Server includes value of PasswordField in response

If I have a password field in a form, the value of the field is part of the normal Vaadin syncing process that keeps server and client in sync.

You can easily check this by creating a PasswordField and setting it to immediate. If you enter something in the field and the field loses focus, the value is sent to the server. That is fine, as I might have a ValueChangeListener after all. But the reply of the server includes the value again (as part of a “state” object in the UIDL response). And while I personally think this is not such a big deal (the whole traffic is SSL encrypted), it made us look terribly bad in a security audit we had to undergo.

Our current workaround is to empty the fields, as this is the only way we know of to stop Vaadin from sending the values back. Needless to say, this leads to a poor user experience, as the user has to type the same data over and over again if some validation fails.

Is it possible to validate PasswordFields without having Vaadin send back the value? Of course this would mean that the server cannot update the value but I think the content for a PasswordField should be supplied by the user only anyway.

What are your thoughts on this?

That is actually quite a good point. Unfortunately, overriding that behavior might be a bit tricky. So tricky, in fact, that I can’t really think of a way to do it without either extending the component (and sending dummy values back), or creating the component from scratch on the server side and extending the current client-side implementation (which would be a more ‘proper’ solution, but would probably do the same thing in the end).

Does anyone else have a better solution? I have a feeling that there is one, but the Monday is messing with my brain :)

Yeah, I thought as much. Without knowing any details of the AJAX protocol, it seems that the state is completely synced and not just updated. I tested this by removing the text property from within the getState() method, which resulted in the text being cleared in the browser immediately.

I guess this can be solved with a client side component in JavaScript somehow but it would be nice if this was built in.
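One way to do the server-side extension suggested above, as an added example written for this page (not code from the thread or from Vaadin itself). It assumes Vaadin 7 internals: the typed text reaches the server through changeVariables() under the "text" key, beforeClientResponse() copies getValue() into getState().text, and the framework transmits only state properties that differ from what it last sent to that connector. The class name NoEchoPasswordField and the two bookkeeping fields are this example's own. The idea is not to send a dummy value (which, as observed above, clears the widget) but to leave the state property at whatever the browser last saw, so the diff is empty and the widget keeps what the user typed. Values the server sets itself, such as clearing the field after a failed login, still go through.

```java
import java.util.Map;

import com.vaadin.ui.PasswordField;

/**
 * A PasswordField that does not echo a password typed by the user back to the
 * browser in the shared-state part of the UIDL response.
 *
 * Assumes Vaadin 7 internals: the typed text arrives via changeVariables() as the
 * "text" variable, beforeClientResponse() sets getState().text = getValue(), and
 * only state properties that differ from the last transmitted state are sent.
 */
public class NoEchoPasswordField extends PasswordField {

    /** Value as last received from the browser; null once the server changes it. */
    private String clientValue;

    /** The text property as the browser last saw it, i.e. the server's diff baseline. */
    private String lastSentText = "";

    @Override
    public void changeVariables(Object source, Map<String, Object> variables) {
        super.changeVariables(source, variables);
        if (variables.containsKey("text") && !isReadOnly()) {
            // Whatever the field's value is now, the browser supplied it and already has it.
            clientValue = getValue();
        }
    }

    @Override
    public void beforeClientResponse(boolean initial) {
        super.beforeClientResponse(initial); // Vaadin 7: getState().text = getValue()

        if (clientValue != null && clientValue.equals(getValue())) {
            // Unchanged since the browser sent it. Leaving the real value in the state
            // would make the diff non-empty and echo the password in the response, so
            // restore the baseline: nothing is transmitted for "text" and the widget
            // keeps what the user typed (no re-typing after a failed validation).
            // After a detach/re-attach this also means the widget comes back empty
            // rather than having the password re-sent to it.
            getState().text = lastSentText;
        } else {
            // Server-side change (programmatic setValue, clearing the field, ...):
            // send it as usual and remember the new baseline the client now holds.
            lastSentText = getState().text;
            clientValue = null;
        }
    }
}
```

Use it like any other field: `new NoEchoPasswordField("Password")` with `setImmediate(true)` and a ValueChangeListener. Verify the effect the same way the original observation was made, by watching the UIDL response after the field loses focus: the "text" property for this connector should be absent from the "state" object unless the server itself assigned a value. Because the server still holds the typed value, server-side validation and a later `setValue("")` work unchanged.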

I’d suggest filing a ticket about this. While it probably doesn’t matter, syncing it back is indeed dubious.

There may be some use cases for syncing it back. Often some passwords are not so critical, such as stored wireless WPA passwords or website passwords (in browsers), and many applications allow viewing them in plain text. In such cases, you may want to show the length of the current password in the PasswordField, and then switch to a TextField to show it in plain text. You can show the current length with the input prompt, so that use case probably doesn’t require syncing it back. But, maybe there are some other use cases.

Note that you can do rudimentary syntax and strength checking of passwords on the client side with the CSValidation add-on. Just remember to do at least as good checking on the server side as well.

Marko, that’s an interesting add-on. I might look into it later. Currently we get by without any add-ons and I’m reluctant to add one. I think fiddling with the widget sets and the widget set compiler is a hassle. I only raised the issue here because I think this should be part of the core and I wasn’t sure whether it is already possible.

Btw, I asked a similar question on Security StackExchange that focuses more on the security aspect and got some interesting answers.

Since this post is now two years old, I wonder if anyone ever opened a ticket for this ‘problem’?

I think a built-in implementation of client-side password hashing would be a great idea, since SSL is not always an option in an already existing environment.