Implications of saving session on the client with javax.faces.STATE_SAVING_METHOD

99封情书 提交于 2020-01-10 20:10:35

问题


My first JSF page was throwing javax.faces.application.ViewExpiredException. while I searched I got this solution which solved my problem.

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

But I am concerned about the security implication.


回答1:


This doesn't save the "session" in client side at all.

This only saves the JSF view state in client side. This is in JSF 2.2 always AES-encrypted with a key which is generated on application startup. This however invalidates once you restart the application, hereby causing all existing view states to become invalid. You can specify a fixed key as below in web.xml so that all existing view states keep valid across server restarts:

<env-entry>
    <env-entry-name>jsf/ClientSideSecretKey</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>[AES key in Base64 format]</env-entry-value>
</env-entry>

You can use this page to generate a random AES key in Base64 format.

See also:

  • javax.faces.application.ViewExpiredException: View could not be restored
  • com.sun.faces.ClientStateSavingPassword - recommendations for actual password?
  • How do servlets work? Instantiation, sessions, shared variables and multithreading (read this to learn what "session" actually is)


来源:https://stackoverflow.com/questions/29420182/implications-of-saving-session-on-the-client-with-javax-faces-state-saving-metho

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!