What you are serializing is not your application/form state, just the instructions/makeup of the page. See my last comment. This has lots of benefits with developing in a modular/reusable manner since you can drop a component in...]]> Fri, 20 May 2005 08:16:19 -0400 Fri, 20 May 2005 08:16:19 -0400 Fri, 20 May 2005 08:16:19 -0400 May 20, 2005 hookomjj 0 http://www.theserverside.com/discussions/thread.tss?thread_id=33991 What you are serializing is not your application/form state, just the instructions/makeup of the page. See my last comment. This has lots of benefits with developing in a modular/reusable manner since you can drop a component in a page...]]> Thu, 19 May 2005 19:12:12 -0400 Thu, 19 May 2005 19:12:12 -0400 Thu, 19 May 2005 19:12:12 -0400 May 19, 2005 Michael Jouravlev 1 http://www.theserverside.com/discussions/thread.tss?thread_id=33991
Your assertion is NOT correct. MAC algorithm does use a key for initialization. Here is a code sample from ByteArrayGuard class about how this is done:

byte[] rawKey =...]]> Thu, 19 May 2005 16:56:00 -0400 Thu, 19 May 2005 16:56:00 -0400 Thu, 19 May 2005 16:56:00 -0400 May 19, 2005 Inderjeet Singh 1 http://www.theserverside.com/discussions/thread.tss?thread_id=33991 blog]]> Thu, 19 May 2005 15:58:30 -0400 Thu, 19 May 2005 15:58:30 -0400 Thu, 19 May 2005 15:58:30 -0400 May 19, 2005 Dmitri Maximovich 0 http://www.theserverside.com/discussions/thread.tss?thread_id=33991 Eugene, Thanks for the detailed comments in your blog. I would like to clarify a few things since I dont think the security issues that you raise are valid: It is incorrect to say that knowing MAC and IVs compromises the security. In any...]]> Thu, 19 May 2005 15:23:30 -0400 Thu, 19 May 2005 15:23:30 -0400 Thu, 19 May 2005 15:23:30 -0400 May 19, 2005 Eugene Kuleshov 2 http://www.theserverside.com/discussions/thread.tss?thread_id=33991
Thanks for the detailed comments in your blog. I would like to clarify a few things since I dont think the security issues that you raise are valid:

It is incorrect to say that knowing MAC and IVs compromises the security. In any...]]> Thu, 19 May 2005 14:46:13 -0400 Thu, 19 May 2005 14:46:13 -0400 Thu, 19 May 2005 14:46:13 -0400 May 19, 2005 Inderjeet Singh 3 http://www.theserverside.com/discussions/thread.tss?thread_id=33991 In this tag, we already implement a secure solution. The Tag encrypts the state that is stored on the client. The key for encryption is NEVER stored on the client or sent on the wire. The encryption is done with strong cryto (3DES) and a...]]> Thu, 19 May 2005 10:54:02 -0400 Thu, 19 May 2005 10:54:02 -0400 Thu, 19 May 2005 10:54:02 -0400 May 19, 2005 Eugene Kuleshov 4 http://www.theserverside.com/discussions/thread.tss?thread_id=33991

That may sound 'moot', but the goal of the JSF framework is to consolidate controller/view behavior into pages. If you place an h:inputText value="#{login.name}" on 3 different pages, none of them are going to affect...]]> Thu, 19 May 2005 09:09:30 -0400 Thu, 19 May 2005 09:09:30 -0400 Thu, 19 May 2005 09:09:30 -0400 May 19, 2005 hookomjj 0 http://www.theserverside.com/discussions/thread.tss?thread_id=33991 and it sucked. I bet sun have probably patented this ...

-b

( although we didn't have these "taglib" whatdeycallitthingimejigs then )]]> Thu, 19 May 2005 04:20:03 -0400 Thu, 19 May 2005 04:20:03 -0400 Thu, 19 May 2005 04:20:03 -0400 May 19, 2005 sadfasdf asdadsf 0 http://www.theserverside.com/discussions/thread.tss?thread_id=33991 In this tag, we already implement a secure solution. The Tag encrypts the state that is stored on the client. The key for encryption is NEVER stored on the client or sent on the wire. The encryption is done with strong cryto (3DES) and a...]]> Thu, 19 May 2005 04:11:57 -0400 Thu, 19 May 2005 04:11:57 -0400 Thu, 19 May 2005 04:11:57 -0400 May 19, 2005 Martin Bromley 0 http://www.theserverside.com/discussions/thread.tss?thread_id=33991 That may sound 'moot', but the goal of the JSF framework is to consolidate controller/view behavior into pages. If you place an h:inputText value="#{login.name}" on 3 different pages, none of them are going to affect each...]]> Thu, 19 May 2005 04:11:07 -0400 Thu, 19 May 2005 04:11:07 -0400 Thu, 19 May 2005 04:11:07 -0400 May 19, 2005 Steve Zara 1 http://www.theserverside.com/discussions/thread.tss?thread_id=33991
I can not find a single topic to discuss anymore. You have given...]]> Thu, 19 May 2005 02:31:00 -0400 Thu, 19 May 2005 02:31:00 -0400 Thu, 19 May 2005 02:31:00 -0400 May 19, 2005 Rolf Tollerud 0 http://www.theserverside.com/discussions/thread.tss?thread_id=33991
http://www.javaworld.com/javaworld/jw-01-2001/jw-0126-servlets-p3.html]]> Wed, 18 May 2005 19:14:16 -0400 Wed, 18 May 2005 19:14:16 -0400 Wed, 18 May 2005 19:14:16 -0400 May 18, 2005 Malcolm Edgar 0 http://www.theserverside.com/discussions/thread.tss?thread_id=33991 Would there be any value in compressing it or would that add too much overhead?

Tapestry compresses the ObjectOutputStream and uses that, unless the uncompressed bytestream is smaller (which is often is).]]> Wed, 18 May 2005 18:51:51 -0400 Wed, 18 May 2005 18:51:51 -0400 Wed, 18 May 2005 18:51:51 -0400 May 18, 2005 Howard Lewis Ship 0