Class StateUtils
- java.lang.Object
-
- org.apache.myfaces.application.viewstate.StateUtils
-
public final class StateUtils extends Object
This Class exposes a handful of methods related to encryption, compression and serialization of the view state.
- ISO-8859-1 is the character set used.
- GZIP is used for all compression/decompression.
- Base64 is used for all encoding and decoding.
- AES is the default encryption algorithm
- ECB is the default mode
- PKCS5Padding is the default padding
- HmacSHA256 is the default MAC algorithm
- The default algorithm can be overridden using the org.apache.myfaces.ALGORITHM parameter
- The default mode and padding can be overridden using the org.apache.myfaces.ALGORITHM.PARAMETERS parameter
- This class has not been tested with modes other than ECB and CBC
- An initialization vector can be specified via the org.apache.myfaces.ALGORITHM.IV parameter
- The default MAC algorithm can be overridden using the org.apache.myfaces.MAC_ALGORITHM parameter
The secret is interpreted as base 64 encoded. In other words, if your secret is "76543210", you would put "NzY1NDMyMTA=" in the deployment descriptor. This is needed so that key values are not limited to just values composed of printable characters.
If you are using CBC mode encryption, you must specify an initialization vector.
If you are using the AES algorithm and getting a SecurityException complaining about keysize, you most likely need to get the unlimited strength jurisdiction policy files from a place like http://java.sun.com/j2se/1.4.2/download.html . Since https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8170157 unlimited cryptographic policy is enabled by default.
See org.apache.myfaces.webapp.StartupServletContextListener
-
-
Field Summary
Fields Modifier and Type Field Description static String
COMPRESS_STATE_IN_CLIENT
Indicate if the view state should be compressed before encrypted(optional) and encodedstatic String
DEFAULT_ALGORITHM
static String
DEFAULT_ALGORITHM_PARAMS
static String
DEFAULT_MAC_ALGORITHM
static String
INIT_ALGORITHM
Indicate the encryption algorithm used for encrypt the view state.static String
INIT_ALGORITHM_IV
Defines the initialization vector (Base64 encoded) used for the encryption algorithmstatic String
INIT_ALGORITHM_PARAM
Defines the default mode and padding used for the encryption algorithmstatic String
INIT_MAC_ALGORITHM
Indicate the algorithm used to calculate the Message Authentication Code that is added to the view state.static String
INIT_MAC_SECRET
Define the initialization code that are used to initialize the secret key used on the Message Authentication Code algorithmstatic String
INIT_MAC_SECRET_KEY_CACHE
If is set to "false", the secret key used for MAC algorithm is not cached.static String
INIT_PREFIX
static String
INIT_SECRET
Defines the secret (Base64 encoded) used to initialize the secret key for encryption algorithm.static String
INIT_SECRET_KEY_CACHE
If is set to "false", the secret key used for encryption algorithm is not cached.static String
SERIAL_FACTORY
Defines the factory class name using for serialize/deserialize the view state returned by state manager into a byte array.static String
USE_ENCRYPTION
Indicate if the view state is encrypted or not.static String
ZIP_CHARSET
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static byte[]
compress(byte[] bytes)
static String
construct(Object object, ExternalContext ctx)
This fires during the Render Response phase, saving state.static Cipher
createCipher(ExternalContext externalContext, int mode)
static Mac
createMac(ExternalContext externalContext)
static byte[]
decode(byte[] bytes)
static byte[]
decompress(byte[] bytes)
static byte[]
decrypt(byte[] secure, ExternalContext externalContext)
static boolean
enableCompression(ExternalContext externalContext)
static byte[]
encode(byte[] bytes)
static byte[]
encrypt(byte[] insecure, ExternalContext externalContext)
static byte[]
getAsByteArray(Object object, ExternalContext ctx)
Performs serialization with the serialization provider created by the SerialFactory.static Object
getAsObject(byte[] bytes, ExternalContext ctx)
Performs deserialization with the serialization provider created from the SerialFactory.static void
initSecret(jakarta.servlet.ServletContext servletContext)
Does nothing if the user has disabled the SecretKey cache.static boolean
isSecure(ExternalContext externalContext)
static void
main(String[] args)
Utility method for generating base 64 encoded strings.static Object
reconstruct(String string, ExternalContext ctx)
This fires during the Restore View phase, restoring state.
