Difference between revisions of "Talk:Java Server Faces"

From OWASP
Jump to: navigation, search
(New page: == EUxx discussion == I think the blog by EUxx missed some of the details of the implementation. Note that while the MAC and the IV are known, there is still a secret key known to the ser...)
 
(EUxx discussion)
Line 4: Line 4:
  
 
I think we should either take this section out, or expand on why its an issue.
 
I think we should either take this section out, or expand on why its an issue.
 +
[[User:Ebing|Ebing]] 14:30, 11 June 2007 (EDT)

Revision as of 13:30, 11 June 2007

EUxx discussion

I think the blog by EUxx missed some of the details of the implementation. Note that while the MAC and the IV are known, there is still a secret key known to the server used in the MAC that prevents the client from generating a new MAC. This is a fairly common pattern. You can see Inderjeet's response at: http://weblogs.java.net/blog/inder/archive/2005/05/securing_webapp.html

I think we should either take this section out, or expand on why its an issue. Ebing 14:30, 11 June 2007 (EDT)