On Wed, Oct 17, 2012 at 7:11 AM, Bob Harner <bobhar...@gmail.com> wrote:
> I think Mike is talking more about the session state that comes from
> the apps themselves, not how Tapestry stores its own bookkeeping data.
> My guess is that the vast majority of real-world Tapestry apps have
> considerable session state (mostly from over-use of @Persist,
> @SessionState and @SessionAttribute) and do not use session
> replication. After all, the Tapestry Tutorial itself uses @Persist,
> and that's how most people learn how to use forms with Tapestry.
>
> Also, another HMAC issue just occurred to me: Probably many (most?)
> apps that have been around for a couple years have not yet fully
> converted to the AlertManager way of displaying messages. For those
> apps, the conversion to 5.3.6 means they'll have a hard-to-notice
> error in the logs and nothing else. I'm not sure what can be done
> about that, but I guess a lot of people will be puzzled if they don't
> read the release notes carefully.
This is why I generally do not like warnings ... they just get lost or
ignored. Perhaps we need to create a DeveloperAlert system that can
"force" client-side alerts (possibly some form of pop-up or floating
div) that can't be ignored. I had a discussion a couple of years back
about a development mode console that could, for example, capture
server-side request processing details (for example, SQL queries and
timings, etc.). I think that would be neat.

>
> On Mon, Oct 15, 2012 at 12:33 PM, Howard Lewis Ship <hls...@gmail.com> wrote:
>> On Mon, Oct 15, 2012 at 8:11 AM, Michael Gentry <mgen...@masslight.net>
>> wrote:
>>> Hi Howard,
>>>
>>> If your application requires session state to function, it would error
>>> out regardless. Perhaps the random approach is better for
>>> session-heavy applications and the fixed/stable approach is better for
>>> session-free applications?
>>
>> Especially in 5.4, it will be much more likely that all necessary
>> state will be encoded into the form, as the f:formdata hidden field.
>> A restart of the server (when the passphrase is randomly generated)
>> will invalidate that hidden data, causing an ugly runtime exception,
>> even if it is not dependent on server-side state.
>>
>> As a side note; in 5.4, a validation error on a form causes the page
>> to be re-rendered immediately, as part of the same POST request. In
>> 5.3 and earlier, a validation error on a form would cause a redirect
>> back to the page. Because of this, the ValidationTracker object (which
>> captures field inputs and errors) does not have to be stored in the
>> session (to survive until the redirect), and that's the primary way
>> that a session gets created.
>>
>>>
>>> Thanks,
>>>
>>> mrg
>>>
>>>
>>> On Sun, Oct 14, 2012 at 1:39 PM, Howard Lewis Ship <hls...@gmail.com> wrote:
>>>> On Sat, Oct 13, 2012 at 4:22 AM, Bob Harner <bobhar...@gmail.com> wrote:
>>>>> Use any long, random, private string of characters, just like you'd
>>>>> use for a secure password or pass phrase.
>>>>>
>>>>> From Wikipedia: "The cryptographic strength of the HMAC depends upon
>>>>> the size of the secret key that is used. The most common attack
>>>>> against HMACs is brute force to uncover the secret key."
>>>>>
>>>>> If your app is not clustered (or is clustered, but uses sticky
>>>>> sessions), you can just generate a random string:
>>>>>
>>>>> // Set a random HMAC key for form signing (not cluster safe)
>>>>> configuration.add(SymbolConstants.HMAC_PASSPHRASE,
>>>>>     new BigInteger(130, new SecureRandom()).toString(32));
>>>>>
>>>>
>>>> I would not advise this approach.
>>>>
>>>> If a page renders a form, it is using the hmac passphrase.
>>>>
>>>> If the server restarts before the form is submitted, you will see a
>>>> server-side error about the HMAC being invalid when the form is
>>>> submitted.
>>>>
>>>> The passphrase should be more stable; I would not change it very
>>>> often, if at all, once created.
>>>>
>>>>> Disclaimer: the assessment of the security implications of this is up
>>>>> to you. I claim no particular expertise here.
>>>>>
>>>>> On Fri, Oct 12, 2012 at 11:15 PM, angelochen <angelochen...@yahoo.com.hk>
>>>>> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> got this error when upgrading to 5.3.6, any sample to set this?
>>>>>>
>>>>>> ClientDataEncoder The symbol 'tapestry.hmac-passphrase' has not been
>>>>>> configured.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> --
>>>>>> View this message in context:
>>>>>> http://tapestry.1045711.n5.nabble.com/hmac-sample-tp5716873.html
>>>>>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>>>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>>>>
>>>>
>>>> --
>>>> Howard M. Lewis Ship
>>>>
>>>> Creator of Apache Tapestry
>>>>
>>>> The source for Tapestry training, mentoring and support. Contact me to
>>>> learn how I can get you up and productive in Tapestry fast!
>>>>
>>>> (971) 678-5210
>>>> http://howardlewisship.com
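The thread's practical outcome is that the `tapestry.hmac-passphrase` symbol must be configured, and that the value should be stable across restarts and identical on every cluster node rather than generated randomly at startup. The following AppModule contribution is an added example written for this page, not code from the thread or from the Tapestry project. It assumes Tapestry 5.3.6 or later on the classpath (where `SymbolConstants.HMAC_PASSPHRASE` exists), a conventional module class named `AppModule` in a hypothetical package, and an environment variable name `TAPESTRY_HMAC_PASSPHRASE` chosen here as an assumption; the minimum length is a local policy choice, not a Tapestry requirement.

```java
package com.example.app.services; // hypothetical package (assumption)

import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.MappedConfiguration;

/**
 * Contributes a stable HMAC passphrase for Tapestry form signing
 * (SymbolConstants.HMAC_PASSPHRASE, i.e. "tapestry.hmac-passphrase").
 *
 * The secret is read from the process environment at startup instead of
 * being generated with SecureRandom, so a form rendered before a restart,
 * or on a different node of a cluster, still verifies when it is submitted.
 * Missing or weak configuration fails at startup with an actionable message
 * rather than surfacing later as an HMAC error on a user's form POST.
 */
public class AppModule {

    /** Environment variable consulted for the secret (assumed name). */
    static final String ENV_NAME = "TAPESTRY_HMAC_PASSPHRASE";

    /** Local policy: HMAC strength is bounded by key size, so refuse short secrets. */
    static final int MIN_LENGTH = 32;

    public static void contributeApplicationDefaults(
            MappedConfiguration<String, Object> configuration) {
        // Same value on every node, unchanged across restarts.
        configuration.add(SymbolConstants.HMAC_PASSPHRASE, loadPassphrase());
    }

    /** Resolve and validate the passphrase; throws if it is absent or too short. */
    static String loadPassphrase() {
        String value = System.getenv(ENV_NAME);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException(
                "No HMAC passphrase configured. Set the " + ENV_NAME
                + " environment variable to a long, random, private string"
                + " and use the same value on every node of the cluster.");
        }
        if (value.length() < MIN_LENGTH) {
            throw new IllegalStateException(
                "HMAC passphrase is too short (" + value.length()
                + " characters); use at least " + MIN_LENGTH + ".");
        }
        return value;
    }
}
```

The secret is generated once, outside the application (for example with a password manager or `openssl rand -base64 48`), stored in the deployment's secret store, and injected into the environment of every node; rotating it invalidates every form rendered under the old value, which is exactly the restart failure the thread describes, so rotation should be scheduled like any other key rotation rather than happening on each start. Tapestry also reads symbols from JVM system properties, so `-Dtapestry.hmac-passphrase=...` on the command line is an alternative to this contribution, with the same stability requirement.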