
Encrypting Client State

When you choose to save state on the client, you are essentially saying that you want the state to be sent over the wire and saved on the client in a hidden field. Clearly, this opens the door to potential tampering with the state information. To prevent this from happening, you can specify that the state must be encrypted before it is transmitted to the client.
To specify that state must be encrypted using NetBeans IDE, do the following:
1. Expand the node of your project in the Projects pane.
2. Expand the Web Pages and WEB-INF nodes that are under the project node.
3. Double-click web.xml.
4. After the web.xml file appears in the editor pane, click References at the top of the editor pane.
5. Expand the Environment Entries node.
6. Click Add.
7. In the Add Environment Entry dialog:
   a. Enter com.sun.faces.ClientStateSavingPassword in the Entry Name field.
   b. Select java.lang.String from the Entry Type menu.
   c. Click OK.
To specify that state must be encrypted by editing the deployment descriptor directly, do the following:
1. Add an env-entry element to your deployment descriptor.
2. Add an env-entry-name element to the env-entry element and give it the name com.sun.faces.ClientStateSavingPassword.
3. Add an env-entry-value element to the env-entry element, and give it your password. The password that you provide is used to generate keys and ciphers for encryption.
4. Add an env-entry-type element and give it the type of your password, which must be java.lang.String.
If your deployment descriptor does not contain this environment entry, then no encryption of client-side state will occur.
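The following web.xml excerpt is an added example, not a file from the tutorial or from the JavaServer Faces reference implementation. It shows the four steps above as they appear in the deployment descriptor, together with the javax.faces.STATE_SAVING_METHOD context parameter from the preceding section, because the environment entry only matters once state is actually saved on the client. The env-entry-value is an assumed placeholder; the child elements are written in the order the web-app 2.5 schema requires (name, type, value), which differs from the order in which the steps introduce them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml; not the tutorial's own deployment descriptor. -->
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <!-- Save view state on the client: it travels to the browser in a
         hidden form field and is sent back with every postback. -->
    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>

    <!-- Environment entry that turns on encryption of that client-side state.
         Without this entry the state is sent in the clear and can be tampered with.
         The value below is an assumed placeholder, not a real secret. -->
    <env-entry>
        <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
        <env-entry-type>java.lang.String</env-entry-type>
        <env-entry-value>REPLACE-WITH-A-LONG-RANDOM-SECRET</env-entry-value>
    </env-entry>

</web-app>
```

Because the password is the only input to the key derivation, its strength bounds the strength of the encryption: use a long, randomly generated value rather than a word, and treat the descriptor that contains it as a secret (keep it out of shared source control, or supply the value per deployment). A quick check that the entry took effect is to view the page source of a rendered form: the hidden javax.faces.ViewState field should no longer contain a readable serialized component tree.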
Restricting Access to JavaServer Faces Components
In addition to identifying the FacesServlet instance and providing a mapping to it, you should also ensure that all applications use FacesServlet to process JavaServer Faces components. You do this by setting a security constraint.
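The excerpt below is an added example of such a security constraint, not the tutorial's own descriptor. It assumes the usual prefix mapping of FacesServlet to /faces/* and JSP pages in the web application root. The constraint denies every direct client request for a .jsp resource: an empty auth-constraint element means that no role is permitted, so the container rejects the request regardless of who is logged in. Requests that arrive through /faces/* are handled by FacesServlet, which forwards to the page internally; security constraints apply only to client requests, not to such internal forwards, so the page is still reachable through the JavaServer Faces life cycle but not by bypassing it.

```xml
<!-- Added example web.xml fragment; not the tutorial's own deployment descriptor.
     Place these elements inside the <web-app> element. -->

<!-- The FacesServlet instance and its prefix mapping (assumed /faces/*). -->
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>

<!-- Deny direct requests for JSP pages so that they can only be reached
     through the FacesServlet mapping above. The empty <auth-constraint/>
     allows no role at all, which makes the container refuse every direct
     request for a matching URL. -->
<security-constraint>
    <display-name>Restrict direct access to JSP pages</display-name>
    <web-resource-collection>
        <web-resource-name>JSP pages</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

To verify the constraint, request a page both ways: /faces/index.jsp should render normally, while /index.jsp should be refused by the container (typically with a 403 response). If a page is still served directly, check that its extension matches the url-pattern and that the constraint is not overridden by a later one with a broader role list.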
Basic Requirements of a JavaServer Faces Application
Chapter 14 · Configuring JavaServer Faces Applications