hc-dev mailing list archives

From "Kalnichevski, Oleg" <oleg.kalnichev...@bearingpoint.com>
Subject RE: HttpState not serializable
Date Thu, 12 Jun 2003 11:34:16 GMT
Ralph and the HttpClient folks out there

Initially I thought that the HttpState class should have been made serializable by default.
Later I realized that there was a catch, however. The HttpState class, besides cookies, also
contains credentials for target servers and proxy servers. From the security standpoint, it
would not be desirable to store such sensitive information in clear text or to give the user
a wrong impression that the security aspects of password persistence have been taken care
of. So, we basically end up with two options: 1) making HttpState serializable but marking
credentials sets as transient, or 2) leaving the choice of the persistence mechanism up to the
user (as it is today).

If we reach a consensus that the first option makes more sense, I will file a bug report and
target it for the 2.1 release.

Cheers

Oleg
 

-----Original Message-----
From: Ralph Goers [mailto:rg1915@dslextreme.com]
Sent: Thursday, June 12, 2003 01:01
To: commons-httpclient-dev@jakarta.apache.org
Subject: HttpState not serializable


I am trying to save the HttpState object in the session and am getting a message from WebLogic
Server saying the attribute is not serializable and will be lost upon redeployment. How can
I address this?

Ralph
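
Option 1 from the reply above, sketched as an added example (not code from HttpClient or from either poster): a serializable state object whose cookies persist while its credentials are marked `transient`, so they are absent from the serialized stream and must be supplied again after the session is restored. `PersistableState`, its methods and the sample values are hypothetical; the class does not use the HttpClient API.

```java
import java.io.*;
import java.util.*;

// Hypothetical stand-in for a session-persistable HTTP state; not HttpClient's HttpState.
public class PersistableState implements Serializable {
    private static final long serialVersionUID = 1L;

    // Persisted with the session.
    private final List<String> cookies = new ArrayList<>();
    // transient: skipped by default serialization, so passwords never reach the stream.
    private transient Map<String, String> credentials = new HashMap<>();

    public void addCookie(String cookie) { cookies.add(cookie); }
    public void setCredentials(String scope, String password) { credentials.put(scope, password); }
    public List<String> getCookies() { return cookies; }
    public boolean hasCredentials(String scope) { return credentials.containsKey(scope); }

    // Transient fields come back null after deserialization; restore an empty map
    // so the caller can re-supply credentials instead of hitting a NullPointerException.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        credentials = new HashMap<>();
    }

    public static void main(String[] args) throws Exception {
        PersistableState state = new PersistableState();
        state.addCookie("JSESSIONID=constructed-cookie");        // constructed sample value
        state.setCredentials("proxy", "constructed-secret");     // constructed sample value

        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(state);
        }

        // Inspect the raw stream: the cookie is stored, the password is not.
        String raw = new String(buf.toByteArray(), "ISO-8859-1");
        System.out.println("cookie in stream:   " + raw.contains("constructed-cookie"));
        System.out.println("password in stream: " + raw.contains("constructed-secret"));

        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            PersistableState restored = (PersistableState) in.readObject();
            System.out.println("cookies restored:     " + restored.getCookies());
            System.out.println("credentials restored: " + restored.hasCredentials("proxy"));
        }
    }
}
```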
