6

I am using a JPasswordField in my program. When I call getPassword(), I get a char[] array. But when I add an ActionListener to the JPasswordField and call getActionCommand(), I get the password as a String. Is this password saved in the event object as a String? Isn't this a security issue?

nIcE cOw
Yggdrasil
  • 3
    Using a string is a security issue. Please read http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords (the answer from Jon Skeet) for details. – René Link Jul 17 '13 at 07:31
  • 3
    +1 good catch, sounds like a bug to me! Way out is to always set the actionCommand so it doesn't fallback to the default – kleopatra Jul 17 '13 at 08:42
  • 2
    +1 for a great find :-) Now are you going to report this to `Java Oracle` or not ? – nIcE cOw Jul 17 '13 at 09:00
  • 1
    It's widely known. http://stackoverflow.com/a/984151/4725 IIRC, you can also end up with remnants appearing undocumentedly in the `Document` and perhaps elsewhere. – Tom Hawtin - tackline Jul 18 '13 at 00:53

1 Answer

3

When you set no action command for a component, the text in it will be the action command. This is why you are getting the password.

The same applies to JTextField:

    import java.awt.event.ActionEvent;
    import java.awt.event.ActionListener;
    import javax.swing.JTextField;

    JTextField jt = new JTextField("text");
    jt.addActionListener(new ActionListener() {
        public void actionPerformed(ActionEvent ae) {
            // no action command was set, so this prints the field's text
            System.out.println(ae.getActionCommand());
        }
    });

This is a security issue because you are getting the password as a String, which is immutable, rather than as a char[].

Whenever an explicit action command is not set, the text in the component is passed to the ActionEvent constructor even though you never set it as the action command. The command parameter can be null, but that is not recommended, so the text in the component is the action command by default. If there is no password in the JPasswordField, an empty string will be the action command.

Don't try setting the action command to null: if it is null, the text in the JPasswordField will be the action command, and the problem comes back.

So I would recommend that you set some action command for the JPasswordField rather than leaving it as it is, until this is rectified by Oracle.

    import java.awt.event.ActionEvent;
    import java.awt.event.ActionListener;
    import javax.swing.JPasswordField;

    JPasswordField jt = new JPasswordField("text");
    jt.setActionCommand("");   // explicit command: the event no longer carries the password
    jt.addActionListener(new ActionListener() {
        public void actionPerformed(ActionEvent ae) {
            // prints the empty action command, not the field's contents
            System.out.println(ae.getActionCommand());
        }
    });
JavaTechnical
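The following is an added example, not code from the question or the answer above. It is a self-contained, headless-runnable Java class that exercises both halves of the answer: it fires the field's action event programmatically (JTextField.postActionEvent(), the same path pressing Enter takes) to show that the default action command is the field text, then shows the fix of setting an explicit command and reading the password through getPassword() as a char[] that is wiped afterwards. The password "hunter2" is a constructed sample, and authenticate() is a hypothetical stand-in for whatever char[]-accepting API a real application would call.

```java
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.util.Arrays;
import javax.swing.JPasswordField;

/**
 * Demonstrates the JPasswordField default-action-command leak and the fix.
 * Run with: java -Djava.awt.headless=true PasswordActionCommandDemo
 */
public class PasswordActionCommandDemo {

    /**
     * Fires an ActionEvent on the field (as pressing Enter would) and returns
     * the command string a listener sees. Uses only public JTextField API.
     */
    static String observedActionCommand(JPasswordField field) {
        final String[] observed = new String[1];
        ActionListener probe = new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                observed[0] = e.getActionCommand();
            }
        };
        field.addActionListener(probe);
        field.postActionEvent();
        field.removeActionListener(probe);
        return observed[0];
    }

    /** Compares a String with a char[] without building a second String. */
    static boolean sameChars(String s, char[] c) {
        if (s == null || s.length() != c.length) {
            return false;
        }
        for (int i = 0; i < c.length; i++) {
            if (s.charAt(i) != c[i]) {
                return false;
            }
        }
        return true;
    }

    /** True when the event's action command is exactly the field's password. */
    static boolean leaksPassword(JPasswordField field) {
        char[] pw = field.getPassword();           // a copy the caller owns
        try {
            return sameChars(observedActionCommand(field), pw);
        } finally {
            Arrays.fill(pw, '\0');                  // wipe our copy
        }
    }

    /** Hypothetical stand-in for a char[]-accepting authentication API. */
    static boolean authenticate(char[] password) {
        return password.length > 0;
    }

    /**
     * The listener you actually want: never touches getActionCommand(),
     * reads the password as char[], uses it, then zeroes it and clears
     * the field so the only remaining copy in the component is gone.
     */
    static ActionListener passwordHandler(final JPasswordField field) {
        return new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                char[] pw = field.getPassword();
                try {
                    System.out.println("authenticated: " + authenticate(pw));
                } finally {
                    Arrays.fill(pw, '\0');
                    field.setText("");
                }
            }
        };
    }

    public static void main(String[] args) {
        System.setProperty("java.awt.headless", "true");
        // constructed sample password, not a real credential
        JPasswordField field = new JPasswordField("hunter2");

        // default: no action command set, so the event carries the text
        System.out.println("default leaks password: " + leaksPassword(field));

        // fix: an explicit action command replaces the default
        field.setActionCommand("login");
        System.out.println("explicit command leaks password: " + leaksPassword(field));
        System.out.println("command seen by listener: " + observedActionCommand(field));

        // the recommended handler reads getPassword() and wipes its copy
        field.addActionListener(passwordHandler(field));
        field.postActionEvent();
    }
}
```

Setting the command to any non-null String (the answer uses "", this example uses "login") is what prevents the fallback to the field text; the listener then has to go through getPassword() to get the credential, which is the char[] path the question wanted. Clearing the field with setText("") after use removes the component's own copy, but, as the comments on the question note, remnants can still linger in the Document, so the field-level fix is necessary rather than sufficient.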