > I am using myfaces-1.1.5 and using the following state saving method
> >
> > <context-param>
> >   <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
> >   <param-value>server</param-value>
> > </context-param>
> >
> > However, I see that the object identifier is being sent to the server as
> > following
> >
> > <input type="hidden" name="javax.faces.ViewState"
> >   id="javax.faces.ViewState"
> >   value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0
> > AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
> > /></form>
> >
> > This is the serialized object identifier sent over the network
> >
> > We are using only https and not http.
> >
> > Does sending this serialized object identifier without encrypting open any
> > vulnerability which the attacker could use to his/her advantage ?
> >
> > --
> > -------------------------
> > Thanks & Regards
> >
> > Karthik.K.N

--
-------------------------
Thanks & Regards

Karthik.K.N
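Added example, not part of the thread above and not MyFaces code: the "decoder" the wiki text refers to, applied to the exact javax.faces.ViewState value Karthik posted (re-joined from its two wrapped lines and embedded as a constructed sample). The value base64-decodes to bytes beginning AC ED 00 05, the magic and version of java.io.ObjectOutputStream, so it is a plain, unencrypted Java serialization stream. The minimal parser below handles only the subset of that stream format the token uses (TC_ARRAY, TC_CLASSDESC, TC_STRING, TC_NULL, TC_REFERENCE) and yields an Object[] of three elements, two strings and a null. That is a short token of the kind the question calls an "object identifier"; what the server does with it is not something this decoder can tell you. The check and the decoder are my own; nothing here uses MyFaces APIs.

```python
import base64
import struct

# Constructed sample: the javax.faces.ViewState value quoted in the thread,
# re-joined from the two wrapped lines of the posted <input> element.
VIEWSTATE_B64 = (
    "rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0"
    "AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
)

# java.io.ObjectStreamConstants: STREAM_MAGIC (0xACED), STREAM_VERSION (5)
STREAM_HEADER = b"\xac\xed\x00\x05"
BASE_WIRE_HANDLE = 0x7E0000
TC_NULL, TC_REFERENCE, TC_CLASSDESC = 0x70, 0x71, 0x72
TC_STRING, TC_ARRAY, TC_ENDBLOCKDATA = 0x74, 0x75, 0x78


def is_plain_java_stream(value: str) -> bool:
    """True if the base64 value starts with the ObjectOutputStream header,
    i.e. it was written by Java serialization and was not encrypted."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(raw) >= 4 and raw[:4] == STREAM_HEADER


class JavaStreamReader:
    """Parses the subset of the Java serialization grammar needed for the
    token above: an Object[] holding strings and nulls. Anything else raises."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
        self.handles = []  # objects in the order the stream assigned handles

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def utf(self) -> str:
        # (short)length followed by modified-UTF-8 bytes; ASCII in this token
        (length,) = struct.unpack(">H", self.take(2))
        return self.take(length).decode("utf-8")

    def reference(self):
        (handle,) = struct.unpack(">I", self.take(4))
        return self.handles[handle - BASE_WIRE_HANDLE]

    def class_desc(self):
        tc = self.u8()
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.reference()
        if tc != TC_CLASSDESC:
            raise ValueError(f"unsupported class descriptor type 0x{tc:02x}")
        desc = {"name": self.utf()}
        (desc["serialVersionUID"],) = struct.unpack(">q", self.take(8))
        self.handles.append(desc)  # newHandle is assigned before classDescInfo
        desc["flags"] = self.u8()
        (nfields,) = struct.unpack(">H", self.take(2))
        if nfields:
            raise ValueError("field descriptors are not handled by this decoder")
        if self.u8() != TC_ENDBLOCKDATA:
            raise ValueError("expected TC_ENDBLOCKDATA after class annotation")
        desc["super"] = self.class_desc()
        return desc

    def content(self):
        tc = self.u8()
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.reference()
        if tc == TC_STRING:
            s = self.utf()
            self.handles.append(s)
            return s
        if tc == TC_ARRAY:
            desc = self.class_desc()
            if not desc["name"].startswith("[L"):
                raise ValueError("only object arrays are handled")
            items = []
            self.handles.append(items)
            (length,) = struct.unpack(">i", self.take(4))
            for _ in range(length):
                items.append(self.content())
            return items
        raise ValueError(f"unsupported type code 0x{tc:02x}")


def decode_view_state(value: str):
    """Base64-decode a ViewState and return the deserialized object graph,
    or raise if it is not a plain Java serialization stream."""
    if not is_plain_java_stream(value):
        raise ValueError("not a plain Java serialization stream (encrypted, or another format)")
    reader = JavaStreamReader(base64.b64decode(value)[4:])
    obj = reader.content()
    if reader.pos != len(reader.data):
        raise ValueError("trailing bytes after top-level object")
    return obj


if __name__ == "__main__":
    print(decode_view_state(VIEWSTATE_B64))
```

The practical check is the first four bytes: if a ViewState starts with rO0AB after base64 encoding, anyone holding the page can read its contents without a key, whatever transport (HTTPS or not) carried it. With server-side state saving those contents are the short token shown here; with client-side state saving they are the whole serialized UI tree, which is why the wiki text calls for encryption in that mode.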