Hi Howard,

If your application requires session state to function, it would error out regardless. Perhaps the random approach is better for session-heavy applications and the fixed/stable approach is better for session-free applications?
Thanks,
mrg

On Sun, Oct 14, 2012 at 1:39 PM, Howard Lewis Ship <hls...@gmail.com> wrote:
> On Sat, Oct 13, 2012 at 4:22 AM, Bob Harner <bobhar...@gmail.com> wrote:
>> Use any long, random, private string of characters, just like you'd
>> use for a secure password or pass phrase.
>>
>> From Wikipedia: "The cryptographic strength of the HMAC depends upon
>> the size of the secret key that is used. The most common attack
>> against HMACs is brute force to uncover the secret key."
>>
>> If your app is not clustered (or is clustered, but uses sticky
>> sessions), you can just generate a random string:
>>
>> // Set a random HMAC key for form signing (not cluster safe)
>> configuration.add(SymbolConstants.HMAC_PASSPHRASE,
>>     new BigInteger(130, new SecureRandom()).toString(32));
>>
>
> I would not advise this approach.
>
> If a page renders a form, it is using the hmac passphrase.
>
> If the server restarts before the form is submitted, you will see a
> server-side error about the HMAC being invalid when the form is
> submitted.
>
> The passphrase should be more stable; I would not change it very
> often, if at all, once created.
>
>> Disclaimer: the assessment of the security implications of this is up
>> to you. I claim no particular expertise here.
>>
>> On Fri, Oct 12, 2012 at 11:15 PM, angelochen <angelochen...@yahoo.com.hk> wrote:
>>> Hi,
>>>
>>> got this error when upgrading to 5.3.6, any sample to set this?
>>>
>>> ClientDataEncoder The symbol 'tapestry.hmac-passphrase' has not been
>>> configured.
>>>
>>> Thanks,
>>>
>>> --
>>> View this message in context:
>>> http://tapestry.1045711.n5.nabble.com/hmac-sample-tp5716873.html
>>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>
>>
>
> --
> Howard M. Lewis Ship
>
> Creator of Apache Tapestry
>
> The source for Tapestry training, mentoring and support. Contact me to
> learn how I can get you up and productive in Tapestry fast!
>
> (971) 678-5210
> http://howardlewisship.com
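As an added example, not code from this thread or from the Tapestry project, the following AppModule contribution follows the stable-passphrase advice above: the secret is generated once, stored outside the application, and read at start-up, so a restart between rendering and submitting a form does not invalidate the HMAC, and every node of a cluster verifies the same signature whether or not sessions are sticky. The environment variable name TAPESTRY_HMAC_PASSPHRASE, the package name, the 160-bit key size and the minimum-length check are assumptions chosen for illustration; SymbolConstants.HMAC_PASSPHRASE and contributeApplicationDefaults are the real Tapestry 5.3.6 API quoted in the thread.

```java
package com.example.app.services;   // hypothetical package for this example

import java.math.BigInteger;
import java.security.SecureRandom;

import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.MappedConfiguration;

/**
 * Contributes tapestry.hmac-passphrase from an external secret instead of
 * generating it on every start-up. Because the value is the same across
 * restarts and across cluster nodes, client data signed before a restart
 * (or by another node) still validates.
 */
public class AppModule
{
    // Assumed variable name; a secrets file or vault lookup works the same way.
    static final String ENV_VAR = "TAPESTRY_HMAC_PASSPHRASE";

    // Base-32 digits carry 5 bits each, so 24 characters is at least 120 bits of
    // key material; HMAC strength is bounded by the entropy of the key.
    static final int MIN_LENGTH = 24;

    public static void contributeApplicationDefaults(MappedConfiguration<String, Object> configuration)
    {
        configuration.add(SymbolConstants.HMAC_PASSPHRASE, requirePassphrase(System.getenv(ENV_VAR)));
    }

    /**
     * Fails fast when the secret is missing or too short, rather than silently
     * falling back to a per-process random value that would break submitted
     * forms after a restart.
     */
    static String requirePassphrase(String value)
    {
        if (value == null || value.trim().length() < MIN_LENGTH)
        {
            throw new IllegalStateException(
                "Set " + ENV_VAR + " to a stable random string of at least " + MIN_LENGTH
                + " characters (run AppModule.main once to generate one). Do not generate it "
                + "at start-up: forms rendered before a restart would fail HMAC validation.");
        }
        return value.trim();
    }

    /**
     * Generates one passphrase: 160 random bits rendered in base 32 (32 digits).
     * Run once, store the output in the deployment's secret store, then leave it alone.
     */
    static String generatePassphrase()
    {
        return new BigInteger(160, new SecureRandom()).toString(32);
    }

    public static void main(String[] args)
    {
        System.out.println(ENV_VAR + "=" + generatePassphrase());
    }
}
```

Run `java com.example.app.services.AppModule` once, put the printed value in the environment of every node, and the HMAC check behaves the same on all of them. Tapestry also consults JVM system properties when resolving symbols, so `-Dtapestry.hmac-passphrase=...` on the command line is an alternative that needs no module code; either way the point is that the value is chosen once and kept, not recomputed on each start-up.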