How can I redirect to logon.jsp with unencrypted password in HTTPSession?
I have a j2ee web application using JAAS forms based authentication. However, due to some unusual requirements, I cannot get the user to enter their username and password directly into the logon.jsp form and submit them. Instead, I have to collect the data in a separate page and then redirect to logon.jsp to log it in.
What I'm going to do is store the username / password unencrypted in an HTTPSession. When I'm ready to authenticate, I use response.redirect for the logon.jsp route. In logon.jsp, I take the username and password from the session, fill out a standard "j-security-check" form, and then use javascript to submit the form.
How much of a security hole is this? I am uncomfortable with routing the request to logon.jsp through the browser (this is what the redirect does) because someone might be able to access the session and hence the unencrypted password. If I am using HTTPS / SSL, is this a likely situation? How will it be used?
I've been looking to call the login servlet directly into the JSP without using a form, but that doesn't seem like a viable option, especially since I'm losing my isolation from different J2EE containers / servers.
Has anyone figured out how I can restrict this security hole? Is it better to use forward rather than redirect because it doesn't go back to the browser?
How bad is it?
It seems very easy to describe this practice as terrible, but it is much more difficult to explain why it is terrible, or how it can be used in a situation where SSL is used. We put our confidential information in the hands of HTTPS / SSL all the time, I can't see how it goes.
Best practice would be to avoid interacting with the browser when not needed. You must manage the lag between security and usability, assess the requirements and sensitivity of your applications, and act accordingly.
In any case, using a forward, as opposed to a redirect, will prevent the browser from participating since the forwarding is done inside the web tier.
It looks like you are sending the password to the user so that the user can re-submit the form to the real login.jsp. This Battlefield Earth sounds terrible to me. Assuming the user enters the password after they enter the username, can the password form just not send directly to the login handler?
Oh my God. The first rule of password protection is to never transmit the password in clear text. If you store it in the session as clear text, it means that you probably have the password sent by the user to your server in clear text (unless you are using SSL, which I am strong). This means that any packet sniffer can find the password. As far as storing them in the session as clear text, that means you are vulnerable to session hijacking.
In other words: this is terrible. Do not do that.
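The flow from the question beside a hardened alternative, as an added example that is not code from the question or any of the answers. The servlet name, URL paths and form field names are assumed; the hardened path uses the Servlet 3.0 programmatic login API (HttpServletRequest.login) instead of a browser-submitted j_security_check form, so the clear-text password is never placed in the HttpSession and never round-trips through the browser.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet that receives the POST from the separate credential-collection page.
@WebServlet("/collect-credentials")
public class CollectCredentialsServlet extends HttpServlet {

    // The approach in the question: stash the clear-text password in the session and bounce the
    // browser to logon.jsp, which re-submits it via JavaScript. The password now sits in server
    // memory for the life of the session and is readable by anything that obtains that session
    // (a hijacked session cookie, another servlet, a session dump or replication log).
    private void weakRedirectFlow(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        req.getSession().setAttribute("username", req.getParameter("username"));
        req.getSession().setAttribute("password", req.getParameter("password")); // clear text, long-lived
        resp.sendRedirect(req.getContextPath() + "/logon.jsp"); // extra browser round-trip
    }

    // Hardened version: authenticate inside the same request. The container validates the
    // credentials against the configured realm; nothing secret is stored or redirected.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            req.login(username, password);   // Servlet 3.0 programmatic login, no j_security_check form
            req.changeSessionId();           // Servlet 3.1: new session id after login (session fixation)
            resp.sendRedirect(req.getContextPath() + "/home"); // redirect is harmless now: carries no secret
        } catch (ServletException e) {
            // Failed login: do not echo the credentials or the exception text back to the user.
            req.setAttribute("loginError", Boolean.TRUE);
            // Server-side forward, as the second answer recommends: the browser never sees this hop.
            req.getRequestDispatcher("/loginFailed.jsp").forward(req, resp);
        }
    }
}
```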