Hi,
I am using myfaces-1.1.5 and using the following state saving method
javax.faces.STATE_SAVING_METHODserver
However,i see that the object identifier is being sent to the server as
following
This is the serialized object identifier sent over the network
We are using only https and not http.
date to 1.1.8 or upper versions.
>
> See https://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> regards,
>
> Leonardo Uribe
>
> 2016-12-19 5:44 GMT-05:00 karthik kn :
>
> > Hi,
> > I am using myfaces-1.1.5 and using the following state saving met
Hi,
Thank you for clarification. Using the secret mentioned in the below page
would suffice or there is some mechanism to generate the SECRET ?
https://wiki.apache.org/myfaces/Secure_Your_Application
org.apache.myfaces.SECRET
MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz
org.apache.myfaces.ALGORITHM
AES
Hi,
If i use a new key in web.xml as SECRET, it could be still exposed to the
Administrator on accessing the system.
Wont this cause a vulnerability ? Is there any other mechanism of storing
the secret ?
On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler wrote:
> Hi,
>
> > Thank you for clarifica
Hi All,
Any thoughts on the below ?
On Wed, Dec 21, 2016 at 10:22 AM, karthik kn wrote:
> Hi,
> If i use a new key in web.xml as SECRET, it could be still exposed to the
> Administrator on accessing the system.
>
> Wont this cause a vulnerability ? Is there any other mechanism o
check the sources: http://svn.apache.org/viewvc/
> myfaces/core/branches/1.1.x/
>
> Regards,
> Thomas
>
> 2016-12-23 11:21 GMT+01:00 karthik kn :
>
> > Hi All,
> > Any thoughts on the below ?
> >
> > On Wed, Dec 21, 2016 at 10:22 AM, karthik kn wrote:
> >
Any thoughts on the below ?
On Fri, Jan 27, 2017 at 10:57 AM, karthik kn wrote:
> Hi All,
> We were able to update the jsf version to the lates and randomly generate
> the enc key as mentioned in
> https://wiki.apache.org/myfaces/Secure_Your_Application
>
> However, the Ini
7 matches
Mail list logo
