I'm not in front of the code but if I recall spring webflow just cares about the parsed values. Which is why we encrypt them. I can double check when I am at a computer. On Apr 7, 2011 8:33 AM, "Marvin Addison" <[email protected]> wrote: >> It's the only way to prevent exposing the execution and snapshot ids. > > Why are we trying to protect those again? The data they point to are > bound to the session, so you'd have to compromise the session to > access anything meaningful. We're protocol compliant without > encryption as Jon noted, so I think it's important to justify the > security requirement for encryption. > >> We have a constructor that takes a provided secret key rather than the >> generated one. > > Providing the key is the key management headache I referred to for > clustered deployments. > > M > > -- > You are currently subscribed to [email protected] as: [email protected] > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
