Closed Bug 236987 Opened 20 years ago Closed 17 years ago

Implement Password manager for java applets

Categories

(Toolkit :: Password Manager, enhancement)

Product:
Toolkit
Component:
Password Manager
Platform:
x86
All
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: jord.wegge, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8

Firefox will not (offer to) remember passwords asked by java-applets although
the same password is required and known to the password manager to enter the site.

Reproducible: Always
Steps to Reproduce:
1.go to http://www.qualifeed.be/
2.login = joluyck
3.pasw=rfcwlp

Actual Results:  
pasw is stored for site access, not for java

Expected Results:  
not asked twice the pasw for java

Default theme
CCing Jesse since I don't believe this is a bona fide security bug, unless you 
don't want the login revealed? 
 
As to the matter at hand, I can confirm that the password manager is not 
supplying the login info to the java login. I don't believe that's a bug 
though but rather implementing this would fall under the category of an 
enhancement. 
 
Mozilla Browser does the same thing as Firefox. Interestingly though, using 
Konqueror+kwallet in Linux the java login never appears even though the java 
applets are working. I can only surmise that kwallet supplied the necessary 
info to the java applet upon loading the page. I'm not at all familiar with IE 
so I don't what it does under these circumstances. 
 
Confirming so that Brian can make a decision with respect to implementing 
this.
Severity: minor → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Summary: Password manager works for regular passwords, but not for passwords asked by java-applets → Implement Password manager for java applets
Group: security
"I don't believe this is a bona fide security bug, unless you
don't want the login revealed?"
"I don't believe that's a bug though but rather implementing this would fall
under the category of an enhancement."

Are you saying this bug is not important? Are you kidding? This might not be a
security bug, but it is a major usability bug. Users might rightfully think,
that something is broken. Most users don't even know there is something like an
applet at work, how could they?

Wait a minute! If users think a page that requires extra security protection
through a password and also must think the page is somehow broken, as it does
not accept their password or requires it twice, then users think the page is
insecure. I hope I can convince you that it is in the end a security bug or at
least a bug that influences the perception of security or lack of it.

By the way, IE 6.0 does not ask a second time for the authentication information.

Kind regards

K<o>

Mass edit: Changing QA to default QA Contact
QA Contact: davidpjames → password.manager
Assignee: bryner → nobody
Version: unspecified → Trunk
Java applets are external code running in their own VM. The browser can't just reach in and dig around for a username and password, not is their any standard API I know of to do this.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.