Possible security vulnerability using password fields in J2EE or Java GUI applications on Sun Solaris

In specific circumstances the use of password fields in J2EE Application Clients and Java GUI applications with EAServer can reveal passwords. This vulnerability affects the development and deployment of GUI applications and the use of the javax.swing.JPasswordField UI component from the EAServer JDK 1.4.2 installation.

To avoid direct use of the javax.swing.JPasswordField UI component, make these changes in your code:

  1. Subclass JPasswordField and return an empty string from the getSelectedText method as follows:

    import javax.swing.JPasswordField;

    // Drop-in replacement for JPasswordField that never hands out the
    // password through getSelectedText(); read it with getPassword() instead.
    public class MyPasswordField extends JPasswordField
    {
      public MyPasswordField(String text)
      {
        super(text);
      }

      // Any caller that reads the field through its selection gets an
      // empty string rather than the characters typed into it.
      public String getSelectedText()
      {
        return "";
      }
    }
    
  2. Update your existing code to use MyPasswordField rather than JPasswordField.
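The following check harness is an added example, not Sybase code or part of the EAServer product: it builds a stock JPasswordField and the hardened subclass described above, selects all of the text in each, and prints what getSelectedText() returns for each, while confirming that the application's own read path, getPassword(), still works on the hardened field. The class name PasswordFieldCheck and the sample value "s3cret" are constructed for the demonstration.

```java
import javax.swing.JPasswordField;
import java.util.Arrays;

// Added check harness (not from the advisory): compares a stock JPasswordField
// with the hardened subclass and shows that the supported read path still works.
public class PasswordFieldCheck {

    // Same hardening as the advisory's MyPasswordField. Written without
    // @Override so it also compiles on JDK 1.4.2.
    public static class MyPasswordField extends JPasswordField {
        public MyPasswordField(String text) {
            super(text);
        }

        public String getSelectedText() {
            return "";
        }
    }

    // Selects every character in the field and returns what any code that
    // reads the field through its selection would see.
    static String selectionExposes(JPasswordField field) {
        field.selectAll();
        return field.getSelectedText();
    }

    // Reads the password through the supported API and clears the buffer
    // afterwards so the secret does not linger in the heap.
    static boolean passwordMatches(JPasswordField field, char[] expected) {
        char[] pw = field.getPassword();
        try {
            return Arrays.equals(pw, expected);
        } finally {
            Arrays.fill(pw, '\0');
        }
    }

    public static void main(String[] args) {
        // A text component needs no display, so the check runs headless.
        System.setProperty("java.awt.headless", "true");
        char[] secret = "s3cret".toCharArray();   // constructed sample value

        JPasswordField stock = new JPasswordField(new String(secret));
        MyPasswordField hardened = new MyPasswordField(new String(secret));

        System.out.println("stock    getSelectedText -> \"" + selectionExposes(stock) + "\"");
        System.out.println("hardened getSelectedText -> \"" + selectionExposes(hardened) + "\"");
        System.out.println("hardened getPassword usable -> " + passwordMatches(hardened, secret));

        Arrays.fill(secret, '\0');
    }
}
```

Compile and run it with the JDK that ships with EAServer to confirm the behaviour on your installation: the hardened field prints an empty string for the selection while getPassword() still returns the typed characters, so existing login code that already uses getPassword() needs no change beyond switching the class name.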

Alternatively, you can use EAServer JDK/JRE 1.5 to develop your GUI applications. EAServer 5.3 adds support for JDK 1.5 and applications built on it. To install JDK 1.5, select JDK 1.5 in the Feature Selection panel when installing EAServer. If you have already installed EAServer, use the add components option in the EAServer 5.3 installation program. For more information, see Chapter 2 of the EAServer Installation Guide for Sun Solaris, available on the Sybase Product Manuals Web site.