dev@javaserverfaces.java.net

Re: Seeking Review: JSFRI-211

From: <jacob_at_hookom.net>
Date: Fri, 23 Dec 2005 20:48:01 +0100

Looks good. I would just make sure that the ByteArrayGuard is only
generating the encryption key once for all threads; in my tests for
work, generating those keys and creating the factories is expensive
enough to avoid repeating after initialization.

-- jhook

Ed Burns <ed.burns_at_sun.com> wrote on 12/23/2005, 08:11:55 PM:
> https://javaserverfaces.dev.java.net/issues/show_bug.cgi?id=211
>
> Issue: 211
>
> Add init parameter for client side state password.
>
> SECTION: Impl Changes
>
> M jsf-ri/src/com/sun/faces/RIConstants.java
>
> - new constant
>
> M jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java
>
> - leverage new constant
>
> M jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml
>
> - make this test run with client side state saving and the password
> set as a way to exercise this new feature.
>
> SECTION: Impl Diffs
>
> Index: jsf-ri/src/com/sun/faces/RIConstants.java
> ===================================================================
> RCS file: /cvs/javaserverfaces-sources/jsf-ri/src/com/sun/faces/RIConstants.java,v
> retrieving revision 1.77
> diff -u -r1.77 RIConstants.java
> --- jsf-ri/src/com/sun/faces/RIConstants.java 26 Aug 2005 15:26:56 -0000 1.77
> +++ jsf-ri/src/com/sun/faces/RIConstants.java 23 Dec 2005 18:47:40 -0000
> @@ -157,5 +157,7 @@
>
> }
>
> + public static final String CLIENT_STATE_PASSWORD = FACES_PREFIX + "ClientStatePassword";
> +
>
> }
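
Review bot: The new CLIENT_STATE_PASSWORD constant has no Javadoc. Say that it names a context init parameter whose value becomes the client-side state password, and that ByteArrayGuard prefers it over the randomly generated one, so deployers understand that the value they put in web.xml is a secret. The extra "+" blank line after the constant also leaves two blank lines before the closing brace; drop one.
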
> Index: jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java
> ===================================================================
> RCS file: /cvs/javaserverfaces-sources/jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java,v
> retrieving revision 1.8
> diff -u -r1.8 ByteArrayGuard.java
> --- jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java 26 Aug 2005 15:27:09 -0000 1.8
> +++ jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java 23 Dec 2005 18:47:40 -0000
> @@ -29,6 +29,7 @@
>
> package com.sun.faces.renderkit;
>
> +import com.sun.faces.RIConstants;
> import java.io.IOException;
> import java.security.Key;
> import java.security.MessageDigest;
> @@ -93,6 +94,11 @@
> this.ivLength = ivLength;
>
> // generate random password in memory
> + FacesContext context = FacesContext.getCurrentInstance();
> + assert(null != context); // This ctor should happen lazily on the first
> + // run through the lifecycle. Therefore, we must have a FacesContext
> + passwordFromConfig = context.getExternalContext().
> + getInitParameter(RIConstants.CLIENT_STATE_PASSWORD);
> this.password = getRandomString(DEFAULT_PASSWORD_LENGTH);
> }
>
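
Review bot: `assert(null != context)` in the constructor does nothing unless the JVM runs with assertions enabled, so if this constructor ever runs outside a request, the next statement fails with a bare NullPointerException on `context.getExternalContext()`. Replace it with an explicit null check that throws with a clear message, or that falls back to the random password. In the same hunk, `getRandomString(DEFAULT_PASSWORD_LENGTH)` still runs when the init parameter is present, even though getPasswordToSecureState then returns early without using it; generate the random password only when `passwordFromConfig` is null, and keep the "generate random password in memory" comment next to that line rather than above the config lookup.
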
> @@ -211,6 +217,9 @@
> *
> */
> private String getPasswordToSecureState(FacesContext context) {
> + if (null != passwordFromConfig) {
> + return passwordFromConfig;
> + }
> // default is to use application scoped password
> String statePwd = this.password;
>
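
Review bot: The `null != passwordFromConfig` test in getPasswordToSecureState also lets an empty or whitespace-only value through, so an init parameter that is declared but left blank silently replaces the random password with an empty one. Treat a blank value as not configured, or reject it at startup, preferably by normalising it once in the constructor so this method stays a plain null check. The Javadoc above the method should also state that the configured password takes precedence over the application scoped one.
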
> @@ -379,5 +388,6 @@
> private final int macLength;
> private final int ivLength;
> private final String password;
> + private final String passwordFromConfig;
> private static SecureRandom prng = null;
> }
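
Review bot: `passwordFromConfig` needs a short comment stating that null means the init parameter was not set, because getPasswordToSecureState branches on exactly that. Placing it directly under `password` is fine, but the two fields should document which one wins when both are populated.
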
> Index: jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml
> ===================================================================
> RCS file: /cvs/javaserverfaces-sources/jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml,v
> retrieving revision 1.3
> diff -u -r1.3 web.xml
> --- jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml 22 Aug 2005 22:10:48 -0000 1.3
> +++ jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml 23 Dec 2005 18:47:41 -0000
> @@ -49,6 +49,10 @@
> javax.faces.STATE_SAVING_METHOD
> client
>
> +
> + com.sun.faces.ClientStatePassword
> + command-link-back-button
> +
>
>
>
>
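
Review bot: The password value added to this web.xml, `command-link-back-button`, is the same string as the webapp directory name. That is acceptable for a systest, but it is the kind of guessable value that gets copied into real deployments, so add an XML comment marking it as test-only. Nothing else in the patch checks that the configured password is the one actually in use, so this test would pass just as well if the parameter were ignored; an assertion to that effect would make it exercise the feature.
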
> --
> | ed.burns_at_sun.com | {home: 407 869 9587, office: 408 884 9519 OR x31640}
> | homepage: | http://purl.oclc.org/NET/edburns/
> | aim: edburns0sunw | iim: ed.burns_at_sun.com