Package org.apache.myfaces.application.viewstate

Class StateUtils

  • public final class StateUtils
extends Object

    This Class exposes a handful of methods related to encryption, compression and serialization of the view state.

    • ISO-8859-1 is the character set used.
    • GZIP is used for all compression/decompression.
    • Base64 is used for all encoding and decoding.
    • AES is the default encryption algorithm
    • ECB is the default mode
    • PKCS5Padding is the default padding
    • HmacSHA256 is the default MAC algorithm
    • The default algorithm can be overridden using the org.apache.myfaces.ALGORITHM parameter
    • The default mode and padding can be overridden using the org.apache.myfaces.ALGORITHM.PARAMETERS parameter
    • This class has not been tested with modes other than ECB and CBC
    • An initialization vector can be specified via the org.apache.myfaces.ALGORITHM.IV parameter
    • The default MAC algorithm can be overridden using the org.apache.myfaces.MAC_ALGORITHM parameter

    The secret is interpreted as base 64 encoded. In other words, if your secret is "76543210", you would put "NzY1NDMyMTA=" in the deployment descriptor. This is needed so that key values are not limited to just values composed of printable characters.

    If you are using CBC mode encryption, you must specify an initialization vector.

    If you are using the AES algorithm and getting a SecurityException complaining about keysize, you most likely need to get the unlimited strength jurisdiction policy files from a place like http://java.sun.com/j2se/1.4.2/download.html .
    Since https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8170157 unlimited cryptographic policy is enabled by default.

    See org.apache.myfaces.webapp.StartupServletContextListener

    • Field Detail

      • USE_ENCRYPTION

        @JSFWebConfigParam(name="org.apache.myfaces.USE_ENCRYPTION",
                   since="1.1",
                   defaultValue="true",
                   expectedValues="true,false",
                   group="state")
public static final String USE_ENCRYPTION
        Indicate if the view state is encrypted or not. By default, encryption is enabled.
        See Also:
        Constant Field Values

      • INIT_SECRET

        @JSFWebConfigParam(name="org.apache.myfaces.SECRET",
                   since="1.1",
                   group="state")
public static final String INIT_SECRET
        Defines the secret (Base64 encoded) used to initialize the secret key for encryption algorithm. See MyFaces wiki/web site documentation for instructions on how to configure an application for different encryption strengths.
        See Also:
        Constant Field Values

      • INIT_ALGORITHM

        @JSFWebConfigParam(name="org.apache.myfaces.ALGORITHM",
                   since="1.1",
                   defaultValue="AES",
                   group="state",
                   tags="performance")
public static final String INIT_ALGORITHM
        Indicate the encryption algorithm used for encrypt the view state.
        See Also:
        Constant Field Values

      • INIT_SECRET_KEY_CACHE

        @JSFWebConfigParam(name="org.apache.myfaces.SECRET.CACHE",
                   since="1.1",
                   group="state")
public static final String INIT_SECRET_KEY_CACHE
        If is set to "false", the secret key used for encryption algorithm is not cached. This is used when the returned SecretKey for encryption algorithm is not thread safe.
        See Also:
        Constant Field Values

      • INIT_ALGORITHM_IV

        @JSFWebConfigParam(name="org.apache.myfaces.ALGORITHM.IV",
                   since="1.1",
                   group="state")
public static final String INIT_ALGORITHM_IV
        Defines the initialization vector (Base64 encoded) used for the encryption algorithm
        See Also:
        Constant Field Values

      • INIT_ALGORITHM_PARAM

        @JSFWebConfigParam(name="org.apache.myfaces.ALGORITHM.PARAMETERS",
                   since="1.1",
                   defaultValue="ECB/PKCS5Padding",
                   group="state")
public static final String INIT_ALGORITHM_PARAM
        Defines the default mode and padding used for the encryption algorithm
        See Also:
        Constant Field Values

      • SERIAL_FACTORY

        @JSFWebConfigParam(name="org.apache.myfaces.SERIAL_FACTORY",
                   since="1.1",
                   group="state",
                   tags="performance")
public static final String SERIAL_FACTORY
        Defines the factory class name using for serialize/deserialize the view state returned by state manager into a byte array. The expected class must implement SerialFactory interface.
        See Also:
        Constant Field Values

      • COMPRESS_STATE_IN_CLIENT

        @JSFWebConfigParam(name="org.apache.myfaces.COMPRESS_STATE_IN_CLIENT",
                   since="1.1",
                   defaultValue="false",
                   expectedValues="true,false",
                   group="state",
                   tags="performance")
public static final String COMPRESS_STATE_IN_CLIENT
        Indicate if the view state should be compressed before encrypted(optional) and encoded
        See Also:
        Constant Field Values

      • INIT_MAC_ALGORITHM

        @JSFWebConfigParam(name="org.apache.myfaces.MAC_ALGORITHM",
                   defaultValue="HmacSHA256",
                   group="state",
                   tags="performance")
public static final String INIT_MAC_ALGORITHM
        Indicate the algorithm used to calculate the Message Authentication Code that is added to the view state.
        See Also:
        Constant Field Values

      • INIT_MAC_SECRET

        @JSFWebConfigParam(name="org.apache.myfaces.MAC_SECRET",
                   group="state")
public static final String INIT_MAC_SECRET
        Define the initialization code that are used to initialize the secret key used on the Message Authentication Code algorithm
        See Also:
        Constant Field Values

      • INIT_MAC_SECRET_KEY_CACHE

        @JSFWebConfigParam(name="org.apache.myfaces.MAC_SECRET.CACHE",
                   group="state")
public static final String INIT_MAC_SECRET_KEY_CACHE
        If is set to "false", the secret key used for MAC algorithm is not cached. This is used when the returned SecretKey for mac algorithm is not thread safe.
        See Also:
        Constant Field Values

    • Method Detail

      • enableCompression

        public static boolean enableCompression​(ExternalContext externalContext)

      • isSecure

        public static boolean isSecure​(ExternalContext externalContext)

      • construct

        public static final String construct​(Object object,
                                     ExternalContext ctx)
        This fires during the Render Response phase, saving state.

      • getAsByteArray

        public static final byte[] getAsByteArray​(Object object,
                                          ExternalContext ctx)
        Performs serialization with the serialization provider created by the SerialFactory.
        Parameters:
        object -
        ctx -
        Returns:

      • encrypt

        public static byte[] encrypt​(byte[] insecure,
                             ExternalContext externalContext)

      • compress

        public static final byte[] compress​(byte[] bytes)

      • encode

        public static final byte[] encode​(byte[] bytes)

      • reconstruct

        public static final Object reconstruct​(String string,
                                       ExternalContext ctx)
        This fires during the Restore View phase, restoring state.

      • decode

        public static final byte[] decode​(byte[] bytes)

      • decompress

        public static final byte[] decompress​(byte[] bytes)

      • decrypt

        public static byte[] decrypt​(byte[] secure,
                             ExternalContext externalContext)

      • getAsObject

        public static final Object getAsObject​(byte[] bytes,
                                       ExternalContext ctx)
        Performs deserialization with the serialization provider created from the SerialFactory.
        Parameters:
        bytes -
        ctx -
        Returns:

      • initSecret

        public static void initSecret​(jakarta.servlet.ServletContext servletContext)
        Does nothing if the user has disabled the SecretKey cache. This is useful when dealing with a JCA provider whose SecretKey implementation is not thread safe. Instantiates a SecretKey instance based upon what the user has specified in the deployment descriptor. The SecretKey is then stored in application scope where it can be used for all requests.