Bug 1347845 - [GSS](6.4.z) JAVASERVERFACES-4137 - Enable CLIENTSTATESAVINGPASSWORD By Default In JSF 1.2
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: JSF
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: CR1
: EAP 6.4.10
Assignee: Radovan Netuka
QA Contact: Jan Kasik
URL:
Whiteboard:
Depends On:
Blocks: eap6410-payload 1347868
Reported: 2016-06-17 20:31 UTC by ivassile
Modified: 2019-11-14 08:26 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-01-17 12:59:10 UTC
Type: Bug
Embargoed:



Description ivassile 2016-06-17 20:31:35 UTC
Backport JAVASERVERFACES-4137 to our Mojarra 2.1.28 fork for EAP 6.4.x.

Comment 1 Farah Juma 2016-06-17 22:06:01 UTC
The commit that needs to be backported is:

https://github.com/javaserverfaces/mojarra/commit/26b8c15dcab647fe8d2026453f80d060d2ebe46c

Comment 9 Farah Juma 2016-09-02 15:43:42 UTC
Here's a description of this issue, as requested by Ilia:

ByteArrayGuard's usage of Mac instances is not thread-safe, which can randomly result in "ERROR: MAC did not verify!" messages being output. JAVASERVERFACES-4137 fixes this problem by moving Mac instantiation and initialization to the encrypt/decrypt methods in ByteArrayGuard and enabling ViewState data encryption by default.
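
The failure mode described in Comment 9, as an added example that is not Mojarra's ByteArrayGuard code: one `javax.crypto.Mac` reused by concurrent threads is compared with a `Mac` created and initialized inside each call. The class name, the key, the sample state bytes and the choice of `HmacSHA256` are assumptions made for the demonstration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class MacThreadSafetyDemo {
    // Constructed demo key (assumption); a real deployment uses a randomly generated secret.
    static final SecretKeySpec KEY = new SecretKeySpec(
        "constructed-demo-key-0123456789ab".getBytes(StandardCharsets.UTF_8), "HmacSHA256");

    static Mac newMac() throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(KEY);
        return mac;
    }

    // Returns how many tags computed under concurrency differ from the reference tag.
    static int mismatches(boolean shareInstance) throws Exception {
        byte[] state = "constructed serialized view state".getBytes(StandardCharsets.UTF_8);
        byte[] expected = newMac().doFinal(state);
        Mac shared = newMac(); // unsafe pattern: one instance reused by every request thread
        AtomicInteger bad = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int i = 0; i < 20000; i++) {
            pool.submit(() -> {
                try {
                    Mac mac = shareInstance ? shared : newMac();
                    mac.update(state);          // another thread can interleave its update here
                    byte[] tag = mac.doFinal(); // doFinal also resets the shared internal state
                    if (!MessageDigest.isEqual(expected, tag)) bad.incrementAndGet();
                } catch (Exception e) {
                    bad.incrementAndGet();      // corrupted internal state may also throw
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return bad.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared Mac mismatches:   " + mismatches(true));
        System.out.println("per-call Mac mismatches: " + mismatches(false));
    }
}
```

The shared-instance count varies from run to run because it depends on thread scheduling, which matches the random nature of the reported error; the per-call count is always 0.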

Comment 10 Michael Cada 2016-09-06 13:43:23 UTC
Commit successfully backported. No regressions found. Verified with EAP 6.4.10.CP.CR2

Comment 11 Petr Penicka 2017-01-17 12:59:10 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.
