Credentials are Retrieved in Response

Hi,

There is one security issue.

Exposing sensitive credentials in the response body after a login operation is a serious security
issue that needs immediate attention. Exposing credentials in such a manner can lead to unauthorized
access and compromise of user accounts.

Never store or transmit passwords or sensitive data in plain text. Use secure hashing algorithms (like
bcrypt, Argon2) for password storage and secure transmission protocols (TLS/SSL) for data in transit.

Can we hide or encrypt the details of the username and password while logging in via the web application?

image

  1. Jmix hashes stored passwords using the standard procedures of Spring Security. Look into your database - you won’t see plain text passwords except for the predefined admin, which should be changed in production.

  2. Usage of TLS/SSL for data in transit is your responsibility, you should set up HTTPS for your application.

Regards,
Konstantin
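To make point 1 concrete, here is an added example (not code from the thread or from the Jmix project) using Spring Security's standard `PasswordEncoder` from the `spring-security-crypto` module. It assumes nothing about Jmix's own wiring beyond what the reply states, namely that it relies on Spring Security's default mechanism; the class name `PasswordHashDemo` and the sample password are placeholders for this example.

```java
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashDemo {

    // Spring Security's default delegating encoder: hashes with bcrypt and
    // prefixes the stored value with "{bcrypt}" so the algorithm used can be
    // identified (and migrated to a stronger one) later.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** What ends up in the database column: a salted bcrypt hash, never the plain password. */
    public static String hashForStorage(String plainPassword) {
        return ENCODER.encode(plainPassword);
    }

    /** Login check: the submitted password is hashed with the stored salt and compared. */
    public static boolean verify(String submittedPassword, String storedHash) {
        return ENCODER.matches(submittedPassword, storedHash);
    }

    public static void main(String[] args) {
        // Placeholder password for the example; hashing the same value twice
        // yields two different strings because bcrypt generates a fresh salt each time.
        String stored1 = hashForStorage("admin");
        String stored2 = hashForStorage("admin");

        System.out.println("stored hash 1: " + stored1);
        System.out.println("stored hash 2: " + stored2);
        System.out.println("hashes differ (fresh salt each time): " + !stored1.equals(stored2));
        System.out.println("correct password accepted: " + verify("admin", stored1));
        System.out.println("wrong password rejected: " + !verify("wrong", stored1));
    }
}
```

Both stored values start with `{bcrypt}$2a$` followed by the cost factor and the salt, which is what a database inspection should show; the plain password itself is recoverable from neither. Note that this only concerns storage: the password still has to arrive at the server in clear for `matches` to work, which is why point 2 (TLS) is a separate requirement.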

Hi,

We are aware of the password storage mechanism; our only concern is the request shared in the image, which works as per Jmix internal logic. Any user who is able to intercept the request can view the details in plain text.

Use HTTPS to eliminate the possibility of intercepting the request.
There is no way to transmit the password entered by the user from the browser to the server other than in plain text.

Thank you
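As an added illustration of the "set up HTTPS" advice above (this is not configuration from the thread or from the Jmix project; it is the standard Spring Boot way, which a Jmix application inherits), the following `application.properties` fragment serves the application over TLS. The keystore path, alias and the `KEYSTORE_PASSWORD` environment variable are assumptions for this example; the keystore would be created beforehand with a command such as `keytool -genkeypair -alias jmixapp -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 365` (a self-signed certificate, suitable for local testing only).

```properties
# Added example, not part of the original thread or of Jmix.
# Serve the application on HTTPS only; the login form, and therefore the
# password in the login request, is then encrypted in transit.
server.port=8443
server.ssl.enabled=true

# PKCS12 keystore holding the server certificate and private key.
# Path and alias are placeholders for this example.
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=jmixapp

# Keep the keystore password out of the properties file: Spring Boot
# resolves ${...} placeholders from environment variables at startup.
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
```

With this in place, an attacker who captures the network traffic sees only the TLS record layer, not the form fields. For production, replace the self-signed certificate with one issued by a trusted CA (otherwise browsers will warn and users learn to click through), and make sure no plain HTTP listener remains reachable, either by not exposing port 80 at all or by redirecting it to 8443 at the reverse proxy or load balancer in front of the application.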