String is vulnerable for password values. I noticed that Vaadin PasswordField manipulates the password as a String.
Following is the default constructor of PasswordField:
    public PasswordField() {
        setValue("");
    }
My questions: PasswordField in Vaadin?
TL;DR: Vaadin PasswordField is a simple TextField. The input is hidden only on the client side; on the server side it is transmitted in clear text.
You can, however, use getConvertedValue() and setConvertedValue(Object value) to get/set the value in your own type. Note that you have to set setConverter(Converter<T,?> converter) before using them.
Here you have an example of how to use the conversion properly: Creating your own converter for String - MyType conversion
FULL EXPLANATION
Vaadin TextField, PasswordField and TextArea are all children of AbstractField<String>.
In detail:
    java.lang.Object
      |_ com.vaadin.server.AbstractClientConnector
           |_ com.vaadin.ui.AbstractComponent
                |_ com.vaadin.ui.AbstractField<java.lang.String>
                     |_ com.vaadin.ui.AbstractTextField
PasswordField works with String because of its parents; otherwise it would have had to implement AbstractField<char[]>.
In addition, the PasswordField section of the Vaadin Docs says explicitly:
    You should note that the PasswordField hides the input only from "over the shoulder" visual observation. Unless the server connection is encrypted with a secure connection, such as HTTPS, the input is transmitted in clear text and may be intercepted by anyone with low-level access to the network. Also phishing attacks that intercept the input in the browser may be possible by exploiting JavaScript execution security holes in the browser.
However, AbstractField<T> has getConvertedValue() and setConvertedValue(Object value), which allow you to get/set the value as the Object you prefer. Note that before using them you need to call setConverter(Converter<T,?> converter).
Here you have an example of how to use the conversion properly: Creating your own converter for String - MyType conversion
In short, from the example:
Name is a simple POJO with firstName and lastName fields and their getters/setters.
Converter class
    import java.util.Locale;

    import com.vaadin.data.util.converter.Converter;
    import com.vaadin.data.util.converter.Converter.ConversionException;

    // Converts between the String shown in the field and the Name model object
    public class StringToNameConverter implements Converter<String, Name> {
        // Presentation -> model: split "First Last" into the two Name fields
        public Name convertToModel(String text, Locale locale) {
            String[] parts = text.split(" ");
            return new Name(parts[0], parts[1]);
        }
        // Model -> presentation: join the two fields with a space
        public String convertToPresentation(Name name, Locale locale)
                throws ConversionException {
            return name.getFirstName() + " " + name.getLastName();
        }
        public Class<Name> getModelType() {
            return Name.class;
        }
        public Class<String> getPresentationType() {
            return String.class;
        }
    }
Main class
    Name name = new Name("Rudolph", "Reindeer");
    final TextField textField = new TextField("Name");
    // The converter must be set before converted values are read or written
    textField.setConverter(new StringToNameConverter());
    textField.setConvertedValue(name);
    addComponent(textField);
    addComponent(new Button("Submit value", new ClickListener() {
        public void buttonClick(ClickEvent event) {
            // Read the field's String back as a Name through the converter
            Name entered = (Name) textField.getConvertedValue();
        }
    }));
Full source
com.vaadin.ui.PasswordField
com.vaadin.ui.TextField
com.vaadin.ui.TextArea
com.vaadin.ui.AbstractField<T>
com.vaadin.ui.AbstractField<T>#getConvertedValue()
com.vaadin.ui.AbstractField<T>#setConvertedValue(Object value)
com.vaadin.ui.AbstractField<T>#setConverter(Converter<T,?> converter)
TextField
PasswordField
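The same converter mechanism can be pointed at a PasswordField so that application code receives the password as a char[] it can zero after use. The following is an added example, not code from the answer above or from Vaadin: LoginForm, PasswordVerifier and StringToCharArrayConverter are hypothetical names, and the two-argument Converter methods match the snippet above (Vaadin 7.0; later 7.x releases add a targetType argument to both conversion methods).

```java
import java.util.Arrays;
import java.util.Locale;

import com.vaadin.data.util.converter.Converter;
import com.vaadin.ui.Button;
import com.vaadin.ui.PasswordField;
import com.vaadin.ui.VerticalLayout;

// Added example: a PasswordField whose converted value is a char[].
// LoginForm and PasswordVerifier are hypothetical names, not Vaadin classes.
public class LoginForm extends VerticalLayout {

    // Hypothetical application callback that checks the entered password
    // against the stored credential and must not retain the array.
    public interface PasswordVerifier {
        boolean verify(char[] password);
    }

    // Converter between the field's String presentation and a char[] model.
    // Assumes the two-argument Converter methods (Vaadin 7.0 API).
    public static class StringToCharArrayConverter implements Converter<String, char[]> {
        public char[] convertToModel(String text, Locale locale) {
            // One array copy of the characters; the field's own String remains.
            return text == null ? new char[0] : text.toCharArray();
        }
        public String convertToPresentation(char[] password, Locale locale) {
            // Only reached via setConvertedValue(); it necessarily creates a String.
            // A login form never pushes a password into the field, so this stays unused.
            return password == null ? "" : new String(password);
        }
        public Class<char[]> getModelType() { return char[].class; }
        public Class<String> getPresentationType() { return String.class; }
    }

    private final PasswordField passwordField = new PasswordField("Password");

    public LoginForm(final PasswordVerifier verifier) {
        // The converter must be installed before getConvertedValue() is used
        passwordField.setConverter(new StringToCharArrayConverter());
        addComponent(passwordField);
        addComponent(new Button("Log in", new Button.ClickListener() {
            public void buttonClick(Button.ClickEvent event) {
                // Our copy of the password as a mutable array
                char[] password = (char[]) passwordField.getConvertedValue();
                try {
                    boolean ok = verifier.verify(password);
                    // ... react to ok: navigate on success, notify on failure
                } finally {
                    // Zero the array we own. The String held by AbstractField<String>,
                    // and the request data it arrived in, are not erased by this;
                    // resetting the field only drops the live reference.
                    Arrays.fill(password, '\0');
                    passwordField.setValue("");
                }
            }
        }));
    }
}
```

What this buys is narrower than it looks: the converter limits how many additional String copies the application itself creates and gives it one buffer it can wipe, but the String inside AbstractField<String> (the point of the answer above) still exists until garbage collection, and the transport concern from the Vaadin Docs quote is only addressed by HTTPS, not by any server-side type choice.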
A little late to this party, but I'd like to add my 2 cents to what's already been discussed.
It may be purely comfort and code reuse, as PasswordField just extends AbstractTextField on the BE side, which is basically an AbstractField<String>, so all the value manipulation logic, event handling, etc. is already there.
Otherwise one would probably have to implement an AbstractField<char[]> and copy-paste pretty much everything from AbstractTextField just for this. Or generify AbstractTextField, or something similar...
Either way, as already stated, an attacker would require access to the server to dump the memory, in which case you may have bigger problems, be it from outside or inside the organisation (there surely are cases in which own employees have done harm for some reasons) :-)
Regarding the FE, the VPasswordField counterpart creates an input of type password, and the security concerns in respect to the FE-BE communication have already been discussed in Paolo Forgia's answer.
When Vaadin code runs in your web browser it is not in a JVM anymore, so using String is OK in this case. The password will be stored as a Java String on the server side, so in order to access that password String, an attacker has to access your server.
You should be looking at how that password field is handled in the generated JavaScript.