Posted to users@wicket.apache.org by Jim Pinkham <pi...@gmail.com> on 2010/07/23 21:12:54 UTC
learn from my security mistake with getString
I was just looking around for my dunce cap after noticing this little gotcha
- and I thought of this forum instead to share my moment of
not-so-brilliance:
    public LoginForm(final String id) {
        ... other stuff ...
        add(new FormComponentFeedbackBorder("user.feedback")
                .add(new TextField("user").setRequired(true)));
        passwordField = new PasswordTextField("password");
        passwordField.setRequired(true);
        add(new FormComponentFeedbackBorder("password.feedback").add(passwordField));
    }

    protected void onSubmit() {
        // Resolves the key "password" in MyLoginPage.properties: the configured
        // secret, stored under the same name as the field's wicket:id.
        String password = getString("password").trim();
        if (password.equalsIgnoreCase(getPassword())) {
            ((AuctionSession) getSession()).setAdmin(true);
            ((AuctionSession) getSession()).setUserName(getUser());
            if (!continueToOriginalDestination())
                setResponsePage(getApplication().getHomePage());
        } else
            passwordField.error("invalid user/password");
    }
}
Pretty basic, I know. Maybe you have a page like this in your Wicket app?
The mistake I wanted to share is that I'm using the same name for the
"password" wicket:id, and the string property in MyLoginPage.properties,
which just has a line that says password=super_secret_whatever. (Actually,
it's ${profile.password} and I have different maven profiles for different
versions of the app, but that's another story).
Anyway, imagine my surprise when I accidentally left the password blank by
mistake - the required error message uses the same property and shows the
password to the wide world in the feedback message: 'super_secret_whatever'
is required. Hah! (Yup, it's been in production for quite a while like
this...)
Just wanted to share that one with y'all - may all your mistakes be
entertaining and/or educational...
:)
-- Jim.
Re: learn from my security mistake with getString
Posted by James Carman <ja...@carmanconsulting.com>.
Doh!
On Jul 23, 2010 3:13 PM, "Jim Pinkham" <pi...@gmail.com> wrote:
Re: learn from my security mistake with getString
Posted by Igor Vaynberg <ig...@gmail.com>.
java.util.Properties
-igor
On Fri, Jul 23, 2010 at 2:32 PM, Fernando Wermus
<fe...@gmail.com> wrote:
> We all know that. On the other hand, it is very practical to solve it in that
> way. What tools or frameworks do you use instead?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org
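Putting Jim's gotcha above together with Igor's one-line answer (java.util.Properties), here is an added example; it is not code from the thread or from Wicket itself. The expected secret is read from a separate configuration source with java.util.Properties (or an environment variable) instead of the page's .properties file, and the password field gets an explicit label. Wicket's default required-field message is built from ${label}, and when no label is set, the label falls back to resolving the component id ("password") against the page's resource strings; that fallback is the lookup that printed the secret, and an explicit label removes it. The class name SafeLoginForm, the file admin.properties, the key admin.password and the variable ADMIN_PASSWORD are names chosen for this example; AuctionSession and the boolean-returning continueToOriginalDestination() follow the Wicket 1.4-era API used in Jim's code.

```java
// Added example, not code from the mailing-list thread or from Wicket.
// Assumptions: Wicket 1.4-era API (as in the post), an AuctionSession class in
// the same package, and an optional classpath file admin.properties holding
// "admin.password=..." (file name and key chosen for this example).
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;

import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.Model;

public class SafeLoginForm extends Form<Void> {

    private final TextField<String> userField;
    private final PasswordTextField passwordField;

    public SafeLoginForm(final String id) {
        super(id);
        userField = new TextField<String>("user", Model.of(""));
        userField.setRequired(true);
        userField.setLabel(Model.of("User name"));
        add(userField);

        passwordField = new PasswordTextField("password", Model.of(""));
        passwordField.setRequired(true);
        // Explicit label: the required-field message now reads "'Password' is
        // required" and never resolves the id "password" through the page's
        // properties file.
        passwordField.setLabel(Model.of("Password"));
        add(passwordField);
    }

    @Override
    protected void onSubmit() {
        // The submitted value comes from the field's model, not from getString().
        String submitted = passwordField.getModelObject();
        String expected = AdminConfig.adminPassword();
        if (submitted != null && expected != null && secretsMatch(submitted, expected)) {
            ((AuctionSession) getSession()).setAdmin(true);
            ((AuctionSession) getSession()).setUserName(userField.getModelObject());
            if (!continueToOriginalDestination()) {
                setResponsePage(getApplication().getHomePage());
            }
        } else {
            // Fixed text: names neither the label nor any configured value.
            passwordField.error("invalid user/password");
        }
    }

    /** Case-sensitive comparison whose timing does not depend on content for equal-length inputs. */
    static boolean secretsMatch(String submitted, String expected) {
        return MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    /** Configuration read with java.util.Properties, kept apart from Wicket's UI string resources. */
    static final class AdminConfig {
        private static final Properties PROPS = load();

        private static Properties load() {
            Properties p = new Properties();
            try (InputStream in = AdminConfig.class.getResourceAsStream("/admin.properties")) {
                if (in != null) {
                    p.load(in);
                }
            } catch (IOException e) {
                throw new IllegalStateException("cannot read admin.properties", e);
            }
            return p;
        }

        static String adminPassword() {
            // An environment variable takes precedence, so the secret need not be
            // baked into the build (Maven profile) at all.
            String fromEnv = System.getenv("ADMIN_PASSWORD");
            return fromEnv != null ? fromEnv : PROPS.getProperty("admin.password");
        }
    }
}
```

Two details worth noting: the environment-variable path replaces the ${profile.password} Maven substitution from the post, so the secret no longer lives in any file that Wicket's Localizer can reach; and MessageDigest.isEqual makes the comparison case-sensitive, which the original equalsIgnoreCase was not.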
Re: learn from my security mistake with getString
Posted by 7zark7 <7z...@gmail.com>.
properties files and/or Spring configuration files
Sent from my iPod
On Jul 23, 2010, at 2:32 PM, Fernando Wermus <fe...@gmail.com> wrote:
> We all know that. On the other hand, it is very practical to solve it in that
> way. What tools or frameworks do you use instead?
Re: learn from my security mistake with getString
Posted by Fernando Wermus <fe...@gmail.com>.
We all know that. On the other hand, it is very practical to solve it in that
way. What tools or frameworks do you use instead?
On Fri, Jul 23, 2010 at 5:25 PM, Igor Vaynberg <ig...@gmail.com>wrote:
> wicket property files are meant for externalizing ui strings, not
> configuration values :)
--
Fernando Wermus.
www.linkedin.com/in/fernandowermus
Re: learn from my security mistake with getString
Posted by Igor Vaynberg <ig...@gmail.com>.
wicket property files are meant for externalizing ui strings, not
configuration values :)
-igor
On Fri, Jul 23, 2010 at 12:12 PM, Jim Pinkham <pi...@gmail.com> wrote: