Password text field without synchronization with Java client [message #1386795]
Fri, 20 June 2014 13:53
Tiburon T Messages: 61 Registered: October 2011
Member
Hello!
We would like to have some password fields in our RAP application. We used SWT.PASSWORD and created the text fields just as usual, but we are a little bit concerned about the transfer of the clear text password from the JS to the Java client via JSON. We know TLS would fix this, but anyway:
We would feel better if it was possible to hash the password before it leaves the browser of the user. This seemed straightforward with ClientScripting:
- create a ClientListener with JS to hash password
- write password hash into hidden field in the respective dialog
- set text of original password text field to empty string (setText(""))
- make sure no listeners trigger a transfer of the password (i.e. SWT.Modify on the text field)
- read password hash from hidden field in Java
I implemented this and it seems to work - the only problem is that the value of the text field still shows up in the JSON. Does the JSON always incorporate a complete history of the value changes of a control? Is it possible to do what I described?
I hope I did not miss something trivial here.
Greetings,
Tibu
Edit: We use latest RAP 2.3 (I think RC3)
[Updated on: Fri, 20 June 2014 14:04]
Re: Text field without synchronization with Java client [message #1389026 is a reply to message #1386795]
Fri, 27 June 2014 08:19
Tim Buschtoens Messages: 396 Registered: July 2009
Senior Member
Hi.
It's a question of what happens in what order. The text is written into
the message as soon as there is any event that is added to the message.
So if you have a Modify, Verify or Selection listener, just typing might
do that. Any other widget triggering an event might also do that.
Looking into the message might tell you what event that is.
But I have to agree with the other post, this is not a good idea. And
even if you want to stick to the general approach (not sending the plain
password to the server), do NOT rely on how RAP internals synchronize
properties, create your own custom widget to do this.
Greetings,
Tim
On 20.06.2014 15:53, Tiburon T wrote:
> Hello!
>
> We would like to have some password fields in our RAP application. We
> used SWT.PASSWORD and created the text fields just as usual, but we are
> a little bit concerned about the transfer of the clear text password
> from the JS to the Java client via JSON. We know TLS would fix this, but
> anyway: We would feel better, if it was possible to hash the password,
> before it leaves the browser of the user. This seemed straight forward
> with ClientScripting:
> - create a ClientListener with JS to hash password
> - write password hash into hidden field in the respective dialog
> - set text of original password text field to empty string (setText(""))
> - make sure no listeners trigger a transfer of the password (i.e.
> SWT.Modify on the text field)
> - read password hash from hidden field in Java
>
> I implemented this and it seems to work - the only problem is, that the
> value of the text field still shows up in the JSON. Does the json always
> incorporate a complete history of the value changes of a control? Is it
> possible to do what I described?
> I hope I did not miss something trivial here.
>
> Greetings,
> Tibu
>
>
--
Tim Buschtöns
Twitter: @EclipseRAP
Blog: http://eclipsesource.com/blogs/
Professional services for RAP and RCP?
http://eclipsesource.com/services/rap/
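
One way to do the message inspection suggested in the reply above, as an added example that is not part of the original thread or of RAP itself: it scans a captured client-to-server message for non-empty `text` values set on a password widget and lists the events sent in the same message. The message layout is assumed from the RAP JSON protocol; the helper name `auditMessage`, the widget ids and the sample values are constructed.

```javascript
// Added example. Message layout assumed from the RAP JSON protocol:
// { head: {...}, operations: [[action, targetId, ...], ...] }.
// Widget ids ("w7", "w9") and all values are constructed sample data.

// Constructed capture: text typed into password field w7, then button w9 pressed.
const sampleMessage = JSON.stringify({
  head: { requestCounter: 4 },
  operations: [
    ["set", "w7", { text: "hunter2", selectionStart: 7, selectionLength: 0 }],
    ["notify", "w9", "Selection", { shiftKey: false }]
  ]
});

// auditMessage is a hypothetical helper name, not a RAP API.
function auditMessage(rawJson, passwordWidgetIds) {
  const watched = new Set(passwordWidgetIds);
  const msg = JSON.parse(rawJson);
  const ops = Array.isArray(msg.operations) ? msg.operations : [];
  const leaks = [];
  const events = [];
  ops.forEach((op, index) => {
    if (!Array.isArray(op)) return;          // skip malformed entries
    const [action, target, third] = op;
    if (action === "set" && watched.has(target) && third !== null &&
        typeof third === "object" && typeof third.text === "string" &&
        third.text.length > 0) {
      // Record position and length only, so the report never holds the value.
      leaks.push({ index, target, length: third.text.length });
    } else if (action === "notify") {
      events.push({ index, target, event: third });
    }
  });
  // Events are reported only when the message actually carries password text.
  return { leaks, triggers: leaks.length > 0 ? events : [] };
}

const report = auditMessage(sampleMessage, ["w7"]);
console.log(JSON.stringify(report, null, 2));
```

Run it over messages captured from the browser's network panel during a login; any entry in `triggers` names a widget and event whose listener caused the field value to be sent.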