Tuesday, January 12, 2010

Password Masking

During development we regularly see security bugs filed for storing passwords in plain-text files, or for reading a password from the command line without masking the typed characters.

In an AWT/Swing or web application we can hook a keyUp/keyDown event and do the masking ourselves. What about a standalone Java program? Whatever we type is echoed to the terminal and read through System.in. There is a nice technical article, written by Qusay H. Mahmoud with contributions from Alan Sommerer in July 2004, on masking a password typed at the command line. The trick is a background thread whose while-loop continuously overwrites the echoed character with an asterisk, pausing with Thread.sleep(1) for 1 ms between iterations. Under heavy system load the typed letters can stay visible in the console for a moment before they are replaced by asterisks; that race is unavoidable with this style of command-line masking.
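To make the erasing-thread technique concrete, here is an added illustration written for this post (it is not the code from the 2004 article, and the class and method names are mine). A daemon thread prints a backspace followed by an asterisk about once a millisecond while the main thread blocks in readLine(); the prompt ends with a space so that the first asterisk has a harmless character to overwrite. Besides the display race described above, note a second weakness of this approach: the line is read as a String, which cannot be wiped from memory, so only the char[] copy we return can be cleared.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

// Added illustration of the pre-Java 6 erasing-thread technique, written for
// this post; it is not the code from the 2004 article.
public class EraserMasking {

    // Background thread that repeatedly prints a backspace followed by '*',
    // so whatever the terminal echoes is overwritten about once a millisecond.
    static class Eraser extends Thread {
        private volatile boolean running = true;

        Eraser() {
            setDaemon(true); // never keep the JVM alive on its own
        }

        @Override
        public void run() {
            while (running) {
                System.out.print("\010*"); // \010 is the backspace character
                System.out.flush();
                try {
                    Thread.sleep(1);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
            }
        }

        void stopErasing() {
            running = false;
        }
    }

    // Prompts, reads one line from System.in while the eraser runs, and returns
    // it as char[] so the caller can wipe it. Returns null at end of input.
    // The prompt should end with a space: the first '*' overwrites its last
    // character before anything has been typed.
    static char[] readMaskedPassword(String prompt) throws IOException {
        System.out.print(prompt);
        System.out.flush();
        Eraser eraser = new Eraser();
        eraser.start();
        try {
            BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
            String line = in.readLine();
            return line == null ? null : line.toCharArray();
        } finally {
            eraser.stopErasing();
            System.out.println();
        }
    }

    public static void main(String[] args) throws IOException {
        char[] pw = readMaskedPassword("Enter password: ");
        if (pw == null) {
            System.out.println("End of input reached before a password was entered.");
            return;
        }
        System.out.println("Read " + pw.length + " characters.");
        Arrays.fill(pw, '\0'); // wipe our copy; the String from readLine() cannot be wiped
    }
}
```

Run it from a real terminal (java EraserMasking); under an IDE console the backspace may not be interpreted and you will simply see a stream of asterisks.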

Some of us even built a Swing login dialog just to receive a password without echoing it to the console. That, for the most part, was the story up to Java SE 6 ("Mustang").

Console

java.io.Console was introduced in Java SE 6 to solve this password-masking problem. The class is not only intended for password masking; it also provides formatted input and output in the style of C's printf, for example:

System.console().printf("Happy %s year %d", "new",2010);

Inside the JVM, a Console instance is made available through System.console() by default when the application is started from an interactive command line. Console behaviour varies with the platform on which the application is started. System.in and System.out deal with byte-based I/O, whereas Console deals with the character-based terminal device. If no I/O redirection is in effect, the keyboard and monitor are used as the Console's input and output devices.

If the application is started from an IDE such as Eclipse, NetBeans or JDeveloper, or as a background job with redirected I/O, no Console instance exists: System.console() returns null, and any method call on that result throws a NullPointerException. NPE is the exception application developers and customers hate most, while at the same time production-support and sustaining engineers are happy to take such bugs ;). Fixing it needs no intelligence: look at the first line number in the stack trace, add a null check, done. I am going to do the same thing below while using the Console object.

if (null != System.console()) {
    String username = System.console().readLine("Enter username: ");
    System.out.println("Username is " + username); // readLine() already returns a String
}

Here is the example code to read a password using Console:

public class ConsoleTest {
    public static void main(String[] args) {
        if (null != System.console()) {
            char[] paswd = System.console().readPassword("Enter password: ");
            if (paswd != null) { // null means end of input was reached
                // Printed here only to demonstrate the read; never log a real password.
                System.out.println("Password is " + new String(paswd));
                java.util.Arrays.fill(paswd, '\0'); // wipe the buffer when done
            }
        }
    }
}

Note: readPassword() returns null only when the end of the input stream is reached, which is what CTRL+D (Unix) or CTRL+Z (Windows) signals at the terminal; CTRL+C instead terminates the JVM, so nothing is returned at all. Without a null check, new String(paswd) would itself throw a NullPointerException.
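Putting the null check for System.console() and the end-of-input case together, here is an added example for this post (not from the original article; the class and method names are mine) of a password prompt that uses Console when one exists and degrades gracefully when it does not. Two details are worth copying: the prompt is passed as an argument to readPassword("%s", prompt) rather than as the format string, so a '%' in it cannot raise an IllegalFormatException, and the char[] is wiped in a finally block instead of being turned into a String.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

// Added example for this post (not from the original article): a password
// prompt that uses java.io.Console when one exists and falls back to
// System.in when it does not.
public class PasswordPrompt {

    // Reads a password without echo when a Console is attached. When there is
    // none (IDE, background job, redirected stdin) it falls back to System.in,
    // where the echo cannot be suppressed, and says so on stderr.
    // Returns null if the input ends before a line is read (CTRL+D / CTRL+Z).
    static char[] readPassword(String prompt) throws IOException {
        Console console = System.console();
        if (console != null) {
            // Prompt goes in as an argument, not as the format string, so a '%'
            // inside it cannot trigger an IllegalFormatException.
            return console.readPassword("%s", prompt);
        }
        System.err.println("Warning: no interactive console; the password will be echoed.");
        System.out.print(prompt);
        System.out.flush();
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String line = in.readLine();
        return line == null ? null : line.toCharArray();
    }

    public static void main(String[] args) throws IOException {
        char[] pw = readPassword("Enter password: ");
        if (pw == null) {
            System.err.println("End of input reached before a password was entered.");
            System.exit(1);
        }
        try {
            // Hand the char[] to whatever needs it (key derivation, authentication);
            // do not build a String from it, because Strings cannot be wiped.
            System.out.println("Password of " + pw.length + " characters accepted.");
        } finally {
            Arrays.fill(pw, '\0'); // wipe the buffer as soon as it is no longer needed
        }
    }
}
```

Try it both ways: java PasswordPrompt from a terminal gives a silent prompt, while echo secret | java PasswordPrompt or a run from the IDE takes the warning-and-echo path, and java PasswordPrompt < /dev/null exercises the null return.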
