JPasswordField security with action command

2019-01-26 12:16发布

站内问答 / Java
1982 1 4

I am using a JPasswordField in my program. When I ask getPassword(), I get a char[] array. But when I add an ActionListener to the JPasswordField and ask getActionCommand(), I get the password as a String. Is this password save in the event object as String? Isn't this a security issue?

1条回答
▲ chillily
2楼-- · 2019-01-26 12:57

When you set no action command for a component, the text in it will be the action command. This is why you are getting the password.

Even for JTextField also

JTextField jt=new JTextField("text");
        jt.addActionListener(new ActionListener(){
            public void actionPerformed(ActionEvent ae)
            {
                System.out.println(ae.getActionCommand());
            }
        });

This is a security issue because you are getting password as String which is immutable rather than a char[]

Whenever an explicit action command is not set, the text in the component will be sent to the ActionEvent constructor though you didn't specifically set it as action command. The command parameter can be null though, but it is not recommended to be null, therefore the text in the component is the action command by default. If there is no password in the JPasswordField an empty string will be the action command.

Don't try setting action command to null, if it is null, then the text in the JPasswordField will be the action command. The problem comes again.

So i would recommend you to set some action command for the JPasswordField without leaving it like that for now until this is rectified by Oracle.

JPasswordField jt=new JPasswordField("text");
        jt.setActionCommand("");
        jt.addActionListener(new ActionListener(){
            public void actionPerformed(ActionEvent ae)
            {
                System.out.println(ae.getActionCommand());
            }
        });
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)