Frederic BAGES wrote:

>         I'm just starting to use Struts and I don't know if the problem has been
> raised already (no archive?), but I was very surprised when I tried the
> struts-example application: as the tour suggested, I tried to log in with a
> bad login/password. The automatic filling functionality is wonderful, but it
> also introduces a security problem when run on password fields: the
> response HTML contained my password!
>
>       <input type="password" name="password" maxlength="16" size="16"
> value="toto">
>
>         Shouldn't this automatic filling functionality be disabled on password
> fields, or has the dev team decided that it's up to each web site maker to
> choose to implement an empty getPassword() function in the corresponding Form?
>

I don't believe that this issue has been discussed in the past.  It certainly was
not a deliberate decision -- the password tag just followed the same convention as
all of the other input tags.

Is it really a security risk, though?  Remember that the password displayed here
did *not* work (otherwise, the user would have been logged in), so a potential
attacker is not learning anything new.  After all, they can just try various
username and password combinations on your login screen, and find out exactly the
same thing, even if the password text were not echoed.

>
>         Sorry for my poor English.
>
>         Frederic.

Craig McClanahan
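The behaviour discussed above can be checked and fixed without touching the framework's tag library. The following is an added example in Python, not code from the thread or from Struts: `render_input` renders a form field the way a defensive tag would (re-populating text fields from the submitted value but never emitting a `value` attribute for `type="password"`), and `find_echoed_passwords` scans a response body for the symptom Frederic saw, a password input carrying a non-empty value. Both function names and the sample responses are constructed for this example; the leaky sample reproduces the `<input>` line quoted in the thread. Whatever one thinks of the risk argument, an echoed value ends up wherever the response does (browser cache, proxy logs, saved pages), and a mistyped password is frequently one keystroke away from the real one, so practitioners treat the echo itself as the defect.

```python
import html
from html.parser import HTMLParser


def render_input(input_type, name, value=None, **attrs):
    """Render an <input> tag, re-populating the field from the submitted value
    except for password fields, which are always rendered empty so the
    submitted secret never returns in the response body. (Constructed helper,
    not the Struts tag implementation.)"""
    parts = ['type="%s"' % html.escape(input_type, quote=True),
             'name="%s"' % html.escape(name, quote=True)]
    for key, val in attrs.items():
        parts.append('%s="%s"' % (key, html.escape(str(val), quote=True)))
    if value is not None and input_type.lower() != "password":
        parts.append('value="%s"' % html.escape(value, quote=True))
    return "<input %s>" % " ".join(parts)


class _PasswordEchoFinder(HTMLParser):
    """Collect (name, value) for every password input with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.echoed = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Attribute values are None for bare attributes; normalise to "".
        a = {k.lower(): (v if v is not None else "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.echoed.append((a.get("name", ""), a["value"]))


def find_echoed_passwords(response_html):
    """Return [(field name, echoed value), ...] for each password field in the
    response that carries a non-empty value attribute; [] means no echo."""
    finder = _PasswordEchoFinder()
    finder.feed(response_html)
    finder.close()
    return finder.echoed


# Constructed sample of the failed-logon response described in the thread.
LEAKY_RESPONSE = """
<form method="post" action="logon.do">
  <input type="text" name="username" maxlength="16" size="16" value="frederic">
  <input type="password" name="password" maxlength="16" size="16" value="toto">
</form>
"""

# The same form rendered through the defensive helper: the username is
# re-populated, the password field comes back empty.
SAFE_RESPONSE = "<form>%s%s</form>" % (
    render_input("text", "username", "frederic", maxlength=16, size=16),
    render_input("password", "password", "toto", maxlength=16, size=16),
)

if __name__ == "__main__":
    print("leaky:", find_echoed_passwords(LEAKY_RESPONSE))
    print("safe: ", find_echoed_passwords(SAFE_RESPONSE))
```

Running `find_echoed_passwords` over responses captured from a failed logon is a cheap regression check for any form framework that auto-populates fields; the same scan applies to any page that re-renders a form after validation errors, not only the logon screen.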
