Eclipse Community Forums
Password text field without synchronization with Java client [message #1386795] Fri, 20 June 2014 13:53
Tiburon T
Hello!

We would like to have some password fields in our RAP application. We used SWT.PASSWORD and created the text fields just as usual, but we are a little bit concerned about the transfer of the clear-text password from the JS to the Java client via JSON. We know TLS would fix this, but anyway:
We would feel better if it were possible to hash the password before it leaves the user's browser. This seemed straightforward with ClientScripting:
- create a ClientListener with JS to hash password
- write password hash into hidden field in the respective dialog
- set text of original password text field to empty string (setText(""))
- make sure no listeners trigger a transfer of the password (i.e. SWT.Modify on the text field)
- read password hash from hidden field in Java

I implemented this and it seems to work. The only problem is that the value of the text field still shows up in the JSON. Does the JSON always incorporate a complete history of the value changes of a control? Is it possible to do what I described?

I hope I did not miss something trivial here.

Greetings,
Tibu

Edit: We use latest RAP 2.3 (I think RC3)

[Updated on: Fri, 20 June 2014 14:04]

Re: Password text field without synchronization with Java client [message #1387007 is a reply to message #1386795] Mon, 23 June 2014 13:16
Paul Bilnoski
I would recommend using an HTTPS connection or some other security technology (perhaps TLS as you mentioned) to secure the password (credentials, challenge response, etc.) from the client to the server.

If you hash the password on the client and send the hashed version, now an attacker just needs the hashed password instead of the clear text password to compromise security with the slight added bonus they may be able to reverse engineer your hashing algorithm parameters.

Another option could be to perform the authentication on the client itself using JS client-side cryptography, but that would likely be difficult to implement and slow in computation compared to server-side crypto.

--Paul Bilnoski
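As an added illustration of the point above (example code written for this thread, not code from the original posts or from RAP): with client-side pre-hashing, the value the server stores and compares is exactly the value that travels on the wire, so whoever holds that hash holds the credential. With server-side salted PBKDF2 over TLS, a leaked record is not a usable login. The password, salt length and iteration count below are constructed sample values.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for the server-side KDF


def client_prehash(password: str) -> str:
    """Scheme A: unsalted hash computed in the browser, as in the original post."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def server_verify_scheme_a(stored_hash: str, received_hash: str) -> bool:
    """Scheme A server check: compares the stored hash to the hash it received."""
    return hmac.compare_digest(stored_hash, received_hash)


def server_enroll_scheme_b(password: str) -> tuple[bytes, bytes]:
    """Scheme B enrolment: per-user random salt, slow KDF, only the password crosses TLS."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def server_verify_scheme_b(record: tuple[bytes, bytes], password: str) -> bool:
    """Scheme B server check: re-derive with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def leaked_record_is_credential(password: str = "constructed-demo-password") -> tuple[bool, bool]:
    """Returns (scheme A accepts its own stored value, scheme B accepts its own stored value).

    Scheme A: the stored hash equals what the client sends, so presenting the stored
    value logs in without ever knowing the password (a password-equivalent).
    Scheme B: presenting the stored digest as a password fails; the server must see
    the real password, which is why transport protection (TLS) is the fix.
    """
    stored_a = client_prehash(password)
    scheme_a_accepts_stored = server_verify_scheme_a(stored_a, stored_a)

    record_b = server_enroll_scheme_b(password)
    scheme_b_accepts_stored = server_verify_scheme_b(record_b, record_b[1].hex())
    return scheme_a_accepts_stored, scheme_b_accepts_stored
```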
Re: Password text field without synchronization with Java client [message #1387165 is a reply to message #1387007] Tue, 24 June 2014 14:34
Tiburon T
Thanks for your suggestion and explanation, Mr. Bilnoski. The considerations you mention are valid and I agree with you completely.

It would still be nice to know, though, if it is possible to keep the value of a text field from being sent in the JSON traffic somehow. I guess one workaround would be to use a custom HTML form and embed it using the Browser widget, but I was hoping for an easier way using only RWT Text.

Greetings
Tibu
Re: Text field without synchronization with Java client [message #1389026 is a reply to message #1386795] Fri, 27 June 2014 08:19
Tim Buschtoens
Hi.

It's a question of what happens in what order. The text is written into the message as soon as there is any event that is added to the message. So if you have a Modify, Verify or Selection listener, just typing might do that. Any other widget triggering an event might also do that. Looking into the message might tell you what event that is.

But I have to agree with the other post, this is not a good idea. And even if you want to stick to the general approach (not sending the plain password to the server), do NOT rely on how RAP internals synchronize properties; create your own custom widget to do this.

Greetings,
Tim

Re: Password text field without synchronization with Java client [message #1389180 is a reply to message #1386795] Fri, 27 June 2014 12:51
Tiburon T
Thanks for your answer, Mr. Buschtöns. I see how relying on the internals would be very bad indeed. I will look into realizing this with a custom widget; that is the cleanest way to do it.

Greetings,
Tibu