Posted to user@struts.apache.org by Matthias Bauer <Ma...@livinglogic.de> on 2001/02/13 10:25:16 UTC

html:password

Hi, 

I just upgraded to struts 1.0 nightly build 20010212 from an earlier version and
found that the html:password tag does not work as in the earlier version I used
(20010117): the password is no longer displayed as '*'s. Instead the password
field is empty. This does not seem to be a feature, because it imposes some
difficulties when I want to let the user edit his profile, which contains a
password, because now the user always has to re-enter the password, even when he
only wants to change some other field of his profile.

Has anybody seen the same behaviour?

Thanks,

--- Matthias

Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++ www.livinglogic.de

Re: html:password

Posted by Matthias Bauer <Ma...@livinglogic.de>.
As I asked the original question on the new behaviour for the password field,
let me say this: I did not see the problem when I asked my question, but now I
am perfectly aware (and I admit, it is quite obvious) of the security risk you
are imposing when you send the current value of the password along in the html
source. Therefore I would say that for the sake of security there shouldn't be a
boolean value, so people are not tempted to implement a risky solution.

--- Matthias


Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++ www.livinglogic.de


"Craig R. McClanahan" wrote:
> 
> Maya Muchnik wrote:
> 
> > I have seen similar behavior for the edit option. The form (struts-example) does
> > not display "*", but it does not require re-entering the password either.
> >
> 
> This behavior was changed due to concerns about the fact that the old password would
> appear (in the HTML source) when you were on the login page and -- for example --
> mistyped by one character your actual password.  A hacker who saw the incorrect value
> is a lot closer to guessing the right one.
> 
> Would it make sense to have a boolean option to "have it your way" on this?
> 
> Craig

Re: html:password

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.

Maya Muchnik wrote:

> I have seen similar behavior for the edit option. The form (struts-example) does
> not display "*", but it does not require re-entering the password either.
>

This behavior was changed due to concerns about the fact that the old password would
appear (in the HTML source) when you were on the login page and -- for example --
mistyped by one character your actual password.  A hacker who saw the incorrect value
is a lot closer to guessing the right one.

Would it make sense to have a boolean option to "have it your way" on this?

Craig
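
Craig's reason for the change (the page source carries whatever was last typed into the field, including a password that is one character off) and Matthias's profile-editing case can both be handled in the form bean instead of in the tag. The following is an added example written for this thread, not code from the Struts project or from any of the posters. It assumes the Struts 1.0 API (ActionForm.reset(), Action.perform()), a hypothetical ProfileStore interface standing in for the application's own persistence layer, and that the store is published in the servlet context under the assumed attribute name "profileStore".

```java
// Added example for this thread; not code from the Struts project or from any poster.
// Assumes Struts 1.0 (ActionForm.reset(), Action.perform()), a hypothetical
// ProfileStore standing in for the application's persistence layer, and that
// the store is placed in the servlet context under the (assumed) key "profileStore".
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical persistence layer. It should store a password hash, never the clear text. */
interface ProfileStore {
    void updateEmail(String username, String email);
    void updatePassword(String username, String newClearTextPassword);
}

/**
 * Form bean behind the profile page. The "password" bean property is write-only
 * in effect: setPassword() keeps what the user typed for this one request, but
 * getPassword() always returns "". Whatever a given build of html:password does
 * with the bean value, the only thing it can echo into the page source is
 * value="", never the real password and never a mistyped one.
 */
public class ProfileForm extends ActionForm {
    private String username;
    private String email;
    private String password;   // clear text; lives only until the request is handled

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    public void setPassword(String password) { this.password = password; }
    /** The view layer never gets the value back. */
    public String getPassword() { return ""; }
    /** Not a JavaBean getter (no "get" prefix), so the tags cannot reach it; only the Action does. */
    String submittedPassword() { return password; }

    /**
     * The controller calls this before populating the bean from each request. A
     * session-scoped bean would otherwise still hold the password submitted last
     * time; blanking it here makes "empty field" mean "unchanged" and prevents a
     * stale value from being applied again on a later save.
     */
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        password = null;
    }
}

/**
 * Saves the profile. An empty password field means "keep the current password",
 * so the user can change other fields without retyping it.
 */
class SaveProfileAction extends Action {
    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        ProfileStore store =
            (ProfileStore) getServlet().getServletContext().getAttribute("profileStore");
        ProfileForm profile = (ProfileForm) form;

        store.updateEmail(profile.getUsername(), profile.getEmail());

        String submitted = profile.submittedPassword();
        if (submitted != null && submitted.length() > 0) {
            store.updatePassword(profile.getUsername(), submitted);
        }
        // Drop the clear text before the bean is rendered again or lingers in the session.
        profile.reset(mapping, request);
        return mapping.findForward("success");
    }
}
```

Because getPassword() returns "" regardless of what the private field holds, it does not matter which nightly build's html:password tag renders the page or whether that tag echoes the bean value: the page source can only ever contain value="". An empty submission means "keep the current password", so the user can change the e-mail address without retyping anything, and reset() stops a session-scoped bean from carrying a submitted value into the next request.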



Re: html:password

Posted by Maya Muchnik <mm...@pumatech.com>.
I have seen similar behavior for the edit option. The form (struts-example) does
not display "*", but it does not require re-entering the password either.

Matthias Bauer wrote:

> Hi,
>
> I just upgraded to struts 1.0 nightly build 20010212 from an earlier version and
> found that the html:password tag does not work as in the earlier version I used
> (20010117): the password is no longer displayed as '*'s. Instead the password
> field is empty. This does not seem to be a feature, because it imposes some
> difficulties when I want to let the user edit his profile, which contains a
> password, because now the user always has to re-enter the password, even when he
> only wants to change some other field of his profile.
>
> Has anybody seen the same behaviour?
>
> Thanks,
>
> --- Matthias
>
> Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++ www.livinglogic.de


Re: html:password

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Frederic BAGES wrote:

>         I haven't tried since the changes were made, but I think it's because of the
> way the session object is managed. You don't lose session information (your
> form) until a timeout occurs. It's the same on many web sites. If you close
> your browser you won't be able to log in without your password. It's better
> than seeing the password in plain text in the html source. But I don't know
> why the password is not set to an empty string if you don't fill in the
> password field.
>

This got changed about a week ago -- the password field no longer echoes the previous
contents into the source of the page.  Try a recent nightly build.

>
>         I forward this message to the dev list before the 1.0 release of struts.
>
>         Frederic.
>

Craig



Re: Class BaseHandlerTag

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Josh wrote:

> I am trying to understand the BaseHandlerTag in the package
> org.apache.struts.taglib.html and in particular the events.  For example when
> and how would one go about using "getOnclick()"?

You probably would not be using this, which is probably leading to your confusion
:-).

Technically, custom tags only need setter methods for their properties, because
that is all the JSP page compiler needs.  I put getters in by programming habit,
and have found them to be useful in case of nested tags (a tag can find out who
its immediate parent is, and call property getters on that tag instance as if it
were a bean).

>  I would think that there is
> some example code lying around which could answer many of my questions.  I am
> running the struts-example program, which has been very helpful, however it
> does not seem to be utilizing any of the events in the BaseHandlerTag (or am I
> wrong?).  I will continue to search for some example code to illustrate uses
> for these events, but in the meantime, if people subscribed to this list could
> post any links to follow, I would appreciate it.
>

If you wanted to pop up an alert box when a button was clicked, you might say
something like (I'm not a JavaScript maven, so forgive any incorrect syntax):

    <html:button value="Click Me!"
     onclick='alert("I was clicked!")'/>

which will cause an "onclick" event handler to be included on the generated button
tag.  The same goes for all the other event handlers -- they just pass through
corresponding attributes on the generated HTML elements.

>
> Thanks,
> Josh
>

Craig



Class BaseHandlerTag

Posted by Josh <jr...@yahoo.com>.
I am trying to understand the BaseHandlerTag in the package
org.apache.struts.taglib.html and in particular the events.  For example when
and how would one go about using "getOnclick()"?  I would think that there is
some example code lying around which could answer many of my questions.  I am
running the struts-example program, which has been very helpful, however it
does not seem to be utilizing any of the events in the BaseHandlerTag (or am I
wrong?).  I will continue to search for some example code to illustrate uses
for these events, but in the meantime, if people subscribed to this list could
post any links to follow, I would appreciate it.

Thanks,
Josh




Re: html:password

Posted by Maya Muchnik <mm...@pumatech.com>.
Frederic,

I agree that nobody will "welcome" getting the password back as plain text. I am for
NO getter method for the password (we are doing this on the database level). When a user
sees an empty field in the form he / she is confused: "Do I need to fill in or
not?" Especially for a password.

Frederic BAGES wrote:

>         I haven't tried since the changes were made, but I think it's because of the
> way the session object is managed. You don't lose session information (your
> form) until a timeout occurs. It's the same on many web sites. If you close
> your browser you won't be able to log in without your password. It's better
> than seeing the password in plain text in the html source. But I don't know
> why the password is not set to an empty string if you don't fill in the
> password field.
>
>         I forward this message to the dev list before the 1.0 release of struts.
>
>         Frederic.
>
> -----Original Message-----
> From: mmuchnik@brainwasher.iway.fr
> [mailto:mmuchnik@brainwasher.iway.fr] On Behalf Of Maya Muchnik
> Sent: Tuesday, 13 February 2001 15:36
> To: struts-user@jakarta.apache.org
> Subject: Re: html:password
>
> OK, you do not display the password as some number of "*" and the password is an
> empty field. But then you change another field, not the password, and push "Save".
> No problem. Where is the security? If a user can see a string of all "*" in the
> source, I think it is not a bigger problem than seeing an empty string. I think it
> is important that the password will not have a getter method.
>
> Frederic BAGES wrote:
>
> >         It was a request from myself. I didn't know that it would annoy anyone. The
> > fact is that if you ask your browser to show you the html source you will
> > see the password is embedded in it (in the case of '*'). It is not secure and we
> > found that it's better not to fill back the password field.
> >
> >         Frederic.
> >
> > -----Original Message-----
> > From: hias@livinglogic.de [mailto:hias@livinglogic.de] On Behalf Of
> > Matthias Bauer
> > Sent: Tuesday, 13 February 2001 10:25
> > To: struts-user@jakarta.apache.org
> > Subject: html:password
> >
> > Hi,
> >
> > I just upgraded to struts 1.0 nightly build 20010212 from an earlier version and
> > found that the html:password tag does not work as in the earlier version I used
> > (20010117): the password is no longer displayed as '*'s. Instead the password
> > field is empty. This does not seem to be a feature, because it imposes some
> > difficulties when I want to let the user edit his profile, which contains a
> > password, because now the user always has to re-enter the password, even when he
> > only wants to change some other field of his profile.
> >
> > Has anybody seen the same behaviour?
> >
> > Thanks,
> >
> > --- Matthias
> >
> > Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++ www.livinglogic.de



RE: html:password

Posted by Frederic BAGES <fr...@in-fusio.com>.
	I haven't tried since the changes were made, but I think it's because of the
way the session object is managed. You don't lose session information (your
form) until a timeout occurs. It's the same on many web sites. If you close
your browser you won't be able to log in without your password. It's better
than seeing the password in plain text in the html source. But I don't know
why the password is not set to an empty string if you don't fill in the
password field.

	I forward this message to the dev list before the 1.0 release of struts.

	Frederic.



-----Original Message-----
From: mmuchnik@brainwasher.iway.fr
[mailto:mmuchnik@brainwasher.iway.fr] On Behalf Of Maya Muchnik
Sent: Tuesday, 13 February 2001 15:36
To: struts-user@jakarta.apache.org
Subject: Re: html:password


OK, you do not display the password as some number of "*" and the password is an
empty field. But then you change another field, not the password, and push "Save".
No problem. Where is the security? If a user can see a string of all "*" in the
source, I think it is not a bigger problem than seeing an empty string. I think it
is important that the password will not have a getter method.

Frederic BAGES wrote:

>         It was a request from myself. I didn't know that it would annoy anyone. The
> fact is that if you ask your browser to show you the html source you will
> see the password is embedded in it (in the case of '*'). It is not secure and we
> found that it's better not to fill back the password field.
>
>         Frederic.
>
> -----Original Message-----
> From: hias@livinglogic.de [mailto:hias@livinglogic.de] On Behalf Of
> Matthias Bauer
> Sent: Tuesday, 13 February 2001 10:25
> To: struts-user@jakarta.apache.org
> Subject: html:password
>
> Hi,
>
> I just upgraded to struts 1.0 nightly build 20010212 from an earlier version and
> found that the html:password tag does not work as in the earlier version I used
> (20010117): the password is no longer displayed as '*'s. Instead the password
> field is empty. This does not seem to be a feature, because it imposes some
> difficulties when I want to let the user edit his profile, which contains a
> password, because now the user always has to re-enter the password, even when he
> only wants to change some other field of his profile.
>
> Has anybody seen the same behaviour?
>
> Thanks,
>
> --- Matthias
>
> Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++ www.livinglogic.de



Re: html:password

Posted by Maya Muchnik <mm...@pumatech.com>.
OK, you do not display the password as some number of "*" and the password is an
empty field. But then you change another field, not the password, and push "Save".
No problem. Where is the security? If a user can see a string of all "*" in the
source, I think it is not a bigger problem than seeing an empty string. I think it
is important that the password will not have a getter method.

Frederic BAGES wrote:

>         It was a request from myself. I didn't know that it would annoy anyone. The
> fact is that if you ask your browser to show you the html source you will
> see the password is embedded in it (in the case of '*'). It is not secure and we
> found that it's better not to fill back the password field.
>
>         Frederic.
>
> -----Original Message-----
> From: hias@livinglogic.de [mailto:hias@livinglogic.de] On Behalf Of
> Matthias Bauer
> Sent: Tuesday, 13 February 2001 10:25
> To: struts-user@jakarta.apache.org
> Subject: html:password
>
> Hi,
>
> I just upgraded to struts 1.0 nightly build 20010212 from an earlier version and
> found that the html:password tag does not work as in the earlier version I used
> (20010117): the password is no longer displayed as '*'s. Instead the password
> field is empty. This does not seem to be a feature, because it imposes some
> difficulties when I want to let the user edit his profile, which contains a
> password, because now the user always has to re-enter the password, even when he
> only wants to change some other field of his profile.
>
> Has anybody seen the same behaviour?
>
> Thanks,
>
> --- Matthias
>
> Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++ www.livinglogic.de


RE: html:password

Posted by Frederic BAGES <fr...@in-fusio.com>.
	It was a request from myself. I didn't know that it would annoy anyone. The
fact is that if you ask your browser to show you the html source you will
see the password is embedded in it (in the case of '*'). It is not secure and we
found that it's better not to fill back the password field.

	Frederic.

-----Original Message-----
From: hias@livinglogic.de [mailto:hias@livinglogic.de] On Behalf Of
Matthias Bauer
Sent: Tuesday, 13 February 2001 10:25
To: struts-user@jakarta.apache.org
Subject: html:password


Hi,

I just upgraded to struts 1.0 nightly build 20010212 from an earlier version and
found that the html:password tag does not work as in the earlier version I used
(20010117): the password is no longer displayed as '*'s. Instead the password
field is empty. This does not seem to be a feature, because it imposes some
difficulties when I want to let the user edit his profile, which contains a
password, because now the user always has to re-enter the password, even when he
only wants to change some other field of his profile.

Has anybody seen the same behaviour?

Thanks,

--- Matthias

Matthias Bauer +++ mba@livinglogic.de +++ LivingLogic AG +++ www.livinglogic.de