[ https://issues.apache.org/jira/browse/FELIX-6570?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17616427#comment-17616427 ]

Christoph Läubrich commented on FELIX-6570:
-------------------------------------------

Not every private property is a secret, but the reverse should always be true 
that *anything secret* is best kept *private* ... and it's always good to 
encourage best practice ... Even the Metatype Spec says that PASSWORD is only a 
hint so one *MAYBE* can hide what is entered there in a UI ( == Metatype 
Editor in Webconsole probably using a password field), so assuming that all 
components in an OSGi framework hide that data based on metatype is just 
waiting for a security incident to happen, e.g. if it is hidden by the 
_component_ it will still be visible by the _service registration_ as well as the 
_configuration_ to everyone, so this just acts as a smoke screen.

> Components webconsole-plugin shows password in clear text
> ---------------------------------------------------------
>
>                 Key: FELIX-6570
>                 URL: https://issues.apache.org/jira/browse/FELIX-6570
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>    Affects Versions: webconsole-ds-plugin-2.1.0
>            Reporter: Sagar Miglani
>            Priority: Major
>         Attachments: Screenshot 2022-05-09 at 4.48.42 PM.png, 
> webconsole-plugins.patch
>
>
> Open a component details page (eg: 
> localhost:8080/system/console/components/${componentId}) for a component with 
> a Password Property.
> Passwords are shown in clear text. [^Screenshot 2022-05-09 at 4.48.42 PM.png]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
