    obfuscating passwords in a dynamic form submitted to

    We are using version 6.5 with your server-side integration tools.
    A DynamicForm is used for logging into our system and also for changing the password once logged in; it is tied to a server-side DataSource via SmartClient RPC.

    Code:
    // datasource xml definition
    <DataSource
        ID="login_DS"
        dataURL="./smartclientRPC.do"
        dropExtraFields="true"
        >
        <fields>
            <field name="userName" valueXPath="@userName"/>
            <field name="password" valueXPath="@password"/>
            <field name="changePassword" valueXPath="@changePassword"/>
            <field name="newPassword" valueXPath="@newPassword"/>
            <field name="confirmPassword" valueXPath="@confirmPassword"/>
        </fields>
    </DataSource>

    // DynamicForm definition
    isc.DynamicForm.create({
        ID: "LoginForm",
        dataSource: "login_DS",
        autoDraw: false,
        canSubmit: false,
        containsCredentials: true,
        saveOnEnter: true,
        show: function () {
            this.delayCall("focusInItem", ["userName"]);
            this.Super("show", arguments);
        },
        fields: [
            {
                name: "userName",
                title: FG_i18n.USER_ID,
                type: "text",
                required: true,
                length: 50,
                keyPress: function (item, form, keyName) {
                    if (keyName == "Enter") {
                        form.focusInItem("password");
                        return false;
                    }
                },
                validators: [ { type: "lengthRange", min: 0, max: 50 } ]
            },
            {
                name: "password",
                title: FG_i18n.PASSWORD,
                type: "password",
                required: true,
                length: 100,
                keyPress: function (item, form, keyName) {
                    if (keyName == "Enter") {
                        fgapp.getLoginModule().loginSubmit();
                        return false;
                    }
                },
                validators: [ { type: "lengthRange", min: 0, max: 50 } ]
            },
            {
                name: "newPassword",
                title: FG_i18n.NEW_PASSWORD,
                type: "password",
                showIf: "form.getValue('changePassword') == 'Y'",
                required: true,
                validators: [ { type: "lengthRange", min: 0, max: 50 } ]
            },
            {
                name: "confirmPassword",
                title: FG_i18n.RETYPE_PASSWORD,
                type: "password",
                showIf: "form.getValue('changePassword') == 'Y'",
                required: true,
                validators: [ { type: "lengthRange", min: 0, max: 50 } ]
            },
            {
                name: "changePassword",
                type: "HiddenItem",
                defaultValue: "N"
            }
        ]
    });

    // form submittal code
    LoginForm.saveData(
        function (dsResponse, data, dsRequest) {
            loginCallBack(dsResponse, data, dsRequest);
        },
        { prompt: FG_i18n.AUTHENTICATING_USER, willHandleError: true }
    );

    On the server side, when I dump out the HttpRequest parameter name/value pairs, only the first password is obfuscated (set to **** in the transaction XML); newPassword and changePassword are not.

    From our application log:
    [2010-01-08 10:30:37.4] DEBUG Request Parameters: [isc_xhr="1" | _transaction="<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
    xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">11</transactionNum>
    <operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><criteria xsi:type="xsd:Object"></criteria>
    <values xsi:type="xsd:Object">
    <userName>testUser</userName>
    <changePassword>Y</changePassword>
    <password>********</password>
    <newPassword>password1</newPassword>
    <confirmPassword>password1</confirmPassword>
    </values>

    My question is what can I do in the form definition/submission code to ensure that newPassword and confirmPassword do not come across in the clear? Thanks!

    #2
    Are you trying to keep the password from actually being transmitted in cleartext (which would require doing something like a SHA-1 hash client-side) or are you just worried about the fact that the password appears in the logs?



      #3
      more concerned about the logs



        #4
        You can declare that certain keys will be obfuscated whenever they are logged (via DataTools.prettyPrint). In server.properties, add entries like this:

        Code:
        map.obfuscateKeys.password: <obfuscated>
        map.obfuscateKeys.newPassword: <obfuscated>
        The value "<obfuscated>" will appear in the logs instead of the true value.

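A redaction routine in the spirit of the map.obfuscateKeys setting above, as an added example that is not SmartClient's own code and not from this thread: it masks the listed keys in a _transaction string before it reaches the log and includes a check that nothing listed is still in the clear. It assumes the element names from the log excerpt in the question and also covers confirmPassword, which that excerpt shows in the clear; the sample XML is constructed from that log.

```javascript
// Added example, not SmartClient's code: mask the keys map.obfuscateKeys is
// meant to cover before a _transaction string is written to the log.
// confirmPassword is included because the thread's log shows it in the clear.
const OBFUSCATE_KEYS = ["password", "newPassword", "confirmPassword"];
const PLACEHOLDER = "<obfuscated>";

// Escape a key name so it can be used literally inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Regex for <key ...>body</key>: group 1 open tag, group 2 body, group 3 close tag.
// Case-sensitive on purpose, so "password" does not touch <changePassword>.
function elementRe(key) {
  const k = escapeRe(key);
  return new RegExp(`(<${k}(?:\\s[^>]*)?>)([\\s\\S]*?)(</${k}>)`, "g");
}

// Replace the body of every listed element with the placeholder. Works on the
// raw XML string, so it can run immediately before the log write.
function obfuscateKeys(xml, keys = OBFUSCATE_KEYS, placeholder = PLACEHOLDER) {
  return keys.reduce((out, key) => out.replace(elementRe(key), `$1${placeholder}$3`), xml);
}

// Log-review check: true if any listed key still carries a real value.
function leaksSecret(xml, keys = OBFUSCATE_KEYS, placeholder = PLACEHOLDER) {
  return keys.some((key) => {
    const re = elementRe(key);
    let m;
    while ((m = re.exec(xml)) !== null) {
      if (m[2] !== "" && m[2] !== placeholder) return true;
    }
    return false;
  });
}

// Constructed sample: the <values> element from the thread's application log.
const SAMPLE_VALUES =
  '<values xsi:type="xsd:Object">' +
  "<userName>testUser</userName>" +
  "<changePassword>Y</changePassword>" +
  "<password>********</password>" +
  "<newPassword>password1</newPassword>" +
  "<confirmPassword>password1</confirmPassword>" +
  "</values>";

// Stand-alone run: show the redacted XML and whether anything still leaks.
console.log(obfuscateKeys(SAMPLE_VALUES));
console.log("leaks after redaction:", leaksSecret(obfuscateKeys(SAMPLE_VALUES)));
```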
