WICKET-6211 clear password on detach

Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/4054dbc7
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/4054dbc7
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/4054dbc7

Branch: refs/heads/master
Commit: 4054dbc7f8839a9b6dfee1fcdfc9afe4370724ce
Parents: b93e1ba
Author: Sven Meier <svenme...@apache.org>
Authored: Tue Jul 19 23:50:17 2016 +0200
Committer: Martin Tzvetanov Grigorov <mgrigo...@apache.org>
Committed: Wed Jul 20 00:10:32 2016 +0200

----------------------------------------------------------------------
 .../markup/html/form/PasswordTextField.java     | 50 ++++++----
 .../markup/html/form/PasswordTextFieldTest.java | 97 ++++++++++++++++++++
 2 files changed, 129 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/4054dbc7/wicket-core/src/main/java/org/apache/wicket/markup/html/form/PasswordTextField.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/markup/html/form/PasswordTextField.java
 
b/wicket-core/src/main/java/org/apache/wicket/markup/html/form/PasswordTextField.java
index cbb5010..334248c 100644
--- 
a/wicket-core/src/main/java/org/apache/wicket/markup/html/form/PasswordTextField.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/markup/html/form/PasswordTextField.java
@@ -18,8 +18,6 @@ package org.apache.wicket.markup.html.form;
 
 import org.apache.wicket.markup.ComponentTag;
 import org.apache.wicket.model.IModel;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 
 /**
@@ -28,6 +26,10 @@ import org.slf4j.LoggerFactory;
  * <p>
  * By default this text field is required. If it is not, call {@link 
#setRequired(boolean)} with
  * value of <code>false</code>.
+ * <p>
+ * Note that by default the model object is nullified after each request to 
prevent the entered
+ * password to be serialized along with the containing page, see {@link 
#setResetPassword(boolean)}
+ * for details.
  * 
  * @author Jonathan Locke
  */
@@ -35,14 +37,8 @@ public class PasswordTextField extends TextField<String>
 {
        private static final long serialVersionUID = 1L;
 
-       /** Log. */
-       private static final Logger log = 
LoggerFactory.getLogger(PasswordTextField.class);
-
        /**
-        * Flag indicating whether the contents of the field should be reset 
each time it is rendered.
-        * If <code>true</code>, the contents are emptied when the field is 
rendered. This is useful for
-        * login forms. If <code>false</code>, the contents of the model are 
put into the field. This is
-        * useful for entry forms where the contents of the model should be 
editable, or resubmitted.
+        * Should password be reset, see {@link #setResetPassword(boolean)}.
         */
        private boolean resetPassword = true;
 
@@ -67,12 +63,9 @@ public class PasswordTextField extends TextField<String>
        }
 
        /**
-        * Flag indicating whether the contents of the field should be reset 
each time it is rendered.
-        * If <code>true</code>, the contents are emptied when the field is 
rendered. This is useful for
-        * login forms. If <code>false</code>, the contents of the model are 
put into the field. This is
-        * useful for entry forms where the contents of the model should be 
editable, or resubmitted.
+        * Should password be reset, see {@link #setResetPassword(boolean)}.
         * 
-        * @return Returns the resetPassword.
+        * @return should password be resetted
         */
        public final boolean getResetPassword()
        {
@@ -80,10 +73,14 @@ public class PasswordTextField extends TextField<String>
        }
 
        /**
-        * Flag indicating whether the contents of the field should be reset 
each time it is rendered.
-        * If <code>true</code>, the contents are emptied when the field is 
rendered. This is useful for
-        * login forms. If <code>false</code>, the contents of the model are 
put into the field. This is
-        * useful for entry forms where the contents of the model should be 
editable, or resubmitted.
+        * Flag indicating whether the password should be reset after each 
request.
+        * Additionally any present value is not rendered into the markup.
+        * <br>
+        * If <code>true</code>, the model object is set to null after each 
request to prevent it
+        * being serialized along with the containing page. This is default and 
highly recommended
+        * for login forms. If <code>false</code> the model value is handled as 
in a standard
+        * {@link TextField}, this is useful for entry forms where the contents 
of the model should
+        * be editable, or resubmitted.
         * 
         * @param resetPassword
         *            The resetPassword to set.
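Review bot: The new Javadoc on `setResetPassword` explains what `true` protects against but describes `false` only as "handled as in a standard TextField", which hides the consequence of opting out. I would add a sentence such as `With <code>false</code> the password stays in the model, can be serialized along with the containing page, and is rendered into the markup.` The rendering part is inferred from the "not rendered into the markup" sentence, so confirm it against the tag-rendering code, which is outside this hunk. The method body itself also lies outside the hunk.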
@@ -117,4 +114,21 @@ public class PasswordTextField extends TextField<String>
        {
                return new String[] {"password"};
        }
+
+       /**
+        * Overriden to nullify the password.
+        */
+       @Override
+       protected void onDetach()
+       {
+               if (resetPassword) {
+                       clearInput();
+
+                       if (getModel() != null) {
+                               setModelObject(null);
+                       }
+               }
+
+               super.onDetach();
+       }
 }
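Review bot: In `onDetach()`, `super.onDetach()` only runs if the reset above it completes, and `setModelObject(null)` calls into the application's model, which may reject the write (a read-only model, for example). An exception there would skip the superclass detach, so I would wrap the reset as `try { ... } finally { super.onDetach(); }`. Separately, the comment `Overriden to nullify the password` should say that this only drops the reference to keep the password out of the serialized page; the `String` itself stays on the heap until it is collected. It is also worth stating that with a shared model, such as one backed by a bean property, the reset writes null into that backing object at the end of every request, which the `nullifyPassword` test confirms for its own model.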

http://git-wip-us.apache.org/repos/asf/wicket/blob/4054dbc7/wicket-core/src/test/java/org/apache/wicket/markup/html/form/PasswordTextFieldTest.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/test/java/org/apache/wicket/markup/html/form/PasswordTextFieldTest.java
 
b/wicket-core/src/test/java/org/apache/wicket/markup/html/form/PasswordTextFieldTest.java
new file mode 100644
index 0000000..9b93fcc
--- /dev/null
+++ 
b/wicket-core/src/test/java/org/apache/wicket/markup/html/form/PasswordTextFieldTest.java
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.markup.html.form;
+
+import org.apache.wicket.model.IModel;
+import org.apache.wicket.util.tester.WicketTestCase;
+import org.junit.Test;
+
+/**
+ * Test for {@link PasswordTextField}.
+ *
+ * @author svenmeier
+ */
+public class PasswordTextFieldTest extends WicketTestCase
+{
+
+       @Test
+       public void nullifyPassword()
+       {
+               TestModel model = new TestModel();
+
+               PasswordTextField field = new PasswordTextField("password", 
model);
+
+               field.detach();
+
+               assertNull(model.password);
+               assertTrue(model.detached);
+       }
+
+       @Test
+       public void nullifyPasswordOnNullModel()
+       {
+               PasswordTextField field = new PasswordTextField("password");
+               field.setVisible(false);
+
+               // does nothing on null model
+               field.detach();
+       }
+
+
+       @Test
+       public void nullifyNoReset()
+       {
+               TestModel model = new TestModel();
+
+               PasswordTextField field = new PasswordTextField("password", 
model);
+               field.setResetPassword(false);
+
+               field.detach();
+
+               assertEquals("test", model.password);
+               assertTrue(model.detached);
+       }
+
+       private class TestModel implements IModel<String>
+       {
+               public boolean detached;
+
+               public String password = "test";
+
+               @Override
+               public String getObject()
+               {
+                       detached = false;
+
+                       return password;
+               }
+
+               @Override
+               public void setObject(String password)
+               {
+                       this.password = password;
+
+                       detached = false;
+               }
+
+               @Override
+               public void detach()
+               {
+                       detached = true;
+               }
+       }
+}
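Review bot: None of the three tests covers the `clearInput()` half of the reset; they assert only on `model.password` and `model.detached`, so a regression that leaves the submitted raw input on the component would still pass. I would add a case that submits a value to the field, calls `detach()`, and then checks `assertNull(field.getRawInput());`; how the raw input is best set up depends on the tester API, which is not visible here. `nullifyPasswordOnNullModel` has no assertion, so a comment saying it passes when `detach()` does not throw would make the intent explicit. `TestModel` could also be declared `private static class`, since it never uses the enclosing test instance.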
