I disabled encryption (see below), redeployed, and everything works; seemingly
it is much more responsive too.

What's the purpose of the encryption? When I View Source, the ViewState field
looks like a long hex string. Even if it can be reverse-engineered, the
values are likely to be the same ones sent in the HTTP request. These are
vulnerable to MITM attack unless one uses HTTPS. Is JSF smart enough to
exclude a password field's value from ViewState?

<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>false</param-value>
</context-param>

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

On Fri, Dec 10, 2010 at 2:40 PM, Leonardo Uribe <[email protected]> wrote:

> Hi
>
> One last note: to make client-side state saving work, try configuring these
> two params:
>
> org.apache.myfaces.SECRET
>
> org.apache.myfaces.MAC_SECRET
>
> It is probable that the ViewExpiredException is thrown because you have not
> configured the MAC secret.
>
> See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> regards,
>
> Leonardo Uribe
>
> 2010/12/10 Leonardo Uribe <[email protected]>
>
> > Hi
> >
> > Is there any way to see the app log? In theory, when a ViewExpiredException
> > is thrown, the reason is logged there, but it is not shown on the browser.
> >
> > I read your previous emails related to this one, and one possibility that
> > comes to my mind is that we are storing something in the session without
> > implementing the Serializable interface. If that is so, as soon as GAE
> > serializes the session to disk, that code causes an Exception, and when
> > MyFaces tries to restore the state it has just disappeared (the servlet
> > session is invalid, so a new one is created and our value in the
> > javax.faces.ViewState request parameter is not found, so a
> > ViewExpiredException is thrown).
> >
> > The solution, if that is the case, is to check all lines that do something
> > with the session map and check whether they can be serialized to disk.
> >
> > regards,
> >
> > Leonardo
> >
>
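
Added example, not from this thread and not MyFaces's own code: a Java sketch of what the SECRET / MAC_SECRET pair buys for client-side state saving. The hidden javax.faces.ViewState field carries the serialized component tree, so with encryption and the MAC off whatever the browser posts back is deserialized as-is; with a MAC the server rejects an altered or forged token before it ever deserializes it. The key sizes, token layout, class name and the constructed sample state are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ClientStateDemo { // illustration of encrypt-then-MAC client state; not MyFaces's own code
    private static final SecureRandom RNG = new SecureRandom();
    private static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    // Random per-instance keys here (assumption); MyFaces takes them from the configured SECRET and MAC_SECRET.
    private final SecretKeySpec encKey = new SecretKeySpec(random(16), "AES");
    private final SecretKeySpec macKey = new SecretKeySpec(random(32), "HmacSHA256");
    // Save: the hidden field carries Base64( iv || AES-CBC(state) || HMAC-SHA256(iv || ciphertext) ).
    public String save(byte[] state) throws Exception {
        byte[] iv = random(16);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] body = join(iv, c.doFinal(state));
        return Base64.getEncoder().encodeToString(join(body, hmac(body)));
    }
    // Restore: verify the MAC in constant time before decrypting; only state this server issued is restored.
    public byte[] restore(String token) throws Exception {
        byte[] all = Base64.getDecoder().decode(token);
        if (all.length < 48) return null; // shorter than iv + tag cannot be ours
        byte[] body = Arrays.copyOf(all, all.length - 32);
        if (!MessageDigest.isEqual(hmac(body), Arrays.copyOfRange(all, all.length - 32, all.length)))
            return null; // altered or forged: never deserialize it
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(Arrays.copyOf(body, 16)));
        return c.doFinal(Arrays.copyOfRange(body, 16, body.length));
    }
    private byte[] hmac(byte[] data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(macKey);
        return m.doFinal(data);
    }
    private static byte[] join(byte[] a, byte[] b) {
        return ByteBuffer.allocate(a.length + b.length).put(a).put(b).array();
    }
    public static void main(String[] args) throws Exception {
        ClientStateDemo d = new ClientStateDemo();
        String token = d.save("constructed sample state".getBytes("UTF-8")); // constructed input
        byte[] raw = Base64.getDecoder().decode(token);
        raw[20] ^= 1; // simulate a token corrupted in transit
        System.out.println((d.restore(token) != null) + " " + (d.restore(Base64.getEncoder().encodeToString(raw)) == null)); // true true
    }
}
```

The same check is what the MAC secret gives MyFaces: a ViewState that fails verification is refused, which is safer than the ViewExpiredException path and far safer than restoring unverified client data.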
