Return-Path: Delivered-To: apmail-myfaces-users-archive@www.apache.org Received: (qmail 98004 invoked from network); 12 Dec 2010 10:50:38 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 12 Dec 2010 10:50:38 -0000 Received: (qmail 97097 invoked by uid 500); 12 Dec 2010 10:50:37 -0000 Delivered-To: apmail-myfaces-users-archive@myfaces.apache.org Received: (qmail 96715 invoked by uid 500); 12 Dec 2010 10:50:35 -0000 Mailing-List: contact users-help@myfaces.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "MyFaces Discussion" Delivered-To: mailing list users@myfaces.apache.org Received: (qmail 96707 invoked by uid 99); 12 Dec 2010 10:50:35 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 12 Dec 2010 10:50:34 +0000 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests=FREEMAIL_FROM,SPF_HELO_PASS,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of gcjmu-myfaces-user@m.gmane.org designates 80.91.229.12 as permitted sender) Received: from [80.91.229.12] (HELO lo.gmane.org) (80.91.229.12) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 12 Dec 2010 10:50:25 +0000 Received: from list by lo.gmane.org with local (Exim 4.69) (envelope-from ) id 1PRjVE-0005v9-GN for users@myfaces.apache.org; Sun, 12 Dec 2010 11:50:04 +0100 Received: from cm206-4.liwest.at ([81.10.206.4]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 12 Dec 2010 11:50:04 +0100 Received: from werner.punz by cm206-4.liwest.at with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Sun, 12 Dec 2010 11:50:04 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: users@myfaces.apache.org From: Werner Punz Subject: Re: java.io.InvalidObjectException: enum constant attributes does not exist in class javax.faces.component.UIComponent$PropertyKeys Date: Sun, 12 Dec 2010 11:45:30 +0100 Lines: 101 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@dough.gmane.org X-Gmane-NNTP-Posting-Host: cm206-4.liwest.at User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7 In-Reply-To: X-Virus-Checked: Checked by ClamAV on apache.org Btw. generally server side state saving is way faster than client side, although the difference has been somewhat reduced thanks to delta state saving. The reason simply is you transmit way less data over the line with the server side state saving on. Werner Am 12.12.10 11:38, schrieb Werner Punz: > Hi Ken die purpose of the encryption is a security problem, if you do > not encrypt the viewstate on the client side then it is reverse > engineerable from a third party. > We had to introduce that to fix that hole. > For server side state saving the encryption is not really needed unless > you do not trust the third party you host the state with. > > > Werner > > > Am 11.12.10 00:31, schrieb ken keller: >> I disabled encryption (see below), redeployed,& everything >> works--seemingly >> it is much more responsive too. >> >> What's the purpose of the encryption? When I View Source, ViewState field >> looks like a long, hex string. Even if it can be reverse-engineered, the >> values are likely to be the same ones sent in the http request. These are >> vulnerable to MITM attack unless one uses https. Is JSF smart enough to >> exclude a password field's value from ViewState? >> >> >> org.apache.myfaces.USE_ENCRYPTION >> false >> >> >> >> javax.faces.STATE_SAVING_METHOD >> client >> >> >> On Fri, Dec 10, 2010 at 2:40 PM, Leonardo Uribe wrote: >> >>> Hi >>> >>> One last note, to make client side state saving work try configure >>> this two >>> params: >>> >>> >>> org.apache.myfaces.SECRET >>> >>> org.apache.myfaces.MAC_SECRET >>> >>> >>> It is probably that the ViewExpiredException is thrown because you >>> are not >>> configured the mac secret. >>> >>> See http://wiki.apache.org/myfaces/Secure_Your_Application for details. >>> >>> regards, >>> >>> Leonardo Uribe >>> >>> 2010/12/10 Leonardo Uribe >>> >>>> Hi >>>> >>>> Is there any way to see the app log? In theory, when a >>> ViewExpiredException >>>> is thrown, the reason is logged there, but there is not on the browser. >>>> >>>> >>>> I readed your previous emails related to this one and one possibility >>> that >>>> comes to my mind is we are storing something on session without >>>> implement >>>> Serializable interface. If that so, as soon as GAE serialize the >>>> session >>> to >>>> disk, that code causes an Exception and when MyFaces try to restore the >>>> state it just has dissapeared (servlet session is invalid, so a new one >>> is >>>> created and our value in javax.faces.ViewState request parameter is not >>>> found, so a ViewExpiredException is thrown). >>>> >>>> The solution if that is the case is check all lines that do something >>> with >>>> session map and check if it is possible to serialize to disk. >>>> >>>> regards, >>>> >>>> Leonardo >>>> >>> >> > > >