On Mon, Oct 15, 2012 at 8:11 AM, Michael Gentry <mgen...@masslight.net> wrote:
> Hi Howard,
>
> If your application requires session state to function, it would error
> out regardless. Perhaps the random approach is better for
> session-heavy applications and the fixed/stable approach is better for
> session-free applications?

Especially in 5.4, it will be much more likely that all necessary state will be encoded into the form, as the f:formdata hidden field. A restart of the server (when the passphrase is randomly generated) will invalidate that hidden data, causing an ugly runtime exception, even if it is not dependent on server-side state.

As a side note: in 5.4, a validation error on a form causes the page to be re-rendered immediately, as part of the same POST request. In 5.3 and earlier, a validation error on a form would cause a redirect back to the page. Because of this, the ValidationTracker object (which captures field inputs and errors) does not have to be stored in the session (to survive until the redirect), and that's the primary way that a session gets created.

> Thanks,
>
> mrg
>
> On Sun, Oct 14, 2012 at 1:39 PM, Howard Lewis Ship <hls...@gmail.com> wrote:
>> On Sat, Oct 13, 2012 at 4:22 AM, Bob Harner <bobhar...@gmail.com> wrote:
>>> Use any long, random, private string of characters, just like you'd
>>> use for a secure password or pass phrase.
>>>
>>> From Wikipedia: "The cryptographic strength of the HMAC depends upon
>>> the size of the secret key that is used. The most common attack
>>> against HMACs is brute force to uncover the secret key."
>>>
>>> If your app is not clustered (or is clustered, but uses sticky
>>> sessions), you can just generate a random string:
>>>
>>>     // Set a random HMAC key for form signing (not cluster safe)
>>>     configuration.add(SymbolConstants.HMAC_PASSPHRASE,
>>>             new BigInteger(130, new SecureRandom()).toString(32));
>>>
>>
>> I would not advise this approach.
>>
>> If a page renders a form, it is using the hmac passphrase.
>>
>> If the server restarts before the form is submitted, you will see a
>> server-side error about the HMAC being invalid when the form is
>> submitted.
>>
>> The passphrase should be more stable; I would not change it very
>> often, if at all, once created.
>>
>>> Disclaimer: the assessment of the security implications of this is up
>>> to you. I claim no particular expertise here.
>>>
>>> On Fri, Oct 12, 2012 at 11:15 PM, angelochen <angelochen...@yahoo.com.hk> wrote:
>>>> Hi,
>>>>
>>>> got this error when upgrading to 5.3.6, any sample to set this?
>>>>
>>>> ClientDataEncoder The symbol 'tapestry.hmac-passphrase' has not been
>>>> configured.
>>>>
>>>> Thanks,
>>>>
>>>> --
>>>> View this message in context:
>>>> http://tapestry.1045711.n5.nabble.com/hmac-sample-tp5716873.html
>>>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>>> For additional commands, e-mail: users-h...@tapestry.apache.org

--
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com
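Howard's point about a randomly generated passphrase not surviving a restart, as an added Python illustration that is not Tapestry code and does not reproduce the real f:formdata encoding: a hidden field is signed with the passphrase the rendering process holds, and a submission verified with a different passphrase fails. The STABLE_PASSPHRASE value and the field layout are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a configured, stable tapestry.hmac-passphrase.
STABLE_PASSPHRASE = "constructed-example-passphrase-configured-once"


def random_startup_passphrase() -> str:
    """Models the 'random at startup' approach: a new secret per process start."""
    return secrets.token_urlsafe(32)


def encode_form_data(state: dict, passphrase: str) -> str:
    """Serialize client-side form state and append an HMAC-SHA256 tag,
    like a signed hidden field rendered into the page."""
    payload = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(passphrase.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def decode_form_data(field: str, passphrase: str) -> dict:
    """Verify the tag with the passphrase the *current* process holds.
    Raises ValueError on mismatch: the 'HMAC being invalid' server error."""
    payload, _, tag = field.rpartition(":")
    expected = hmac.new(passphrase.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("form data HMAC is invalid")
    return json.loads(base64.urlsafe_b64decode(payload))


def survives_restart(random_key_per_start: bool) -> bool:
    """Render a form under one process's key, simulate a restart, then submit.
    Returns True if the submission still verifies."""
    render_key = random_startup_passphrase() if random_key_per_start else STABLE_PASSPHRASE
    field = encode_form_data({"component": "login", "fields": ["user", "pw"]}, render_key)
    submit_key = random_startup_passphrase() if random_key_per_start else STABLE_PASSPHRASE
    try:
        decode_form_data(field, submit_key)
        return True
    except ValueError:
        return False
```

The same check also rejects a field whose payload was modified in transit, which is what the passphrase is there for in the first place.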