[
https://issues.apache.org/jira/browse/WICKET-6912?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sven Meier reassigned WICKET-6912:
----------------------------------
Assignee: Sven Meier
Priority: Minor (was: Major)
Actually Wicket doesn't store the password, it just writes it into a model
which *you* provide to the component.
Furthermore #resetPassword ensures that nothing gets stored along with the
component tree.
That said, we could make it easier to bind a PasswordTextField to a byte[]
property, by just making it generic instead of <String>.
WDYT?
> PasswordTextField should not use Strings
> ----------------------------------------
>
> Key: WICKET-6912
> URL: https://issues.apache.org/jira/browse/WICKET-6912
> Project: Wicket
> Issue Type: Improvement
> Components: wicket-core
> Reporter: Daniel Meier
> Assignee: Sven Meier
> Priority: Minor
>
> According to the [Java Cryptography Architecture Reference
> Guide|https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx],
> passwords should not be stored in {{java.lang.String}} Objects. Wicket's
> {{PasswordTextField}} however uses {{String}} Models, which can be a security
> vulnerability.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
