On Sat, Oct 13, 2012 at 4:22 AM, Bob Harner <bobhar...@gmail.com> wrote:
> Use any long, random, private string of characters, just like you'd
> use for a secure password or pass phrase.
>
> From Wikipedia: "The cryptographic strength of the HMAC depends upon
> the size of the secret key that is used. The most common attack
> against HMACs is brute force to uncover the secret key."
>
> If your app is not clustered (or is clustered, but uses sticky
> sessions), you can just generate a random string:
>
> // Set a random HMAC key for form signing (not cluster safe)
> configuration.add(SymbolConstants.HMAC_PASSPHRASE,
>         new BigInteger(130, new SecureRandom()).toString(32));
>
I would not advise this approach. If a page renders a form, it is using the
HMAC passphrase. If the server restarts before the form is submitted, you
will see a server-side error about the HMAC being invalid when the form is
submitted. The passphrase should be more stable; I would not change it very
often, if at all, once created.

> Disclaimer: the assessment of the security implications of this is up
> to you. I claim no particular expertise here.
>
> On Fri, Oct 12, 2012 at 11:15 PM, angelochen <angelochen...@yahoo.com.hk>
> wrote:
>> Hi,
>>
>> got this error when upgrading to 5.3.6, any sample to set this?
>>
>> ClientDataEncoder The symbol 'tapestry.hmac-passphrase' has not been
>> configured.
>>
>> Thanks,
>>
>> --
>> View this message in context:
>> http://tapestry.1045711.n5.nabble.com/hmac-sample-tp5716873.html
>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>

--
Howard M. Lewis Ship
Creator of Apache Tapestry
The source for Tapestry training, mentoring and support. Contact me to learn
how I can get you up and productive in Tapestry fast!
(971) 678-5210
http://howardlewisship.com
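The thread above settles two things: the passphrase has to be long and random, and it has to survive restarts and be shared by every node that can render or receive a form. The following is an added example, not code from either poster or from the Tapestry project, showing how to contribute a stable value: it is generated once at provisioning time, stored outside the application, and read at startup, with a fail-fast check so a missing or short key cannot silently ship. The environment-variable name, the fallback file path, the minimum length and the package name are all assumptions for this example; `SymbolConstants.HMAC_PASSPHRASE` and the `contributeApplicationDefaults` contribution are the real Tapestry hooks.

```java
package com.example.services; // hypothetical package for the example

import java.io.IOException;
import java.io.UncheckedIOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;

import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.MappedConfiguration;

public class AppModule {

    // Assumed names: where operations put the one-time-generated passphrase.
    // The same value must be deployed to every node of a cluster.
    private static final String ENV_VAR = "TAPESTRY_HMAC_PASSPHRASE";
    private static final Path FALLBACK_FILE = Paths.get("/etc/myapp/hmac-passphrase");

    // 32 base-32 characters is roughly 160 bits; assumed minimum for this example.
    private static final int MIN_LENGTH = 32;

    // Tapestry calls this contribution method by naming convention and the
    // value lands in the 'tapestry.hmac-passphrase' symbol that
    // ClientDataEncoder complained about in the original question.
    public static void contributeApplicationDefaults(MappedConfiguration<String, Object> configuration) {
        configuration.add(SymbolConstants.HMAC_PASSPHRASE, loadPassphrase());
    }

    // Prefer the environment variable, fall back to a root-owned file,
    // and refuse to start with nothing or with an obviously weak value.
    static String loadPassphrase() {
        String value = System.getenv(ENV_VAR);

        if ((value == null || value.trim().isEmpty()) && Files.isReadable(FALLBACK_FILE)) {
            try {
                value = new String(Files.readAllBytes(FALLBACK_FILE), StandardCharsets.UTF_8);
            } catch (IOException e) {
                throw new UncheckedIOException("Cannot read HMAC passphrase from " + FALLBACK_FILE, e);
            }
        }

        if (value == null || value.trim().length() < MIN_LENGTH) {
            // Failing here is deliberate: a per-start random fallback would
            // reintroduce the restart/cluster problem discussed above.
            throw new IllegalStateException("HMAC passphrase missing or shorter than "
                    + MIN_LENGTH + " characters; set " + ENV_VAR + " or " + FALLBACK_FILE);
        }

        return value.trim();
    }

    // Run once when provisioning; store the printed value, never regenerate
    // it on application start. 256 bits of SecureRandom output, base-32 text.
    public static String generatePassphrase() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return new BigInteger(1, raw).toString(32);
    }

    public static void main(String[] args) {
        System.out.println(generatePassphrase());
    }
}
```

The `main` is a convenience for the operator: `java com.example.services.AppModule` prints a fresh value to paste into the environment or the file; the application itself only ever reads. Rotating the value is a deliberate operational step, and, as noted above, it will invalidate any form rendered before the rotation.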