Try making a simple class and serializing it to a file. You'd be surprised at what it spits out.
It is somewhat possible to learn about the values within a class and encrypting the session is probably not a bad idea.

On Tue, 18 Jan 2005 16:31:14 -0500, Sean Schofield <[EMAIL PROTECTED]> wrote:
> I've been thinking about the security implications of storing the JSF
> state on the client. It looks like MyFaces is serializing, encoding
> and then zipping.
>
> My question is, if you had the serialized bytes for some java classes,
> how hard would it be to learn anything about the classes? I know this
> assumes advanced java knowledge and a lot of determination. But is it
> possible to deserialize java classes from the bytes if you don't know
> the classes underlying them.
>
> I'm thinking about some encryption features that I might volunteer at
> some point to MyFaces. But for now I'm just wondering if it's really
> feasible.
>
> I suppose you might be able to look for values that you might
> recognize in the byte stream (like a username or account balance or
> something) and manipulate that without even deserializing ...
>
> Thoughts,
>
> sean

--
-Heath Borders-Wing
[EMAIL PROTECTED]
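The experiment Heath suggests, written out as an added example that is not from the thread or from MyFaces: a constructed `AccountView` class stands in for an object held in view state, it is serialized with plain `ObjectOutputStream`, and the byte stream is scanned for printable runs to show what the class name, field names, field types and String values look like on the wire, and that gzip plus Base64 does not hide any of it.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.zip.GZIPOutputStream;

public class StateLeakDemo {
    // Constructed stand-in for an object kept in JSF view state (not a MyFaces class).
    static class AccountView implements Serializable {
        private static final long serialVersionUID = 1L;
        String username = "alice";
        double accountBalance = 1234.56;
        boolean admin = false;
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }
    // Collect every run of four or more printable ASCII bytes. The class name, the
    // field names and type signatures and every String value appear in the clear;
    // only primitives such as the double are written in binary form.
    static List<String> printableRuns(byte[] data) {
        List<String> runs = new ArrayList<>();
        StringBuilder sb = new StringBuilder();
        for (byte b : data) {
            if (b >= 0x20 && b < 0x7f) {
                sb.append((char) b);
            } else {
                if (sb.length() >= 4) runs.add(sb.toString());
                sb.setLength(0);
            }
        }
        if (sb.length() >= 4) runs.add(sb.toString());
        return runs;
    }
    public static void main(String[] args) throws IOException {
        byte[] raw = serialize(new AccountView());
        System.out.println("Serialized " + raw.length + " bytes; printable runs:");
        for (String s : printableRuns(raw)) System.out.println("  " + s);
        // Gzip plus Base64, as the thread describes for the client-side state, is an
        // encoding rather than protection: decoding and inflating it needs no key.
        ByteArrayOutputStream zipped = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(zipped)) { gz.write(raw); }
        System.out.println("Encoded: " + Base64.getEncoder().encodeToString(zipped.toByteArray()));
    }
}
```

Encrypting the state and adding an integrity check (a MAC keyed server-side) before it leaves the server is what closes this gap, which is the direction Sean's proposed contribution points in.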

