On 11/18/05, Laurent PETIT <[EMAIL PROTECTED]> wrote:
> Hello,
>
> yet another question concerning PasswordField ?
>
> the getModelValue() returns an encrypted version, and the setModelValue()
> decrypts it, why ?
>

The idea: prevent access to the plain password by accident. An attempt to make wicket apps secure without any additional effort.

> Because it is still possible to get the real value by using
> getModelAsString() for example, which is not overridden, so I think it has
> not been done for security reasons ... ?
>

I agree, the approach obviously is not perfect. But if a wicket user really wants to have the password, he/she simply creates his own MyPasswordTextField. A developer will always be able to get the password somehow. 100% security is not possible in that context IMO. getModelAsString() is final and IMO it should not be removed just for PasswordTextField to replace it. See the security reason above, for the why.

Juergen
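The round trip discussed in this thread, as an added example that is not part of the original message and is not Wicket's code: a value written to markup is ciphertext, setModelValue() decrypts it, and a separate accessor still returns the plain value. The class name PasswordFieldSketch, the setModel() helper, the per-session key and the choice of AES-GCM are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical stand-in for the field discussed in the thread; not Wicket's code.
public class PasswordFieldSketch {
    private final SecretKey key;  // assumption: one key per user session
    private String model;         // plain password, held server-side only
    PasswordFieldSketch(SecretKey key) { this.key = key; }
    void setModel(String plain) { model = plain; }

    // Value that would be written into markup: IV + ciphertext, never the plain password.
    String getModelValue() throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(model.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Accepts a value produced by getModelValue(); the GCM tag check rejects tampered input.
    void setModelValue(String value) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(value);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        model = new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    // The accessor that is not overridden in the thread: still hands back the plain value.
    String getModelAsString() { return model; }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        PasswordFieldSketch f = new PasswordFieldSketch(kg.generateKey());
        f.setModel("constructed-sample-pw");  // constructed sample value
        String rendered = f.getModelValue();
        PasswordFieldSketch g = new PasswordFieldSketch(f.key);
        g.setModelValue(rendered);            // simulates the form value coming back
        System.out.println("markup value: " + rendered);
        System.out.println("plain via getModelAsString(): " + g.getModelAsString());
    }
}
```

Anything that logs or re-renders getModelValue() sees only ciphertext, while code that calls getModelAsString() gets the plain password, so reviews and log scrubbing should focus on that second path.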