-
-
-
Field Detail
-
ZIP_CHARSET
public static final String ZIP_CHARSET
- See Also:
- Constant Field Values
-
DEFAULT_ALGORITHM
public static final String DEFAULT_ALGORITHM
- See Also:
- Constant Field Values
-
DEFAULT_ALGORITHM_PARAMS
public static final String DEFAULT_ALGORITHM_PARAMS
- See Also:
- Constant Field Values
-
INIT_PREFIX
public static final String INIT_PREFIX
- See Also:
- Constant Field Values
-
USE_ENCRYPTION
@JSFWebConfigParam(name="org.apache.myfaces.USE_ENCRYPTION", since="1.1", defaultValue="true", expectedValues="true,false", group="state") public static final String USE_ENCRYPTION
Indicate if the view state is encrypted or not. By default, encryption is enabled.- See Also:
- Constant Field Values
-
INIT_SECRET
@JSFWebConfigParam(name="org.apache.myfaces.SECRET", since="1.1", group="state") public static final String INIT_SECRET
Defines the secret (Base64 encoded) used to initialize the secret key for encryption algorithm. See MyFaces wiki/web site documentation for instructions on how to configure an application for different encryption strengths.- See Also:
- Constant Field Values
-
INIT_ALGORITHM
@JSFWebConfigParam(name="org.apache.myfaces.ALGORITHM", since="1.1", defaultValue="AES", group="state", tags="performance") public static final String INIT_ALGORITHM
Indicate the encryption algorithm used for encrypt the view state.- See Also:
- Constant Field Values
-
INIT_SECRET_KEY_CACHE
@JSFWebConfigParam(name="org.apache.myfaces.SECRET.CACHE", since="1.1", group="state") public static final String INIT_SECRET_KEY_CACHE
If is set to "false", the secret key used for encryption algorithm is not cached. This is used when the returned SecretKey for encryption algorithm is not thread safe.- See Also:
- Constant Field Values
-
INIT_ALGORITHM_IV
@JSFWebConfigParam(name="org.apache.myfaces.ALGORITHM.IV", since="1.1", group="state") public static final String INIT_ALGORITHM_IV
Defines the initialization vector (Base64 encoded) used for the encryption algorithm- See Also:
- Constant Field Values
-
INIT_ALGORITHM_PARAM
@JSFWebConfigParam(name="org.apache.myfaces.ALGORITHM.PARAMETERS", since="1.1", defaultValue="ECB/PKCS5Padding", group="state") public static final String INIT_ALGORITHM_PARAM
Defines the default mode and padding used for the encryption algorithm- See Also:
- Constant Field Values
-
SERIAL_FACTORY
@JSFWebConfigParam(name="org.apache.myfaces.SERIAL_FACTORY", since="1.1", group="state", tags="performance") public static final String SERIAL_FACTORY
Defines the factory class name using for serialize/deserialize the view state returned by state manager into a byte array. The expected class must implementSerialFactory
interface.- See Also:
- Constant Field Values
-
COMPRESS_STATE_IN_CLIENT
@JSFWebConfigParam(name="org.apache.myfaces.COMPRESS_STATE_IN_CLIENT", since="1.1", defaultValue="false", expectedValues="true,false", group="state", tags="performance") public static final String COMPRESS_STATE_IN_CLIENT
Indicate if the view state should be compressed before encrypted(optional) and encoded- See Also:
- Constant Field Values
-
DEFAULT_MAC_ALGORITHM
public static final String DEFAULT_MAC_ALGORITHM
- See Also:
- Constant Field Values
-
INIT_MAC_ALGORITHM
@JSFWebConfigParam(name="org.apache.myfaces.MAC_ALGORITHM", defaultValue="HmacSHA256", group="state", tags="performance") public static final String INIT_MAC_ALGORITHM
Indicate the algorithm used to calculate the Message Authentication Code that is added to the view state.- See Also:
- Constant Field Values
-
INIT_MAC_SECRET
@JSFWebConfigParam(name="org.apache.myfaces.MAC_SECRET", group="state") public static final String INIT_MAC_SECRET
Define the initialization code that are used to initialize the secret key used on the Message Authentication Code algorithm- See Also:
- Constant Field Values
-
INIT_MAC_SECRET_KEY_CACHE
@JSFWebConfigParam(name="org.apache.myfaces.MAC_SECRET.CACHE", group="state") public static final String INIT_MAC_SECRET_KEY_CACHE
If is set to "false", the secret key used for MAC algorithm is not cached. This is used when the returned SecretKey for mac algorithm is not thread safe.- See Also:
- Constant Field Values
-
-
Method Detail
-
createCipher
public static Cipher createCipher(ExternalContext externalContext, int mode) throws Exception
- Throws:
Exception
-
createMac
public static Mac createMac(ExternalContext externalContext) throws Exception
- Throws:
Exception
-
enableCompression
public static boolean enableCompression(ExternalContext externalContext)
-
isSecure
public static boolean isSecure(ExternalContext externalContext)
-
construct
public static final String construct(Object object, ExternalContext ctx)
This fires during the Render Response phase, saving state.
-
getAsByteArray
public static final byte[] getAsByteArray(Object object, ExternalContext ctx)
Performs serialization with the serialization provider created by the SerialFactory.- Parameters:
object
-ctx
-- Returns:
-
encrypt
public static byte[] encrypt(byte[] insecure, ExternalContext externalContext)
-
compress
public static final byte[] compress(byte[] bytes)
-
encode
public static final byte[] encode(byte[] bytes)
-
reconstruct
public static final Object reconstruct(String string, ExternalContext ctx)
This fires during the Restore View phase, restoring state.
-
decode
public static final byte[] decode(byte[] bytes)
-
decompress
public static final byte[] decompress(byte[] bytes)
-
decrypt
public static byte[] decrypt(byte[] secure, ExternalContext externalContext)
-
getAsObject
public static final Object getAsObject(byte[] bytes, ExternalContext ctx)
Performs deserialization with the serialization provider created from the SerialFactory.- Parameters:
bytes
-ctx
-- Returns:
-
main
public static void main(String[] args) throws UnsupportedEncodingException
Utility method for generating base 64 encoded strings.- Parameters:
args
-- Throws:
UnsupportedEncodingException
-
initSecret
public static void initSecret(jakarta.servlet.ServletContext servletContext)
Does nothing if the user has disabled the SecretKey cache. This is useful when dealing with a JCA provider whose SecretKey implementation is not thread safe. Instantiates a SecretKey instance based upon what the user has specified in the deployment descriptor. The SecretKey is then stored in application scope where it can be used for all requests.
-
-