I received an email from core Mojarra team member Jim Driscoll, who was inexplicably laid off from Sun after its recent acquisition by Oracle, about a talk at next week’s BlackHat Conference in Arlington, VA, U.S.A.. Jim pointed out that two security luminaries from the elite SpiderLabs team from Trustwave are giving a talk at BlackHat about view state security, specifically focusing on Mojarra and MyFaces.

Cursory research on the talk found two articles: one by Kelly Jackson Higgins at DarkReading, and another (which appears to be based on the first) at SC Magazine. The talk will be given by David Byrne (the guy who released grendel, not the guy from Talking Heads), and Rohini Sulatycki. For my money, the most important quote in the former article is, “There’s no patch to fix these flaws, either. ‘All developers have to do is perform a configuration change,’ he says, and encrypt view state.”

I haven’t seen their presentation yet, but for Mojarra, you can put lines 16 - 24 of the following web.xml into your web.xml to ensure that client state will be encrypted.

  1. <?xml version="1.0" encoding="UTF-8"?>
  2.     <servlet>
  3.         <servlet-name>Faces Servlet</servlet-name>
  4.         <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  5.         <load-on-startup>1</load-on-startup>
  6.     </servlet>
  7.     <servlet-mapping>
  8.         <servlet-name>Faces Servlet</servlet-name>
  9.         <url-pattern>/faces/*</url-pattern>
  10.     </servlet-mapping>
  11.     <welcome-file-list>
  12.         <welcome-file>faces/index.xhtml</welcome-file>
  13.     </welcome-file-list>
  14.  
  15.     <context-param>
  16.         <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  17.         <param-value>client</param-value>
  18.     </context-param>
  19.     <env-entry>
  20.         <env-entry-name>ClientStateSavingPassword</env-entry-name>
  21.         <env-entry-type>java.lang.String</env-entry-type>
  22.         <env-entry-value>driscoll</env-entry-value>
  23.     </env-entry>
  24. </web-app>
  25.  

A zipped netbeans project that does this is available at <http://mediacast.sun.com/users/edburns00/media/TestClientStatePassword.zip>