Btw. generally server side state saving is way faster than client side, although the difference has been somewhat reduced thanks to delta state saving. The reason simply is you transmit way less data over the line with the server side state saving on.

Werner


On 12.12.10 11:38, Werner Punz wrote:
Hi Ken, the purpose of the encryption is a security problem, if you do
not encrypt the viewstate on the client side then it is reverse
engineerable from a third party.
We had to introduce that to fix that hole.
For server side state saving the encryption is not really needed unless
you do not trust the third party you host the state with.


Werner


On 11.12.10 00:31, ken keller wrote:
I disabled encryption (see below), redeployed, & everything works--seemingly
it is much more responsive too.

What's the purpose of the encryption? When I View Source, ViewState field
looks like a long, hex string. Even if it can be reverse-engineered, the
values are likely to be the same ones sent in the http request. These are
vulnerable to MITM attack unless one uses https. Is JSF smart enough to
exclude a password field's value from ViewState?

<context-param>
<param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
<param-value>false</param-value>
</context-param>

<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>

On Fri, Dec 10, 2010 at 2:40 PM, Leonardo Uribe<[email protected]> wrote:

Hi

One last note, to make client side state saving work try configuring these
two params:


org.apache.myfaces.SECRET

org.apache.myfaces.MAC_SECRET


It is probable that the ViewExpiredException is thrown because you have not
configured the MAC secret.

See http://wiki.apache.org/myfaces/Secure_Your_Application for details.

regards,

Leonardo Uribe

2010/12/10 Leonardo Uribe<[email protected]>

Hi

Is there any way to see the app log? In theory, when a ViewExpiredException
is thrown, the reason is logged there, but it is not on the browser.


I read your previous emails related to this one and one possibility that
comes to my mind is we are storing something on session without implementing
the Serializable interface. If that is so, as soon as GAE serializes the
session to disk, that code causes an Exception and when MyFaces tries to
restore the state it just has disappeared (servlet session is invalid, so a
new one is created and our value in javax.faces.ViewState request parameter
is not found, so a ViewExpiredException is thrown).

The solution, if that is the case, is to check all lines that do something
with the session map and check if it is possible to serialize to disk.

regards,

Leonardo
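
One way to run the check suggested in the last message above, as an added example that is not code from the thread or from MyFaces: it tries to serialize every session attribute and reports the ones that fail, including beans that implement Serializable but hold a field that does not. The class names (SessionSerializationCheck, Cart, UserBean, PriceService) are hypothetical, and the attributes are passed as a plain Map so it runs without the servlet API.

```java
import java.io.*;
import java.util.*;

public class SessionSerializationCheck {

    /** Returns attribute name -> reason for every value Java serialization cannot write. */
    static Map<String, String> findUnserializable(Map<String, Object> attributes) {
        Map<String, String> failures = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(e.getValue());
            } catch (NotSerializableException ex) {
                // The message is the class name of the object that broke the write,
                // which may be a field nested inside a Serializable bean.
                failures.put(e.getKey(), "not serializable: " + ex.getMessage());
            } catch (IOException ex) {
                failures.put(e.getKey(), ex.toString());
            }
        }
        return failures;
    }

    // Constructed sample types standing in for what an application puts in the session.
    static class Cart implements Serializable {
        private static final long serialVersionUID = 1L;
        List<String> items = new ArrayList<>(Arrays.asList("a", "b"));
    }

    static class PriceService { }   // does not implement Serializable

    static class UserBean implements Serializable {
        private static final long serialVersionUID = 1L;
        String name = "ken";
        PriceService service = new PriceService();   // makes the whole bean fail
    }

    public static void main(String[] args) {
        // In a web application, fill this map from HttpSession.getAttributeNames()
        // and getAttribute(name) instead of the constructed values below.
        Map<String, Object> session = new LinkedHashMap<>();
        session.put("cart", new Cart());
        session.put("user", new UserBean());
        session.put("svc", new PriceService());
        findUnserializable(session)
                .forEach((name, reason) -> System.out.println(name + " -> " + reason));
    }
}
```

Marking a field such as `service` as `transient` lets the bean serialize, but the field is then null after the session is restored and has to be re-initialised.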
