Currently the Javadoc states:
Setting a value of 0 unsets the echo character.
To me, unsetting the echo character means showing NOTHING. This was the behavior in JDK1.2.
According to bug: 4197612, the user perceives that unsetting the echo character means showing the password in CLEAR TEXT.
With this change in JDK 1.3, there could have been an extremely dangerous security leak in Solaris and Trusted Solaris.
In Trusted Solaris, and RBAC, it is imperative not to show any characters when the password is typed in. In JDK1.2 this was done with .setEchoChar((char) 0), and it worked.
When upgrading to JDK 1.3, all of a sudden the password is in CLEAR TEXT. Can you imagine if this was released????
Aside: For the security "geeks" and ultra paranoid, the password field should NEVER show the clear text password. It shouldn't even show a 1-1 ratio between *'s and the characters typed in.