Re: [Wicket-user] PasswordField special getModelValue() method question

Sat, 19 Nov 2005 02:46:08 -0800

Ok,

I still don't really understand the the answer, but that's not a problem.
Indeed, if it is a feature, it's *good*, because I initially saw it as a bug for the new implementation of FormComponent & Form I sent to the list yesterday (early) morning ( see "Preserve form state" thread).

By the time, did somebody give a look at it ?

I really agree with Matej that there is a problem in this area.

I can give full working example, packaged with maven & jelly ...

And please note that the new implementation I gave (in both diff & full class ways)  is meant to be fully backward compatible with existing code.
That's why I thought there was a problem with PasswordTextField, since my solution didn't work for it. But now I know it is normal, because onRenderTag() of PasswordTextField does'nt call getValue() from Form)

--
Laurent


On 11/19/05, Juergen Donnerstag <[EMAIL PROTECTED]> wrote:
On 11/18/05, Laurent PETIT <[EMAIL PROTECTED]> wrote:
> Hello,
>
>  yet another question concerning PasswordField ?
>
>  the getModelValue() returns and encrypted version, and the setModelValue()
> decrypts it, why ?
>

The idea: prevent access to the plain password by accident. An attempt
to make wicket apps secure without any additional effort.

>  Because it is still possible to get the real value by using
> getModelAsString() for example, which is not overriden, so I think it has
> not been done for security reasons ... ?
>

I agree, the approach obviously is not perfect. But if a wicket user
realy wants to have the password, he/she simply creates his own
MyPasswordTextField. A developer will always be able to get the
password somehow. 100% security is not possible in that context IMO.

getModelAsString() is final and in IMO it should not be removed just
for PasswortTextField to replace it. See the security reason above,
for the why.

Juergen


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&opclick
_______________________________________________
Wicket-user mailing list
Wicket-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wicket-user

Reply via email to