There’s always a risk because there might be a programming mistake anywhere in the system.
The best approach for avoiding this is to use password hashing and never even store the actual passwords anywhere. This is also the case if you use some modern SSO solution.
Second best would be to make sure your database queries don’t return the password since you would then reduce places where a potential bug might hide. But even in that case, an SQL injection vulnerability might still expose the passwords.
With Vaadin Flow components, only the visible data is transferred to the client, and data binding and manipulation in Java is generally safe in that sense. However, a good practice is not to have clear-text passwords in the DB.
I use Keycloak for this, and there is a tutorial that is pretty straightforward here: Vaadin Keycloak OAuth2 Integration – Martinelli. Using this recipe you can use @RequiresRole, @AnonymousAllowed, @PermitAll etc. on your views to secure them.
One might argue that it is overkill, but actually it is possible to keep it simple and feasible for even basic applications. Roll-your-own solutions might seem simple too, but it is not exactly simple to make sure they are actually secure. With Keycloak you can start using more advanced features when needed, without having to change “everything”.