Posted to dev@struts.apache.org by Frederic BAGES <fr...@in-fusio.com> on 2001/02/13 16:32:14 UTC

RE: html:password

	I haven't tried since the changes were made but I think it's because of the
way the session object is managed. You don't lose session information (your
form) until a timeout occurs. It's the same on many web sites. If you close
your browser you won't be able to log in without your password. It's better
than seeing the password in plain text in the html source. But I don't know
why the password is not set to an empty string if you don't fill the
password field.

	I forward this message to the dev list before the 1.0 release of struts.

	Frederic.



-----Original Message-----
From: mmuchnik@brainwasher.iway.fr
[mailto:mmuchnik@brainwasher.iway.fr] On behalf of Maya Muchnik
Sent: Tuesday, February 13, 2001 15:36
To: struts-user@jakarta.apache.org
Subject: Re: html:password


OK, you do not display password as some amount of "*" and password is empty
field. But then you change other field, not password, and push "Save". No
problem. Where is security? If a user can see in the source all "*" string,
I think, it is not a bigger problem, as see an empty string. I think it is
important that password will not have getter method.

Frederic BAGES wrote:

>         It was a request from myself. I didn't know that would annoy anyone. The
> fact is that if you ask your browser to show you the html source you will
> see the password is embedded in it (case of '*'). It is not secure and we
> found that it's better not to fill back the password field.
>
>         Frederic.
>
> -----Original Message-----
> From: hias@livinglogic.de [mailto:hias@livinglogic.de] On behalf of
> Matthias Bauer
> Sent: Tuesday, February 13, 2001 10:25
> To: struts-user@jakarta.apache.org
> Subject: html:password
>
> Hi,
>
> I just upgraded to struts 1.0 nightly build 20010212 from an earlier version
> and found that the html:password tag does not work as in the earlier version
> I used (20010117): The password is no longer displayed as '*'s. Instead the
> password field is empty. This does not seem to be a feature, because it
> imposes some difficulties, when I want to offer the user to edit his profile
> which contains a password, because now the user always has to reenter the
> password, also when he only wants to change some other field of his profile.
>
> Has anybody seen the same behaviour?
>
> Thanks,
>
> --- Matthias
>
> Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++
> www.livinglogic.de


Re: html:password

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Frederic BAGES wrote:

>         I haven't tried since the changes were made but I think it's because of the
> way the session object is managed. You don't lose session information (your
> form) until a timeout occurs. It's the same on many web sites. If you close
> your browser you won't be able to log in without your password. It's better
> than seeing the password in plain text in the html source. But I don't know
> why the password is not set to an empty string if you don't fill the
> password field.
>

This got changed about a week ago -- the password field no longer echoes the previous
contents into the source of the page.  Try a recent nightly build.

>
>         I forward this message to the dev list before the 1.0 release of struts.
>
>         Frederic.
>

Craig
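
Added example, not part of the original thread and not Struts code: one way to reconcile the two concerns raised above (never writing the stored password into the page source, yet letting a user edit other profile fields without retyping it) is to render the password input empty and treat a blank submission as "unchanged". The class, field and method names are hypothetical, and the PBKDF2 parameters are an assumed choice.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical profile-edit handler; illustrative names, not Struts classes. */
public class ProfileEdit {
    /** Only a salted hash is stored, so there is no cleartext to echo back. */
    static class Profile { String email; String passwordHash; }

    /** Render the edit form: the password input never carries a value attribute. */
    static String render(Profile p) {
        return "<input type=\"text\" name=\"email\" value=\"" + escape(p.email) + "\">\n"
             + "<input type=\"password\" name=\"password\""
             + " placeholder=\"leave blank to keep current password\">";
    }

    /** Apply a submission: a blank password field means "keep the current one". */
    static void apply(Profile p, String email, String password) throws Exception {
        p.email = email;
        if (password != null && !password.isEmpty()) {
            p.passwordHash = hash(password.toCharArray());
        }
    }

    /** PBKDF2 with a fresh random salt; iteration count is an assumed setting. */
    static String hash(char[] pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 210_000, 256);
        byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                    .generateSecret(spec).getEncoded();
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(dk);
    }

    /** Minimal HTML attribute escaping for the non-secret fields. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) throws Exception {
        Profile p = new Profile();
        apply(p, "user@example.com", "constructed-sample-pw");  // constructed input
        String before = p.passwordHash;
        apply(p, "new@example.com", "");                         // password left blank
        System.out.println(render(p));
        System.out.println("hash unchanged: " + before.equals(p.passwordHash));
    }
}
```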



Re: Class BaseHandlerTag

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Josh wrote:

> I am trying to understand the BaseHandlerTag in the package
> org.apache.struts.taglib.html and in particular the events.  For example when
> and how would one go about using "getOnclick()"?

You probably would not be using this, which is probably leading to your
confusion :-).

Technically, custom tags only need setter methods for their properties, because
that is all the JSP page compiler needs.  I put getters in by programming habit,
and have found them to be useful in case of nested tags (a tag can find out who
its immediate parent is, and call property getters on that tag instance as if it
were a bean).

>  I would think that there is
> some example code lying around which could answer many of my questions.  I am
> running the struts-example program, which has been very helpful, however it
> does not seem to be utilizing any of the events in the BaseHandlerTag (or am I
> wrong?).  I will continue to search for some example code to illustrate uses
> for these events, but in the meantime if people subscribed to this list could
> post any links to follow I would appreciate it.
>

If you wanted to pop up an alert box when a button was clicked, you might say
something like (I'm not a JavaScript maven, so forgive any incorrect syntax):

    <html:button value="Click Me!"
     onclick='alert("I was clicked!")'/>

which will cause an "onclick" event handler to be included on the generated button
tag.  The same goes for all the other event handlers -- they just pass through
corresponding attributes on the generated HTML elements.

>
> Thanks,
> Josh
>

Craig



Class BaseHandlerTag

Posted by Josh <jr...@yahoo.com>.
I am trying to understand the BaseHandlerTag in the package
org.apache.struts.taglib.html and in particular the events.  For example when
and how would one go about using "getOnclick()"?  I would think that there is
some example code lying around which could answer many of my questions.  I am
running the struts-example program, which has been very helpful, however it
does not seem to be utilizing any of the events in the BaseHandlerTag (or am I
wrong?).  I will continue to search for some example code to illustrate uses
for these events, but in the meantime if people subscribed to this list could
post any links to follow I would appreciate it.

Thanks,
Josh




Re: html:password

Posted by Maya Muchnik <mm...@pumatech.com>.
Frederic,

I agree that nobody will "welcome" to get password back as a plain text. I am for
NO getter method for password (we are doing this on database level). When a user
sees an empty field in the form he / she is confused: "Do I need to fill in or
not?" Especially for password.

Frederic BAGES wrote:

>         I haven't tried since the changes were made but I think it's because of the
> way the session object is managed. You don't lose session information (your
> form) until a timeout occurs. It's the same on many web sites. If you close
> your browser you won't be able to log in without your password. It's better
> than seeing the password in plain text in the html source. But I don't know
> why the password is not set to an empty string if you don't fill the
> password field.
>
>         I forward this message to the dev list before the 1.0 release of struts.
>
>         Frederic.
>
> -----Original Message-----
> From: mmuchnik@brainwasher.iway.fr
> [mailto:mmuchnik@brainwasher.iway.fr] On behalf of Maya Muchnik
> Sent: Tuesday, February 13, 2001 15:36
> To: struts-user@jakarta.apache.org
> Subject: Re: html:password
>
> OK, you do not display password as some amount of "*" and password is empty
> field. But then you change other field, not password, and push "Save". No
> problem. Where is security? If a user can see in the source all "*" string,
> I think, it is not a bigger problem, as see an empty string. I think it is
> important that password will not have getter method.
>
> Frederic BAGES wrote:
>
> >         It was a request from myself. I didn't know that would annoy anyone. The
> > fact is that if you ask your browser to show you the html source you will
> > see the password is embedded in it (case of '*'). It is not secure and we
> > found that it's better not to fill back the password field.
> >
> >         Frederic.
> >
> > -----Original Message-----
> > From: hias@livinglogic.de [mailto:hias@livinglogic.de] On behalf of
> > Matthias Bauer
> > Sent: Tuesday, February 13, 2001 10:25
> > To: struts-user@jakarta.apache.org
> > Subject: html:password
> >
> > Hi,
> >
> > I just upgraded to struts 1.0 nightly build 20010212 from an earlier version
> > and found that the html:password tag does not work as in the earlier version
> > I used (20010117): The password is no longer displayed as '*'s. Instead the
> > password field is empty. This does not seem to be a feature, because it
> > imposes some difficulties, when I want to offer the user to edit his profile
> > which contains a password, because now the user always has to reenter the
> > password, also when he only wants to change some other field of his profile.
> >
> > Has anybody seen the same behaviour?
> >
> > Thanks,
> >
> > --- Matthias
> >
> > Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++
> > www.livinglogic.de

