Posted to users@wicket.apache.org by Casper Bang <ca...@jbr.dk> on 2008/12/03 04:26:19 UTC

Why can't I initialize PasswordTextField?

I'm trying to implement credentials memory functionality for a login 
form using cookies. I know there's an official example 
(http://wicketstuff.org/wicket13/signin2/?x=7*:org.apache.wicket.examples.signin2.SignIn2) 
however it simply delegates to some panel which is not available as 
source on the page. So anyway, it should be simple, and all works great 
except that I cannot get the password field to get filled out upon page 
load. In the constructor of my panel I do the following:

        Cookie credentials =
            ((WebRequest) getRequestCycle().getRequest()).getCookie("credentials");
        remember = credentials != null;
        if (remember) {
            // cookie value is stored as "username:password"; limit 2 keeps a
            // password that itself contains ':' intact
            String[] credentialParts = credentials.getValue().split(":", 2);
            // guard against a malformed cookie with no ':' separator
            if (credentialParts.length == 2) {
                username = credentialParts[0];
                password = credentialParts[1];
            }
        }

The fields username and password of the panel are bound to the form 
using a CompoundPropertyModel. When I sniff request and response 
headers, I can see that indeed the cookie info is sent around fine. I 
guess it has to do with security somehow, but shouldn't this be possible 
even if I am using a PasswordTextField?

Thanks in advance,
Casper

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Why can't I initialize PasswordTextField?

Posted by Casper Bang <ca...@jbr.dk>.
James Carman wrote:
> The browser's saved passwords support doesn't transmit your password over
> HTTP along with the rest of the markup, though.  It just remembers it and
> auto-populates it for you once it receives the HTML from the site.  So, it's
> as unsafe as your computer is (hopefully you use a password on your
> computer). :)
I guess I have a hard time seeing the security difference between 
retrieving a cookie vs. submitting credentials in a POST; both are 
insecure against man-in-the-middle attacks if not using SSL!? Anyway, back 
to my original issue: as Timo points out, HTML just works that way. I 
guess what I see on java.net is browser functionality rather than 
application/cookie functionality.

/Casper



Re: Why can't I initialize PasswordTextField?

Posted by kan <ka...@gmail.com>.
2008/12/3 James Carman <ja...@carmanconsulting.com>:

> The browser's saved passwords support doesn't transmit your password over
> HTTP along with the rest of the markup, though.  It just remembers it and
> auto-populates it for you once it receives the HTML from the site.  So, it's
> as unsafe as your computer is (hopefully you use a password on your
> computer). :)
Actually, in this case the site just sends back a value which the browser has
sent in a cookie. So the site doesn't send anything which the browser
doesn't already know.

-- 
WBR, kan.



Re: Why can't I initialize PasswordTextField?

Posted by James Carman <ja...@carmanconsulting.com>.
On Wed, Dec 3, 2008 at 6:55 AM, Casper Bang <ca...@jbr.dk> wrote:

> Yeah, I thought of the security issue; it seems though quite a few PHP sites
> work like that (not to mention built-in browser functionality which does
> the same kind of unsafe client side caching).
>

The browser's saved passwords support doesn't transmit your password over
HTTP along with the rest of the markup, though.  It just remembers it and
auto-populates it for you once it receives the HTML from the site.  So, it's
as unsafe as your computer is (hopefully you use a password on your
computer). :)

Re: Why can't I initialize PasswordTextField?

Posted by Casper Bang <ca...@jbr.dk>.
Yeah, I thought of the security issue; it seems though quite a few PHP 
sites work like that (not to mention built-in browser functionality 
which does the same kind of unsafe client side caching).

In the idiom outlined in your source code, how can the server then 
re-authorize without username and password? I assume the user table then 
has to include a session field that is transferred and stored upon 
initial login, and which is used to match up against on successive logins?

/Casper


Jeremy Thomerson wrote:
> May I answer your question with a question?
>
> Why would you want your password field to have the value pre-filled on the
> page?  Then the password is in plain text available to the user (and
> assuming you're not on https, anyone in between).  I've never seen an
> instance where this was a good idea.
>
> If you're trying to do an auto-login, you shouldn't show the login page at
> all.  Pseudo code would be:
>
> if (getYourSession().isSignedIn() == false) {
>   String token = getCookie(someCookieID);
>   if (token != null && !token.isEmpty()) {
>     User user = lookupUser(token);
>     if (user != null) {
>       getYourSession().signIn(user);
>     } else {
>       // only here would you show login page, without anything pre-filled,
>       // because they're not already signed in and they don't have a cookie
>       // to sign them in
>       setResponsePage(YourLoginPage.class);
>     }
>   }
> }
>
> On Tue, Dec 2, 2008 at 9:26 PM, Casper Bang <ca...@jbr.dk> wrote:
>
>   
>> I'm trying to implement credentials memory functionality for a login form
>> using cookies. I know there's an official example (
>> http://wicketstuff.org/wicket13/signin2/?x=7*:org.apache.wicket.examples.signin2.SignIn2)
>> however it simply delegates to some panel which is not available as source
>> on the page. So anyway, it should be simple, and all works great except that
>> I can not get the password field to get filled out upon page load. In my
>> constructor of my panel I do the following:
>>
>>       Cookie credentials =
>> ((WebRequest)getRequestCycle().getRequest()).getCookie("credentials");
>>       remember = credentials != null;
>>       if(remember){
>>           String[] credentialParts = credentials.getValue().split(":");
>>           username = credentialParts[0];
>>           password = credentialParts[1];
>>       }
>>
>> The fields username and password of the panel are bound to the form using a
>> CompoundPropertyModel. When I sniff request and response headers, I can see
>> that indeed the cookie info is sent around fine. I guess it has to do with
>> security somehow, but shouldn't this be possible even if I am using a
>> PasswordTextField?
>>
>> Thanks in advance,
>> Casper
>>




Re: Why can't I initialize PasswordTextField?

Posted by Jeremy Thomerson <je...@wickettraining.com>.
May I answer your question with a question?

Why would you want your password field to have the value pre-filled on the
page?  Then the password is in plain text available to the user (and
assuming you're not on https, anyone in between).  I've never seen an
instance where this was a good idea.

If you're trying to do an auto-login, you shouldn't show the login page at
all.  Pseudo code would be:

if (getYourSession().isSignedIn() == false) {
  String token = getCookie(someCookieID);
  if (token != null && !token.isEmpty()) {
    User user = lookupUser(token);
    if (user != null) {
      getYourSession().signIn(user);
    } else {
      // only here would you show login page, without anything pre-filled,
      // because they're not already signed in and they don't have a cookie
      // to sign them in
      setResponsePage(YourLoginPage.class);
    }
  }
}

On Tue, Dec 2, 2008 at 9:26 PM, Casper Bang <ca...@jbr.dk> wrote:

> I'm trying to implement credentials memory functionality for a login form
> using cookies. I know there's an official example (
> http://wicketstuff.org/wicket13/signin2/?x=7*:org.apache.wicket.examples.signin2.SignIn2)
> however it simply delegates to some panel which is not available as source
> on the page. So anyway, it should be simple, and all works great except that
> I can not get the password field to get filled out upon page load. In my
> constructor of my panel I do the following:
>
>       Cookie credentials =
> ((WebRequest)getRequestCycle().getRequest()).getCookie("credentials");
>       remember = credentials != null;
>       if(remember){
>           String[] credentialParts = credentials.getValue().split(":");
>           username = credentialParts[0];
>           password = credentialParts[1];
>       }
>
> The fields username and password of the panel are bound to the form using a
> CompoundPropertyModel. When I sniff request and response headers, I can see
> that indeed the cookie info is sent around fine. I guess it has to do with
> security somehow, but shouldn't this be possible even if I am using a
> PasswordTextField?
>
> Thanks in advance,
> Casper
>


-- 
Jeremy Thomerson
http://www.wickettraining.com
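The lookupUser(token) step in the pseudocode above, and Casper's earlier question about a "session field" in the user table, can both be served by a token store like the one below. This is an added example, not code from the thread or from Wicket; it assumes an in-memory map standing in for the user table, SHA-256 hashing of the stored token, and a 30-day token lifetime.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical remember-me token store in plain Java; no Wicket API is used. */
public class RememberMeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_SECONDS = 30L * 24 * 3600;   // assumed policy: tokens live 30 days
    /** One row of the assumed "session field" table: the token's owner and expiry. */
    static final class Entry {
        final String userId; final Instant expiresAt;
        Entry(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }
    // Constructed in-memory stand-in for the user table, keyed by SHA-256(token), never the token itself.
    private final Map<String, Entry> byTokenHash = new HashMap<>();
    static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    /** After a successful password login: mint a random token, persist only its hash, return the cookie value. */
    public String issue(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byTokenHash.put(sha256(token), new Entry(userId, Instant.now().plusSeconds(TTL_SECONDS)));
        return token;
    }
    /** The lookupUser(token) step of the pseudocode above: user id, or null if unknown or expired. */
    public String lookupUser(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) return null;
        String key = sha256(cookieValue);
        Entry e = byTokenHash.get(key);
        if (e == null) return null;
        if (Instant.now().isAfter(e.expiresAt)) { byTokenHash.remove(key); return null; }
        return e.userId;
    }
    public void revoke(String cookieValue) { byTokenHash.remove(sha256(cookieValue)); } // logout or password change
    public static void main(String[] args) {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("casper");        // this value, not "user:password", goes in the cookie
        System.out.println(store.lookupUser(cookie)); // resolves to the owner while the token is valid
        store.revoke(cookie);
        System.out.println(store.lookupUser(cookie)); // no longer resolves once revoked
    }
}
```

The cookie then carries only a random token, so an inspected or captured cookie yields no password, and revoke() on logout or password change stops an old cookie from signing anyone in.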

Re: Why can't I initialize PasswordTextField?

Posted by Timo Rantalaiho <Ti...@ri.fi>.
On Wed, 03 Dec 2008, Casper Bang wrote:
> on the page. So anyway, it should be simple, and all works great except 
> that I can not get the password field to get filled out upon page load. 

HTML just works that way,

  "Note that the current value is the text entered by the user, not the
  text rendered by the user agent."

  http://www.w3.org/TR/html401/interact/forms.html#h-17.4.1

you'll have to bypass the password check for autologin.

Best wishes,
Timo

-- 
Timo Rantalaiho           
Reaktor Innovations Oy    <URL: http://www.ri.fi/ >
