I've verified that if you set the cipher & MAC keys in web.xml, MyFaces works reliably on GAE with client-side state saving. I've appended sample settings.
http://wiki.apache.org/myfaces/Secure_Your_Application: "encryption* must be used in production* environments and disable it could only be valid on testing/development environments." MyFaces doesn't enforce this. Even if the password field value isn't stored in the ViewState, or the ViewState is encrypted, the password is sent in cleartext and is thus vulnerable to MITM. That's easier than reverse-engineering the ViewState. If a black hat has physical access to the browser, stealing a cookie is easier than reverse-engineering the ViewState. Am I over-simplifying?

  <!-- http://wiki.apache.org/myfaces/Secure_Your_Application -->
  <context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
  </context-param>

  <!-- http://svn.apache.org/repos/asf/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
       public static final String DEFAULT_ALGORITHM = "DES";
       public static final String DEFAULT_ALGORITHM_PARAMS = "ECB/PKCS5Padding"; -->

  <!-- Indicate the encryption algorithm used to encrypt the view state. -->
  <context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <!-- See http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html for details -->
    <param-value>DES</param-value>
  </context-param>

  <!-- Defines the default mode and padding used for the encryption algorithm -->
  <context-param>
    <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
    <param-value>ECB/PKCS5Padding</param-value>
  </context-param>

  <!-- 128b / 6b = 21.3... digits
       56b / 6b = 9.3... digits (DES) -->
  <context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>01234567890==</param-value>
  </context-param>

  <!-- Indicate the algorithm used to calculate the Message Authentication Code
       that is added to the view state. -->
  <context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA1</param-value>
  </context-param>

  <!-- Define the initialization code (Base64 encoded) that is used to initialize
       the secret key used by the Message Authentication Code algorithm. The size
       of it depends on the algorithm used for MAC calculation:
       64b key / 6b = 10.6... digits -->
  <context-param>
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <param-value>01234567890=</param-value>
  </context-param>

  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
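An added example, not code from the post above or from MyFaces: a stand-alone Java program that generates random secrets of the sizes the settings above require (an 8-byte DES key is 12 Base64 characters; a 20-byte HmacSHA1 key is 28) and prints them as ready-to-paste context-params, then does an encrypt-then-MAC round trip over a constructed sample state and shows that flipping one bit of the ciphertext is rejected before decryption. The round trip is written for this example and only illustrates the layout (ciphertext followed by the MAC); it is not a copy of org.apache.myfaces.shared.util.StateUtils. DES/ECB is kept solely to match the posted sample; it is the MyFaces default, not a recommendation, and the sample secrets in the post should in any case be replaced with random ones like those printed here.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Generates web.xml secrets for MyFaces client-side state encryption and
 * demonstrates why the MAC matters. Illustrative code written for this
 * example; the seal/open layout is an assumption, not MyFaces' StateUtils.
 */
public class ViewStateSecrets {

    // Algorithm names exactly as configured in the web.xml sample above.
    static final String CIPHER_ALG = "DES";              // MyFaces default; weak, kept only to match the sample
    static final String CIPHER_PARAMS = "ECB/PKCS5Padding";
    static final String MAC_ALG = "HmacSHA1";

    /** Random key for the given JCE algorithm, Base64 encoded for web.xml. */
    static String generateSecret(String algorithm, int keyBits) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(algorithm);
        kg.init(keyBits, new SecureRandom());
        return Base64.getEncoder().encodeToString(kg.generateKey().getEncoded());
    }

    /** Encrypt-then-MAC: returns ciphertext followed by the MAC of that ciphertext. */
    static byte[] seal(byte[] plain, byte[] cipherKey, byte[] macKey) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(CIPHER_ALG + "/" + CIPHER_PARAMS);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(cipherKey, CIPHER_ALG));
        byte[] ct = c.doFinal(plain);
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(macKey, MAC_ALG));
        byte[] tag = mac.doFinal(ct);
        byte[] out = Arrays.copyOf(ct, ct.length + tag.length);
        System.arraycopy(tag, 0, out, ct.length, tag.length);
        return out;
    }

    /** Verify the MAC first (constant-time compare); only then decrypt. */
    static byte[] open(byte[] blob, byte[] cipherKey, byte[] macKey) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(macKey, MAC_ALG));
        int tagLen = mac.getMacLength();
        if (blob.length < tagLen) {
            throw new GeneralSecurityException("ViewState too short to carry a MAC");
        }
        byte[] ct = Arrays.copyOfRange(blob, 0, blob.length - tagLen);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - tagLen, blob.length);
        if (!MessageDigest.isEqual(mac.doFinal(ct), tag)) {
            throw new GeneralSecurityException("ViewState MAC mismatch: state was modified");
        }
        Cipher c = Cipher.getInstance(CIPHER_ALG + "/" + CIPHER_PARAMS);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(cipherKey, CIPHER_ALG));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String secret = generateSecret(CIPHER_ALG, 56);    // DES: 8-byte key -> 12 Base64 chars
        String macSecret = generateSecret(MAC_ALG, 160);   // HmacSHA1: 20-byte key -> 28 Base64 chars
        System.out.println("<context-param><param-name>org.apache.myfaces.SECRET</param-name>"
                + "<param-value>" + secret + "</param-value></context-param>");
        System.out.println("<context-param><param-name>org.apache.myfaces.MAC_SECRET</param-name>"
                + "<param-value>" + macSecret + "</param-value></context-param>");

        byte[] ck = Base64.getDecoder().decode(secret);
        byte[] mk = Base64.getDecoder().decode(macSecret);
        // Constructed sample state; a real ViewState is the serialized component tree.
        byte[] state = "serialized-view-state".getBytes(StandardCharsets.UTF_8);
        byte[] sealed = seal(state, ck, mk);
        System.out.println("round trip ok: " + Arrays.equals(state, open(sealed, ck, mk)));

        byte[] tampered = sealed.clone();
        tampered[0] ^= 0x01;                               // flip one bit of the ciphertext
        try {
            open(tampered, ck, mk);
            System.out.println("tampering NOT detected");
        } catch (GeneralSecurityException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```

Run it once per deployment and paste the two printed context-params over the placeholder SECRET and MAC_SECRET values; a Base64 string that does not decode to the key length the cipher expects is the usual cause of client-side state saving failing at the first postback.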

