com.sun.faces.ClientStateSavingPassword - recommendations for actual password?
In all of the reference pages I've found with regards to encrypting the ViewState, the only comment on the password is "your password here". Are there any recommendations regarding the length / complexity of the password that we should use? Depends on Mojarra version. It had several flaws/fails in earlier versions. In Mojarra 1.2.x - 2.1.18 , it was never actually used. The JNDI entry name was namely incorrectly documented. It was documented as com.sun.faces.ClientStateSavingPassword (with same prefix as Mojarra's other web.xml context parameters ), but the code actually checks for