java - JPasswordField security with action command

Question

I am using a JPasswordField in my program. When I ask getPassword(), I get a char[] array. But when I add an ActionListener to the JPasswordField and ask getActionCommand(), I get the password as a String. Is this password save in the event object as String? Isn't this a security issue?

Answer 1

When you set no action command for a component, the text in it will be the action command. This is why you are getting the password.

Even for JTextField also

JTextField jt=new JTextField("text");
        jt.addActionListener(new ActionListener(){
            public void actionPerformed(ActionEvent ae)
            {
                System.out.println(ae.getActionCommand());
            }
        });

This is a security issue because you are getting password as String which is immutable rather than a char[]

Whenever an explicit action command is not set, the text in the component will be sent to the ActionEvent constructor though you didn't specifically set it as action command. The command parameter can be null though, but it is not recommended to be null, therefore the text in the component is the action command by default. If there is no password in the JPasswordField an empty string will be the action command.

Don't try setting action command to null, if it is null, then the text in the JPasswordField will be the action command. The problem comes again.

So i would recommend you to set some action command for the JPasswordField without leaving it like that for now until this is rectified by Oracle.

JPasswordField jt=new JPasswordField("text");
        jt.setActionCommand("");
        jt.addActionListener(new ActionListener(){
            public void actionPerformed(ActionEvent ae)
            {
                System.out.println(ae.getActionCommand());
            }
        });