Why does PasswordField use String instead of char [] in Vaadin?

Strings are vulnerable for password values. I noticed that Vaadin PasswordField manages the password as a String.

The following is the default constructor for PasswordField:

    public PasswordField() {
        setValue("");
    }

My questions:

  • Can I use PasswordField in Vaadin?
  • What does the internal API do for password security?
+6
3 answers

TL;DR: Vaadin PasswordField is a simple TextField. Input is hidden only on the client side; on the server side it is transmitted in clear text.

However, you can use getConvertedValue() and setConvertedValue(Object value) to get / set the value in your own type. Please note that before using them you need to call setConverter(Converter<T,?> converter).

Here you have an example of how to use the converter correctly: Create your own converter to convert String - MyType


FULL EXPLANATION

Vaadin TextField, PasswordField and TextArea are all children of AbstractField<String>.

Vaadin Docs TextField

More details:

    java.lang.Object
      |_ com.vaadin.server.AbstractClientConnector
           |_ com.vaadin.ui.AbstractComponent
                |_ com.vaadin.ui.AbstractField<java.lang.String>
                     |_ com.vaadin.ui.AbstractTextField

PasswordField works with String because of its parents; otherwise it would have to implement AbstractField<char[]>.

Additionally, the PasswordField section of Vaadin Docs explicitly states:

It should be noted that PasswordField hides the input only from visual observation "over the shoulder". If the connection to the server is not encrypted using a secure connection such as HTTPS, the input is transmitted in plain text and can be intercepted by someone with low-level network access. Also, phishing attacks that intercept browser input may be possible by using JavaScript execution security holes in the browser.


However, AbstractField<T> has getConvertedValue() and setConvertedValue(Object value), which allow you to get / set the value as the Object type you prefer. Please note that before using them you need to call setConverter(Converter<T,?> converter).

Here you have an example of how to use the converter correctly: Create your own converter to convert String - MyType

Briefly from the example:

Name is a simple POJO with the firstName and lastName fields and their getters / setters.

Converter class

    public class StringToNameConverter implements Converter<String, Name> {

        // Parse the text typed into the field into the model object
        public Name convertToModel(String text, Locale locale) {
            String[] parts = text.split(" ");
            return new Name(parts[0], parts[1]);
        }

        // Render the model object back into the text shown in the field
        public String convertToPresentation(Name name, Locale locale)
                throws ConversionException {
            return name.getFirstName() + " " + name.getLastName();
        }

        public Class<Name> getModelType() {
            return Name.class;
        }

        public Class<String> getPresentationType() {
            return String.class;
        }
    }

Main class

    Name name = new Name("Rudolph", "Reindeer");

    final TextField textField = new TextField("Name");
    textField.setConverter(new StringToNameConverter());
    textField.setConvertedValue(name);
    addComponent(textField);

    addComponent(new Button("Submit value", new ClickListener() {
        public void buttonClick(ClickEvent event) {
            // Read the field's value back as the model type
            Name name = (Name) textField.getConvertedValue();
        }
    }));

Full source

+6
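Applied to the question, the same converter mechanism can hand a PasswordField's value to the caller as a char[] that can be zeroed after use. This is an added example, not code from the answer above or from Vaadin; it assumes the Vaadin 7.1+ Converter signatures (the answer's example uses the older two-argument form), and authenticate() is a hypothetical placeholder.

```java
import java.util.Arrays;
import java.util.Locale;

import com.vaadin.data.util.converter.Converter;
import com.vaadin.ui.PasswordField;

// Hypothetical converter: presents the field's String value as a char[]
// so the caller can wipe its own copy once it has been used.
public class StringToCharArrayConverter implements Converter<String, char[]> {

    @Override
    public char[] convertToModel(String value, Class<? extends char[]> targetType,
                                 Locale locale) {
        return value == null ? new char[0] : value.toCharArray();
    }

    @Override
    public String convertToPresentation(char[] value, Class<? extends String> targetType,
                                        Locale locale) {
        return value == null ? "" : new String(value);
    }

    @Override
    public Class<char[]> getModelType() {
        return char[].class;
    }

    @Override
    public Class<String> getPresentationType() {
        return String.class;
    }

    // Typical use in a login handler (authenticate() is a placeholder).
    public static boolean checkPassword(PasswordField field) {
        field.setConverter(new StringToCharArrayConverter());
        char[] secret = (char[]) field.getConvertedValue();
        try {
            return authenticate(secret);
        } finally {
            Arrays.fill(secret, '\0');   // wipe our copy
            field.setValue("");          // drop the field's reference to the String
            // Caveat: the original String object stays in the heap until the
            // garbage collector reclaims it; the converter cannot change that.
        }
    }

    private static boolean authenticate(char[] secret) {
        return secret.length > 0;        // stand-in for a real credential check
    }
}
```

The converter only limits how long your own copy lives; as the answer says, the field itself is still an AbstractField<String>, so the clear-text String exists on the server regardless.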

A little late for this party, but I would like to add my 2 cents to what has already been discussed.

It can be pure comfort and code reuse, because PasswordField simply extends AbstractTextField on the BE side, which is basically AbstractField<String>, so all the logic (value manipulation, event handling, etc.) already exists.

Otherwise, you would probably have to implement AbstractField<char[]> and copy-paste almost everything, starting with AbstractTextField, just for that. Or create an AbstractTextField or something similar ...

In any case, as already mentioned, the attacker would require access to the server in order to dump memory, in which case you may have big problems anyway, either from outside or inside the organization (there are probably cases where your own employees have caused harm for some reason) :-)

As for the FE, VPasswordField creates the input of type password, and security concerns regarding FE-BE communication have already been discussed in Paolo Forge's answer.

+3

When Vaadin code runs in your web browser, it is no longer in the JVM, so using String in this case is fine. The password will be stored as a Java String on the server side, so an attacker must gain access to your server to access this String password.

You should look at how this password field is handled in the generated JavaScript.

+2