inputSecret value attribute

[Yavin]

Hi, I have concern about how inputSecret works now.

In documentation there is:

<b:inputSecret> is basically a <b:inputText> which doesn't show the text.

Problem is that it shows the hashed password in a field value. It probably should only set value to bean if the field was filled, but not set value attribute back to browser.

---

Reproduce:
<b:inputSecret value="#{userView.user.password}" label="password"/>

Will render field with hashed password:

<input ... type="password" value="$2a$10$bePT/Z.1TFVXdyAnhTr6cuNaTVPOZ4RKb5.9EKYBW.TzQQF8Pmuo.">

Expected: input without value attribute

---

BootsFaces Version(s): 1.1.1 (current)

[stephanrauh]

Good point! Security issues should be dealt with first, so that's what I did. I'll upload the new developer snapshot of BootsFaces 1.1.2 later this evening. I know it's demanding too much, but if you have the opportunity to test the Saturday, that'd be great, because we plan to publish BootsFaces 1.1.2 this week-end.

[stephanrauh]

I've just uploaded the developer snapshot of BootsFaces 1.1.2 to Maven Central. See #369 on how to get it.

I'll close this ticket now because I believe it to be fixed, but I keep listening to it. If something's wrong, just post your comments here.

Thanks in advance
Stephan

[Yavin]

It works in snapshot, the value doesn't show up.

It came up because i have a form with user data and password together, and setter looks like this:

public void setPassword(String password) {
    this.password = BCrypt.hashpw(password, BCrypt.gensalt());
}

And now I have null passed to this setter. At first I thought that component should not set value when it's empty, but now I think it should be as is. I should move password change to separate form.

Thanks!

[stephanrauh]

There's always the option to modify your setter like this:

public void setPassword(String password) {
    if (null != password) {
        this.password = BCrypt.hashpw(password, BCrypt.gensalt());
    }
}