How to do Password masking in JSF

Question

I have created a database setting jsf page which shows the value from the properties file during the page load. The users will updates the page and click the submit and the value get updated in the properties file.

I wrote the below code

entity.hbm.xml

<class name="mypageEntity"
    table="tbl_user">
    <id name="id" type="long">
        <column name="ID" />
        <property name="Password" type="java.lang.String"
        column="PASSWORD" length="100" />    
    </id></class>

mypage.jsp

<h:inputSecret id="wspasswordInput" value="#{mypage.Password}" style="display:none;width:146px" maxlength="100" redisplay="true" autocomplete="off"></h:inputSecret>

mypageEntity.java

public void setPassword(String Password) {
    this.Password = Password;
}
public String getPassword() {
    return Password;
}

mypageActionImpl.java

i'm updating my entity here.

While I managed to show the password from the properties file during page load it shows correctly. But i don't want to displays actual password in the password field. Coz users can see the password in page source by using firebug extension. i want to display some static characters like '******' instead of showing actual password. When user click the submit button i want to save the password which is modified by user.

Please suggest any solution?

Answer 1

There's no point in pre-populating the password field. getPassword() should return null, or maybe I mean"", or even "********". Then the only password the user can see is whatever he just typed into it, which may or may not be correct, and it will disappear on POST.

I hope this doesn't also mean you have plaintext passwords. If you do, you have a much bigger problem than this. Passwords must be hashed. See password-encryption for why, and my answer here.