I've been thinking about the security implications of storing the JSF state on the client. It looks like MyFaces is serializing, encoding and then zipping.
My question is, if you had the serialized bytes for some Java classes, how hard would it be to learn anything about the classes? I know this assumes advanced Java knowledge and a lot of determination. But is it possible to deserialize Java classes from the bytes if you don't know the classes underlying them? I'm thinking about some encryption features that I might volunteer at some point to MyFaces. But for now I'm just wondering if it's really feasible. I suppose you might be able to look for values that you might recognize in the byte stream (like a username or account balance or something) and manipulate that without even deserializing ... Thoughts, sean
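The following is an added example, not code from the post or from MyFaces, illustrating the two halves of the question from a defender's side. The serialization format used by `ObjectOutputStream` writes the fully qualified class name, the `serialVersionUID`, each field's name and type descriptor, and the field values into the stream in the clear, so a plain `strings`-style scan over the unzipped bytes recovers them without the class definitions. The second half shows the usual mitigation: append an HMAC over the encoded state and verify it (in constant time) before the server ever deserializes what the client sent back, so a modified byte stream is rejected. `UserState`, the gzip/base64 pipeline, and the key handling are constructed assumptions standing in for a real view's state and a real server-side secret; the whole file requires Java 9 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.zip.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class StateInspection {

    // Constructed sample state class; stands in for whatever a view actually saves.
    static class UserState implements Serializable {
        private static final long serialVersionUID = 1L;
        String username;
        long accountBalance;
        UserState(String u, long b) { username = u; accountBalance = b; }
    }

    // Serialize -> gzip -> base64, mirroring the pipeline described in the post.
    static String encode(Object state) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(new GZIPOutputStream(bos))) {
            oos.writeObject(state);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // Undo base64 and gzip to get the raw serialization stream back.
    static byte[] rawStream(String encoded) throws IOException {
        byte[] zipped = Base64.getDecoder().decode(encoded);
        try (InputStream in = new GZIPInputStream(new ByteArrayInputStream(zipped))) {
            return in.readAllBytes();
        }
    }

    // Collect runs of printable ASCII (what `strings` does): no class definitions needed.
    static List<String> printableRuns(byte[] data, int minLen) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (byte b : data) {
            if (b >= 0x20 && b < 0x7f) {
                cur.append((char) b);
            } else {
                if (cur.length() >= minLen) out.add(cur.toString());
                cur.setLength(0);
            }
        }
        if (cur.length() >= minLen) out.add(cur.toString());
        return out;
    }

    // Defender side: HMAC-SHA256 over the encoded state, keyed with a server-only secret.
    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Token sent to the client: "<base64 state>.<base64 tag>".
    static String protect(String encodedState, byte[] key) throws Exception {
        byte[] tag = hmac(key, encodedState.getBytes(StandardCharsets.US_ASCII));
        return encodedState + "." + Base64.getEncoder().encodeToString(tag);
    }

    // Verify the tag before any deserialization; constant-time compare via MessageDigest.isEqual.
    static String verify(String token, byte[] key) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) throw new SecurityException("missing MAC");
        String state = token.substring(0, dot);
        byte[] given = Base64.getDecoder().decode(token.substring(dot + 1));
        byte[] expected = hmac(key, state.getBytes(StandardCharsets.US_ASCII));
        if (!MessageDigest.isEqual(given, expected)) throw new SecurityException("state MAC mismatch");
        return state;
    }

    public static void main(String[] args) throws Exception {
        String encoded = encode(new UserState("sean", 1250L));

        // Class name, field names (username, accountBalance) and the value "sean" all show up.
        System.out.println("printable strings in the raw stream:");
        for (String s : printableRuns(rawStream(encoded), 4)) System.out.println("  " + s);

        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);          // assumed to live only on the server
        String token = protect(encoded, key);
        System.out.println("untouched token verifies: " + verify(token, key).equals(encoded));

        // Flip the first character of the state part, as a client editing the bytes would.
        char c = token.charAt(0);
        String tampered = (c == 'A' ? 'B' : 'A') + token.substring(1);
        try {
            verify(tampered, key);
        } catch (SecurityException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints the recovered strings first, which answers the "without even deserializing" part of the question directly: the stream is self-describing by design. The HMAC only provides integrity; if the values themselves must stay confidential, the state also has to be encrypted (with the MAC computed over the ciphertext, or an AEAD mode used), and the key must never reach the client.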

