Oleg et al,
My take on this is that we should leave the choice of persistence up to the end user. The HttpState is not a JavaBean and does not adhere to any of the other bean contracts, so I don't see any need to make it serializable. I think it would be great to see a class that extends HttpState to make it serializable, particularly if it did so in a way that it encrypted the passwords etc.; however, I believe that should wind up in the contrib directory.


Serialization is way outside of HttpClient's usual use cases, so if there are concerns about how it should be done, it should be left to the user; it's a fairly trivial change for users to make.

The other problem is that if we mark HttpState as serializable we have to start worrying about making it backwards compatible and not breaking the ability to serialize. I'm not sure that's something we want to take on.

The idea is nice on the surface though - shame about the detail. :)

Adrian Sutton.

On Thursday, June 12, 2003, at 09:34 PM, Kalnichevski, Oleg wrote:

Ralph and the HttpClient folks out there,

Initially I thought that the HttpState class should have been made serializable by default. Later I realized that there was a catch, however. The HttpState class, besides cookies, also contains credentials for target servers and proxy servers. From the security standpoint, it would not be desirable to store such sensitive information in clear text or to give the user a wrong impression that the security aspects of password persistence have been taken care of. So, we basically end up with two options:
1) making HttpState serializable but marking credential sets as transient
2) leaving the choice of the persistence mechanism up to the user (as it is today)

If we reach a consensus that the first option makes more sense, I will file a bug report and target it for the 2.1 release.

Cheers

Oleg


-----Original Message-----
From: Ralph Goers [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 01:01
To: [EMAIL PROTECTED]
Subject: HttpState not serializable


I am trying to save the HttpState object in the session and am getting a message from Weblogic Server saying the attribute is not serializable and will be lost upon redeployment. How can I address this?


Ralph

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
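
Option 1 from Oleg's message (serializable state, credentials marked transient), sketched as an added example that is not part of the thread and not HttpClient code. `SessionState` is a hypothetical JDK-only stand-in for `HttpState`, and the cookie and password values are constructed.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

// Hypothetical stand-in for a client state holder; this is not HttpClient's HttpState.
public class SessionState implements Serializable {
    private static final long serialVersionUID = 1L;

    private final List<String> cookies = new ArrayList<>();              // persisted
    private transient Map<String, String> credentials = new HashMap<>(); // never written out

    public void addCookie(String cookie) { cookies.add(cookie); }
    public List<String> getCookies() { return cookies; }
    public void setCredentials(String realm, String password) { credentials.put(realm, password); }
    public boolean hasCredentials(String realm) { return credentials.containsKey(realm); }

    // Transient fields come back as null after deserialization. Restore an empty
    // map so callers re-authenticate instead of hitting a NullPointerException.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        credentials = new HashMap<>();
    }

    public static void main(String[] args) throws Exception {
        SessionState state = new SessionState();
        state.addCookie("JSESSIONID=constructed-sample-value"); // constructed sample
        state.setCredentials("proxy", "constructed-secret");    // constructed sample

        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(state);
        }
        byte[] bytes = buf.toByteArray();

        // Check the serialized form itself: the password must not appear in it.
        String raw = new String(bytes, StandardCharsets.ISO_8859_1);
        System.out.println("secret in stream: " + raw.contains("constructed-secret"));

        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            SessionState restored = (SessionState) in.readObject();
            System.out.println("cookies: " + restored.getCookies());
            System.out.println("proxy credentials kept: " + restored.hasCredentials("proxy"));
        }
    }
}
```

Cookies survive the round trip while the credentials do not, so a session restored after redeployment has to authenticate again; session cookies are themselves bearer tokens and still land in the serialized form.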



