summaryrefslogtreecommitdiff
path: root/demos/quickstart
diff options
context:
space:
mode:
authorxue <>2006-02-11 21:46:15 +0000
committerxue <>2006-02-11 21:46:15 +0000
commit9c559fd4e87a208a460255703d9b050988e12775 (patch)
tree5a92cebe241b82000dfae5b9e3897a63f04e9c82 /demos/quickstart
parentc56b1bdb0065b752930f74eabe20f985722268ac (diff)
Updated quickstart tutorial to reflect the addition of TSecurityManager.
Diffstat (limited to 'demos/quickstart')
-rw-r--r--demos/quickstart/protected/pages/Security/ViewState.page21
1 files changed, 8 insertions, 13 deletions
diff --git a/demos/quickstart/protected/pages/Security/ViewState.page b/demos/quickstart/protected/pages/Security/ViewState.page
index 42499aae..1b79c272 100644
--- a/demos/quickstart/protected/pages/Security/ViewState.page
+++ b/demos/quickstart/protected/pages/Security/ViewState.page
@@ -8,24 +8,19 @@ Viewstate lies at the heart of PRADO. Viewstate represents data that can be used
It is extremely important to ensure that viewstate is not tampered by end users. Without protection, malicious users may inject harmful code into viewstate and unwanted instructions may be performed when page state is being restored on server side.
</p>
<p>
-To prevent viewstate from being tampered, PRADO enforces viewstate HMAC (Keyed-Hashing for Message Authentication) check before restoring viewstate. Such a check can detect if the viewstate has been tampered or not by end users. Should the viewstate modifies, PRADO simply stops restoring the viewstate and returns an error message.
+To prevent viewstate from being tampered, PRADO enforces viewstate HMAC (Keyed-Hashing for Message Authentication) check before restoring viewstate. Such a check can detect if the viewstate has been tampered or not by end users. Should the viewstate is modified, PRADO will stop restoring the viewstate and return an error message.
</p>
<p>
-HMAC check requires a private key that should be secret to end users. Developers can either manually specify a key or let PRADO automatically generate a key. Manually specified key is useful when the application runs on a server farm. To do so, configure <tt>TPageStatePersister</tt> in application configuration,
+HMAC check requires a private key that should be secret to end users. Developers can either manually specify a key or let PRADO automatically generate a key. Manually specified key is useful when the application runs on a server farm. To do so, configure <tt>TSecurityManager</tt> in application configuration,
</p>
<com:TTextHighlighter Language="xml" CssClass="source">
-&lt;service id="page" class="TPageService"&gt;
- &lt;modules&gt;
- &lt;module id="state"
- class="TPageStatePersister"
- PrivateKey="my private key" /&gt;
- &lt;/modules&gt;
-&lt;/service&gt;
+&lt;modules&gt;
+ &lt;module id="security"
+ class="TSecurityManager"
+ ValidationKey="my private key" /&gt;
+&lt;/modules&gt;
</com:TTextHighlighter>
<p>
-HMAC check does not prevent end users from reading the viewstate content. An added security measure is to encrypt the viewstate information so that end users cannot decipher it. Work on supporting viewstate encryption is ongoing.
-</p>
-<p>
-Another strategy to protect viewstate is to store it on server side rather than using hidden fields. The relevant work is also ongoing.
+HMAC check does not prevent end users from reading the viewstate content. An added security measure is to encrypt the viewstate information so that end users cannot decipher it. To enable viewstate encryption, set the <tt>EnableStateEncryption</tt> of pages to true. This can be done in <a href="?page=Configurations.PageConfig">page configurations</a> or in page code. Note, encrypting viewstate may degrade the application performance. A better strategy is to store viewstate on the server side, rather than the default hidden field.
</p>
</com:TContent> \ No newline at end of file