It's the only way to prevent exposing the execution and snapshot ids. We have a constructor that takes a provided secret key rather than the generated one.

On Apr 7, 2011 6:56 AM, "Marvin Addison" <[email protected]> wrote:
>> 1. Is the encryption of the web flow key really necessary, or is the
>> addition of the random uuid to the key sufficient?
>
> I think your analysis is correct if we simply want protocol adherence,
> but I believe the encryption was to support not being able to guess
> the concatenated flow and execution IDs. That said, I don't believe
> encryption offers any additional security value.
>
> I recommend we reconsider the symmetric encryption implementation due
> to the complexity it creates for clustered deployments. Key
> management is a drag on a single host; on multiple hosts it's a
> headache.
>
> M
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
