如何在ViewScoped bean之间传输秘密的用户名和密码？

Question

I am working on a webprojekt where I in order to minimize session bloating are using primarily ViewScoped beans. But then I face the problem that I need to transfer clients usernames and passwords between my beans (to access the database etc.).

I have made a system where I am using flash objects to transfer usernames and passwords between beans such as this:

public String gotoNextView() {
    ExternalContext external = FacesContext.getCurrentInstance().getExternalContext();
    external.getFlash().put("user_name", (String) FacesContext.getCurrentInstance().getExternalContext().getFlash().get("user_name"));
    external.getFlash().put("password", (String) FacesContext.getCurrentInstance().getExternalContext().getFlash().get("password"));

    return "/../../next_view.xhtml";
}

But I am worried about whether it is somehow possible for a hacker to manipulate the client and thereby trick the server to expose the flash objects!

Another solution that I am thinking about is to store all the JSESSIONID's for the web application as keys in a Map with the usernames and passwords as values. To make that work I suppose that I need a callback method to be called when a user session ends or expires so that I can remove the relevant JSESSIONID from the Map. But the problem with that solution is that I am in doubt about what is the best way to implement the callback so that I can be 100% sure that the Map entry is removed before a new similar JSESSIONID is created by the server (even though I know that the chances are extremely small that it will happen in such a short amount of time). Also I am in doubt about what to with beans that are working with a JSESSIONID (a user) if for some reason the server discards the JSESSIONID before the bean (and for example database operations) is finished (as I then can risk that a new similar JSESSIONID is created by the server for another user which then might get mingled with the JSESSIONID and user the other bean is servicing)!

I Hope that someone with deep insight into the problem will write about what is the best practise and a 100% secure way to this (also I suppose that most people working with JSF webapp servers encounter this problem and therefore it would be helpful for others to know the best solution to the problem). Thanks.

Answer 1

I think you're under a misconception here. The fact that a variable resides in one managed bean, and then is "passed" to another managed bean does not mean that there's actual movement across a physical medium. All viewscoped beans are implemented in the same storage area (I believe it's the UIViewRoot object). At this level, there's an implicit Boundary of Trust between these entities , and unless there's user-accessible movement between the two beans (maybe a client side variable, URL parameter or other HTTP artifact), I don't see the risk.

What this means is that, regardless of the specific @ViewScoped bean the variable sits in, they're all exposed to the same vulnerability (if any). "Passing" a variable between the beans doesn't introduce any new risk. Unless you're displaying the values anywhere to the users (maybe in the URL or in a hidden HTML form element), there's no new risk introduced by the @ViewScoped object in and of itself (improper use of the scopes is a different matter).

Ultimately, if you're still concerned about it, just encrypt your stuff (consider the overhead) before handing the variable to another entity