You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Daniel Meier (Jira)" <ji...@apache.org> on 2021/08/05 14:08:00 UTC
[jira] [Comment Edited] (WICKET-6912) PasswordTextField should not
use Strings
[ https://issues.apache.org/jira/browse/WICKET-6912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17393773#comment-17393773 ]
Daniel Meier edited comment on WICKET-6912 at 8/5/21, 2:07 PM:
---------------------------------------------------------------
Hi Sven, thanks for the quick answer.
The problem is that passwords should never be stored in Strings, not even temporarily, since they cannot be cleared in memory because a String is completely immutable. A look into the sources revealed that the raw input in a {{FormComponent}} already is a String, which should not be used when the component stores passwords.
Using Character Arrays (like JCA) or {{CharSequence}} s (like Spring Security) for passwords as soon as possible would be a good improvement.
was (Author: dnl):
Hi Sven, thanks for the quick answer.
The problem is that passwords should never be stored in Strings, not even temporarily, since they cannot be cleared in memory because a String is completely immutable. A look into the sources revealed that the raw input in a {{FormComponent}} already is a String, which should not be used when the component stores passwords.
Using Character Arrays (like JCA) or {{CharSequence}}s (like Spring Security) for passwords as soon as possible would be a good improvement.
> PasswordTextField should not use Strings
> ----------------------------------------
>
> Key: WICKET-6912
> URL: https://issues.apache.org/jira/browse/WICKET-6912
> Project: Wicket
> Issue Type: Improvement
> Components: wicket-core
> Reporter: Daniel Meier
> Assignee: Sven Meier
> Priority: Minor
>
> According to the [Java Cryptography Architecture Reference Guide|https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx], passwords should not be stored in {{java.lang.String}} Objects. Wicket's {{PasswordTextField}} however uses {{String}} Models, which can be a security vulnerability.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)