myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Leonardo Uribe (JIRA)" <...@myfaces.apache.org>
Subject [jira] Created: (MYFACES-2749) Encrypted View State does not include Message Authentication Code (MAC)
Date Thu, 10 Jun 2010 20:51:36 GMT
Encrypted View State does not include Message Authentication Code (MAC)
-----------------------------------------------------------------------

                 Key: MYFACES-2749
                 URL: https://issues.apache.org/jira/browse/MYFACES-2749
             Project: MyFaces Core
          Issue Type: Bug
    Affects Versions: 2.0.0, 1.2.8, 1.1.7
            Reporter: Leonardo Uribe
            Assignee: Leonardo Uribe


Both myfaces and mojarra only encrypt the state. What is missing is add a message authentication
code (MAC) to the encryption to prevent padding oracle attack. The objective is detect if
the received view state has been modified and do not process it, throwing ViewExpiredException.

The problem can be solved if users change to server side state saving, because on the view
state only a identifier is sent and no changes on the component tree could be done with this
configuration.

The proposed solution was add this new web-config params:

org.apache.myfaces.MAC_ALGORITHM : Indicate the algorithm used to calculate the Message Authentication
Code that is added to the view state.

org.apache.myfaces.MAC_SECRET : Define the initialization code that are used to initialize
the secret key used on the Message Authentication Code algorithm.

org.apache.myfaces.MAC_SECRET.CACHE : If is set to "false", the secret key used for MAC algorithm
is not cached. This is used when the returned SecretKey for mac algorithm is not thread safe.


It was unified security configuration in all branches to works the same. That means, it was
included in 1.1.x the property org.apache.myfaces.USE_ENCRYPTION.

Now, if an error occur when the state is encrypted/decrypted, a ViewExpiredException is thrown,
but the real exception is logged, to hide information that could be useful to non developers.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message