Code:
map.obfuscateKeys.password: <obfuscated> map.obfuscateKeys.newPassword: <obfuscated>
-
You can declare that certain keys will be obfuscated whenever they are logged (via DataTools.prettyPrint). In server.properties, add entries like this:
The value "<obfuscated>" will appear in the logs instead of the true value. -
Are you trying to keep the password from actually being transmitted in cleartext (which would require doing something like a SHA-1 hash client-side) or are you just worried about the fact that the password appears in the logs?Leave a comment:
-
obfuscating passwords in a dynamic form submitted to
We are using version 6.5 with your server side integration tools.
A DynamicForm is used for logging into our system and also for changing the password once logged in, it is tied to a server side datasource via smart client RPC.
Code:// datasource xml definition <DataSource ID="login_DS" dataURL="./smartclientRPC.do" dropExtraFields="true" > <fields> <field name="userName" valueXPath="@userName"/> <field name="password" valueXPath="@password"/> <field name="changePassword" valueXPath="@changePassword"/> <field name="newPassword" valueXPath="@newPassword"/> <field name="confirmPassword" valueXPath="@confirmPassword"/> </fields> </DataSource> // DynamicForm definition isc.DynamicForm.create({ ID:"LoginForm", dataSource: "login_DS", autoDraw:false, canSubmit:false, containsCredentials:true, saveOnEnter:true, show: function () { this.delayCall("focusInItem", ["userName"]); this.Super("show", arguments); }, fields:[ { name:"userName", title:FG_i18n.USER_ID, type:"text", required:true, length:50, keyPress : function (item, form, keyName) { if (keyName == "Enter") { form.focusInItem("password"); return false; } }, validators: [ { type:"lengthRange", min:0, max:50}] }, { name:"password", title:FG_i18n.PASSWORD, type:"password", required:true, length:100, keyPress : function (item, form, keyName) { if (keyName == "Enter") { fgapp.getLoginModule().loginSubmit(); return false; } }, validators: [ { type:"lengthRange", min:0, max:50}] }, { name:"newPassword", title:FG_i18n.NEW_PASSWORD, type:"password", showIf:"form.getValue('changePassword') == 'Y'", required:true, validators: [ { type:"lengthRange", min:0, max:50}] }, { name:"confirmPassword", title:FG_i18n.RETYPE_PASSWORD, type:"password", showIf:"form.getValue('changePassword') == 'Y'", required:true, validators: [ { type:"lengthRange", min:0, max:50}] }, { name:"changePassword", type:"HiddenItem", defaultValue:"N" } ] }) // form submittal code LoginForm.saveData( function (dsResponse, data, dsRequest) { loginCallBack(dsResponse, data, dsRequest); }, {prompt:FG_i18n.AUTHENTICATING_USER, willHandleError:true}) };
on the server side when i dump out the HttpRequest request parameter name/value pairs only the first password is obfuscated(set to **** in the transaction xml), newPassword and changePassword are not.
from our application log:
[2010-01-08 10:30:37.4] DEBUG Request Parameters: [isc_xhr="1" | _transaction="<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"
xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">11</transactionNum>
<operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><criteria xsi:type="xsd:Object"></criteria>
<values xsi:type="xsd:Object">
<userName>testUser</userName>
<changePassword>Y</changePassword>
<password>********</password>
<newPassword>password1</newPassword>
<confirmPassword>password1</confirmPassword>
</values>
My question is what can I do in the form definition/submission code to ensure that newPassword and confirmPassword do not come across in the clear? Thanks!
Leave a comment: