I think Mike is talking more about the session state that comes from the apps themselves, not how Tapestry stores its own bookkeeping data. My guess is that the vast majority of real-world Tapestry apps have considerable session state (mostly from over-use of @Persist, @SessionState and @SessionAttribute) and do not use session replication. After all, the Tapestry Tutorial itself uses @Persist, and that's how most people learn how to use forms with Tapestry.
Also, another HMAC issue just occurred to me: Probably many (most?) apps that have been around for a couple years have not yet fully converted to the AlertManager way of displaying messages. For those apps, the conversion to 5.3.6 means they'll have a hard-to-notice error in the logs and nothing else. I'm not sure what can be done about that, but I guess a lot of people will be puzzled if they don't read the release notes carefully.

On Mon, Oct 15, 2012 at 12:33 PM, Howard Lewis Ship <hls...@gmail.com> wrote:
> On Mon, Oct 15, 2012 at 8:11 AM, Michael Gentry <mgen...@masslight.net> wrote:
>> Hi Howard,
>>
>> If your application requires session state to function, it would error
>> out regardless. Perhaps the random approach is better for
>> session-heavy applications and the fixed/stable approach is better for
>> session-free applications?
>
> Especially in 5.4, it will be much more likely that all necessary
> state will be encoded into the form, as the f:formdata hidden field.
> A restart of the server (when the passphrase is randomly generated)
> will invalidate that hidden data, causing an ugly runtime exception,
> even if it is not dependent on server-side state.
>
> As a side note; in 5.4, a validation error on a form causes the page
> to be re-rendered immediately, as part of the same POST request. In
> 5.3 and earlier, a validation error on a form would cause a redirect
> back to the page. Because of this, the ValidationTracker object (which
> captures field inputs and errors) does not have to be stored in the
> session (to survive until the redirect), and that's the primary way
> that a session gets created.
>
>>
>> Thanks,
>>
>> mrg
>>
>>
>> On Sun, Oct 14, 2012 at 1:39 PM, Howard Lewis Ship <hls...@gmail.com> wrote:
>>> On Sat, Oct 13, 2012 at 4:22 AM, Bob Harner <bobhar...@gmail.com> wrote:
>>>> Use any long, random, private string of characters, just like you'd
>>>> use for a secure password or pass phrase.
>>>>
>>>> From Wikipedia: "The cryptographic strength of the HMAC depends upon
>>>> the size of the secret key that is used. The most common attack
>>>> against HMACs is brute force to uncover the secret key."
>>>>
>>>> If your app is not clustered (or is clustered, but uses sticky
>>>> sessions), you can just generate a random string:
>>>>
>>>> // Set a random HMAC key for form signing (not cluster safe)
>>>> configuration.add(SymbolConstants.HMAC_PASSPHRASE,
>>>>     new BigInteger(130, new SecureRandom()).toString(32));
>>>>
>>>
>>> I would not advise this approach.
>>>
>>> If a page renders a form, it is using the hmac passphrase.
>>>
>>> If the server restarts before the form is submitted, you will see a
>>> server-side error about the HMAC being invalid when the form is
>>> submitted.
>>>
>>> The passphrase should be more stable; I would not change it very
>>> often, if at all, once created.
>>>
>>>> Disclaimer: the assessment of the security implications of this are up
>>>> to you. I claim no particular expertise here.
>>>>
>>>> On Fri, Oct 12, 2012 at 11:15 PM, angelochen <angelochen...@yahoo.com.hk>
>>>> wrote:
>>>>> Hi,
>>>>>
>>>>> got this error when upgrading to 5.3.6, any sample to set this?
>>>>>
>>>>> ClientDataEncoder The symbol 'tapestry.hmac-passphrase' has not been
>>>>> configured.
>>>>>
>>>>> Thanks,
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://tapestry.1045711.n5.nabble.com/hmac-sample-tp5716873.html
>>>>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Howard M. Lewis Ship
>>>
>>> Creator of Apache Tapestry
>>>
>>> The source for Tapestry training, mentoring and support. Contact me to
>>> learn how I can get you up and productive in Tapestry fast!
>>>
>>> (971) 678-5210
>>> http://howardlewisship.com
>>>
>>
>
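The restart problem Howard describes, and the reason a stable passphrase fixes it, modelled as an added example (this is constructed illustration code, not Tapestry's own implementation; the SHA-256 digest, the hidden-field encoding, the payload and the helper names are assumptions of the model):

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model of a server protecting a serialized form payload (the
# f:formdata hidden field in the thread) with an HMAC keyed by its passphrase.
# SHA-256, the field encoding and the payload are assumptions of this model,
# not a claim about Tapestry's actual format.
DIGEST = hashlib.sha256


def sign(passphrase: str, payload: bytes) -> str:
    """Render-time: return hidden-field value base64(payload) + ':' + hex MAC."""
    mac = hmac.new(passphrase.encode("utf-8"), payload, DIGEST).hexdigest()
    return base64.b64encode(payload).decode("ascii") + ":" + mac


def verify(passphrase: str, field: str) -> Optional[bytes]:
    """Submit-time: return the payload if the MAC checks out, else None."""
    try:
        encoded, mac = field.rsplit(":", 1)
        payload = base64.b64decode(encoded, validate=True)
    except ValueError:  # malformed field or bad base64 (binascii.Error)
        return None
    expected = hmac.new(passphrase.encode("utf-8"), payload, DIGEST).hexdigest()
    # constant-time compare so the check itself does not leak the MAC
    return payload if hmac.compare_digest(expected, mac) else None


def random_passphrase() -> str:
    """The per-start random passphrase approach quoted in the thread."""
    return secrets.token_urlsafe(32)


def submit_after_restart(stable_passphrase: Optional[str]) -> bool:
    """Render a form, 'restart' the server, submit it; True if verify passes.

    With None the passphrase is regenerated on each start, which is the
    scenario Howard warns about: a MAC made before the restart never verifies.
    """
    render_key = stable_passphrase or random_passphrase()
    hidden_field = sign(render_key, b"formId=login&fields=user,pass")
    submit_key = stable_passphrase or random_passphrase()  # server restarted
    return verify(submit_key, hidden_field) is not None
```

A fixed passphrase read from configuration survives restarts and is the same on every node of a cluster, which is why it verifies in both cases where the per-start random one does not.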