Bug 793017 (JBEPP-97)

Summary: Disable autocomplete on login.jsp
Product: [JBoss] JBoss Enterprise Portal Platform 4
Reporter: Martin Weiler <mweiler>
Component: Portal
Assignee: Thomas Heute <theute>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: 4.3.0.GA_CP1
CC: ammppp, dave.wichers, epp-bugs
Target Milestone: ---
Target Release: 4.3.0.GA_CP2
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/JBEPP-97
Doc Type: Bug Fix
Type: Task
Last Closed: 2009-07-22 10:26:01 UTC

Description Martin Weiler 2009-07-10 10:54:13 UTC
Date of First Response: 2009-07-10 22:24:22
Help Desk Ticket Reference: https://enterprise.redhat.com/issue-tracker/315634
project_key: JBEPP

Customer request to turn off username/password completion in the default login page by changing

  <input type="password" name="j_password" id="j_password" value=""/>
to
  <input type="password" name="j_password" id="j_password" value="" autocomplete="off"/>
 
in deploy/jboss-portal[-ha].sar/portal-server.war/login.jsp for security reasons.
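
The change requested above, as an added example that is not part of this ticket or of JBoss Portal: a small Node.js script that audits a login page fragment for password inputs whose effective autocomplete setting is not "off", and rewrites the offending tags the way the ticket asks for. It goes one step beyond the single-input change in the ticket by honouring a form-level autocomplete="off", which covers the inputs inside that form. The function names, the sample markup, the second form and the action paths are constructed for illustration and are not taken from the real login.jsp.

```javascript
// Added example, not code from the JBEPP-97 ticket or from JBoss Portal.
// Audits an HTML/JSP fragment for password inputs whose effective
// autocomplete setting is not "off", and rewrites the offending tags the
// way the ticket asks for. Runs under plain Node.js; attribute parsing is
// regex-based, so markup whose attribute values contain a literal ">"
// (e.g. a JSP scriptlet inside action="...") would need a real HTML parser.

// Parse the attribute list of one tag (the text after the tag name) into an
// object keyed by lower-cased attribute name. Handles double-quoted,
// single-quoted, unquoted and bare (valueless) attributes.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Walk <form>/<input> tags in document order. A password input passes only
// when its own autocomplete attribute is "off", or when it has no
// autocomplete attribute and the enclosing <form> carries autocomplete="off".
function auditPasswordAutocomplete(html) {
  const tokenRe = /<(\/?)(form|input)\b([^>]*)>/gi;
  const formStack = [];   // autocomplete value of each open <form>, innermost last
  const findings = [];
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const tagName = m[2].toLowerCase();
    if (tagName === 'form') {
      if (closing) formStack.pop();
      else formStack.push((parseAttributes(m[3]).autocomplete || '').trim().toLowerCase());
      continue;
    }
    if (closing) continue;                       // stray </input>
    const attrs = parseAttributes(m[3]);
    if ((attrs.type || 'text').toLowerCase() !== 'password') continue;
    const own = (attrs.autocomplete || '').trim().toLowerCase();
    const inherited = formStack.length ? formStack[formStack.length - 1] : '';
    const effective = own || inherited;          // the input's own value wins over the form's
    if (effective !== 'off') {
      findings.push({
        name: attrs.name || attrs.id || '(unnamed)',
        effective: effective || 'unset (browser default)',
        tag: m[0],
      });
    }
  }
  return findings;
}

// Rewrite every password input that does not already carry autocomplete="off":
// any other autocomplete attribute is dropped and autocomplete="off" appended,
// preserving the "/>" self-closing form used in login.jsp. Non-password
// inputs and inputs already set to "off" are returned untouched.
function hardenPasswordInputs(html) {
  return html.replace(/<input\b([^>]*)>/gi, (tag, attrText) => {
    const attrs = parseAttributes(attrText);
    if ((attrs.type || 'text').toLowerCase() !== 'password') return tag;
    if ((attrs.autocomplete || '').trim().toLowerCase() === 'off') return tag;
    const stripped = attrText.replace(/\s+autocomplete(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>`]+))?/gi, '');
    const selfClosing = /\/\s*$/.test(stripped);
    const core = stripped.replace(/\s*\/?\s*$/, '');
    return `<input${core} autocomplete="off"${selfClosing ? '/' : ''}>`;
  });
}

// Constructed sample modelled on the login.jsp snippet in the ticket; the
// form actions and the second form are made up for this example.
const sampleMarkup = `
<form name="loginform" method="post" action="/portal/auth/login">
  <input type="text" name="j_username" id="j_username" value=""/>
  <input type="password" name="j_password" id="j_password" value=""/>
  <input type="submit" value="Login"/>
</form>
<form name="changepw" method="post" action="/portal/changepw" autocomplete="off">
  <input type="password" name="oldpw"/>
  <input type="password" name="newpw" autocomplete="on"/>
</form>
`;

// j_password (no attribute, form has none) and newpw (explicit "on") are
// reported; oldpw inherits "off" from its form and is not.
console.log(JSON.stringify(auditPasswordAutocomplete(sampleMarkup), null, 2));
console.log(hardenPasswordInputs(sampleMarkup));
```

Run it against an unpacked copy of login.jsp to confirm the rewrite produces exactly the tag the ticket asks for. One caveat worth knowing when this requirement comes up in review today: current browsers' password managers ignore autocomplete="off" on login fields and still offer saved credentials, so the attribute stops the browser's own form-history completion but should not be treated as a control that prevents credential storage.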

Comment 2 Dave Wichers 2009-07-11 02:52:14 UTC
I am the original requestor for this. It is required by the DISA Application Security STIG that autocomplete be off by default for password fields. By making it off by default, you make it safer for users of the portal, and you save every one of your DoD customers the trouble of having to fix the login.jsp page manually. Portal users that want this on can easily turn it back on so why not make it more secure by default?

-Dave

Comment 3 Wesley Hales 2009-07-11 18:39:09 UTC
I don't see any reason why we can't have this. I agree with making things secure by default. I will add it asap.

Comment 4 Thomas Heute 2009-07-22 10:26:01 UTC
I am not willing to change this for the following reasons:
 - It's not HTML compliant (autocomplete is not part of any schema)
 - Even more importantly it is a change in behavior for existing customers, which is something we don't want to happen in a CP.

I understand the request, but I would also understand that companies want to leave the opportunity to their users to keep autocompletion, which is the default behavior in many websites, so that it reduces the barrier for a user to login.

In the end there would be 2 camps, people for this behavior and people against, and we can't satisfy both. With our promise to not change any behavior (except something clearly wrong) I am willing to keep the autocompletion.

In the end I don't see anyone going in production without changing the login.jsp file for look and feel purposes anyway.

Comment 5 Aaron Pestel 2009-07-30 02:15:37 UTC
Could we change it in the next non-CP release? I would think most customers would prefer security first and, as you said, they'll likely be modifying login.jsp anyhow, so they can take away the extra security then if desired.