Posted to commits@wicket.apache.org by "W.Mazur (JIRA)" <ji...@apache.org> on 2012/08/16 11:57:38 UTC

[jira] [Created] (WICKET-4713) Do not pass passwords as String

W.Mazur created WICKET-4713:
-------------------------------

             Summary: Do not pass passwords as String
                 Key: WICKET-4713
                 URL: https://issues.apache.org/jira/browse/WICKET-4713
             Project: Wicket
          Issue Type: Improvement
          Components: wicket
    Affects Versions: 6.0.0-beta3, 1.5.7
         Environment: N/A
            Reporter: W.Mazur


A security-conscious user may not like passing passwords as String. I would prefer to pass the password as byte[] (so I can overwrite it with zeros when I don't need it - you cannot do that with String since it's immutable). 

Detailed issue description may be found here: http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords.

Affected classes: WebSession.java, PasswordTextField...



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (WICKET-4713) Do not pass passwords as String

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13436574#comment-13436574 ] 

Martin Grigorov commented on WICKET-4713:
-----------------------------------------

How is WebSession affected?
And how would you enter your password as a byte array in the HTML input field?

We need to transfer it from the browser to the server as a String and then convert it to byte[] for PasswordTextField, but this won't solve your concern because the String will still be in memory and dumping it will show it.
                
> Do not pass passwords as String
> -------------------------------
>
>                 Key: WICKET-4713
>                 URL: https://issues.apache.org/jira/browse/WICKET-4713
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 1.5.7, 6.0.0-beta3
>         Environment: N/A
>            Reporter: W.Mazur
>              Labels: security
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Security conscious user may not like passing passwords as String. I would prefer to pass password as byte[] (so I can overwrite it with zeros when I don't need it - you cannot do it with String since it's immutable). 
> Detailed issue description may be found here: http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords.
> Affected classes: WebSession.java, PasswordTextField...
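The trade-off discussed in the report and in the comment above, as an added example in Java that is not Wicket code and was not posted by anyone in this thread: a password that arrives as a String is copied into a char[] and a byte[] that the application can zero in a finally block, while the String it came from is immutable and stays on the heap until the garbage collector removes it. The class name PasswordHandling, the helper names, the sample password and the plain SHA-256 digest are assumptions chosen for illustration (a real user store holds a salted, slow hash such as PBKDF2 or bcrypt).

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Added illustration, not Wicket code: a password received as a String (what the
 * Servlet API hands to the application) is copied into arrays that the caller can
 * zero after use; the String itself cannot be cleared and lives until the GC runs.
 */
public class PasswordHandling {

    /** Encodes the chars to UTF-8 without creating a String, then wipes the encoder's scratch buffer. */
    static byte[] toUtf8(char[] password) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0); // the buffer's backing array still holds a copy
        }
        return bytes;
    }

    static byte[] sha256(byte[] input) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(input);
    }

    /** True when every element of the array has been zeroed. */
    static boolean isAllZero(char[] a) {
        for (char c : a) {
            if (c != 0) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks the password against a stored digest and guarantees every array copy is
     * zeroed before returning, whether the comparison succeeds, fails or throws.
     * (Plain SHA-256 only keeps the example short; real password storage uses a
     * salted, slow hash such as PBKDF2 or bcrypt.)
     */
    static boolean authenticate(char[] password, byte[] storedDigest) throws NoSuchAlgorithmException {
        byte[] bytes = null;
        try {
            bytes = toUtf8(password);
            return MessageDigest.isEqual(sha256(bytes), storedDigest); // constant-time comparison
        } finally {
            if (bytes != null) {
                Arrays.fill(bytes, (byte) 0);
            }
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed fixture: the digest a user store would hold for this sample password.
        byte[] storedDigest = sha256(toUtf8("correct horse battery staple".toCharArray()));

        // Constructed sample input standing in for request.getParameter("password").
        String fromRequest = "correct horse battery staple";

        char[] pw = fromRequest.toCharArray(); // a copy the application controls
        boolean ok = authenticate(pw, storedDigest);

        System.out.println("authenticated: " + ok);
        // The char[] copy has been zeroed by authenticate()...
        System.out.println("char[] wiped: " + isAllZero(pw));
        // ...but the String is immutable and unchanged; nothing in the application can
        // wipe it, which is the limit Martin Grigorov describes above.
        System.out.println("String after use: " + fromRequest);
    }
}
```

The finally block is the part worth copying: the wipe has to happen on every exit path, and the intermediate ByteBuffer produced by the charset encoder is a third copy that is easy to forget. A string literal such as the sample password above is also interned, which is the case the resolution comment warns about.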


[jira] [Resolved] (WICKET-4713) Do not pass passwords as String

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-4713.
-------------------------------------

    Resolution: Won't Fix

Wicket uses Servlet APIs to read the request parameters, thus the values are String.
These String instances are short lived, though. The Garbage Collector will collect them soon after the request processing, unless you intern them, in which case they will be stored in the PermGen space.
If you make a memory dump of a Java process you will see that there are hundreds of thousands of char[] instances. This should make it very hard to extract just the ones which are passwords.
Additionally you should make it harder for an attacker to get access to your server to be able to make memory dumps of a process.
                


[jira] [Commented] (WICKET-4713) Do not pass passwords as String

Posted by "Sven Meier (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13436598#comment-13436598 ] 

Sven Meier commented on WICKET-4713:
------------------------------------

IMHO we should deprecate WebSession#authenticate() anyway. It seems to be there for wicket-auth-roles only, throwing an exception if not overridden.
                


[jira] [Commented] (WICKET-4713) Do not pass passwords as String

Posted by "W.Mazur (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13436591#comment-13436591 ] 

W.Mazur commented on WICKET-4713:
---------------------------------

I've decided to note the WebSession class as an entry point for further rework - I was thinking about the authenticate() method.

I don't know Wicket internals, so I expected that at a very low level Wicket receives a stream, not a String. If it's a String - well - it's too late to worry, as you mentioned.

On the other hand - if it's a stream - I know that the rework would be painfully expensive - but adding security features to a mature project is a major pain in most cases.

Regards.
                
