Can we convert a text field to a password field type?

Maru Sravan January 2, 2024

"Is it possible to convert a text field to a password field type using ScriptRunner Behaviours?"

3 answers

3 accepted

0 votes
Answer accepted
Nic Brough -Adaptavist-
Rising Star
January 3, 2024

Hi Maru,

I assume you mean a field that you can type something into, but the browser never displays the content, traditionally just showing a number of stars unrelated to the actual string length.

As @Rebekka Heilmann _viadee_ points out, it's insecure, you should never be storing passwords in Jira (or anywhere other than a highly secured password safe).  At a minimum, you should be storing the salt and hash of a password so that the actual password is never sent over the network.

Anyway, you can do something like that with Behaviours, changing the display text to *s, but do not bother.  You have a series of problems with it:

  • The user will have the plain text on-screen while creating or editing the issue, albeit if you're really clever with the code, you could obscure it after they move off the field (which is complex because the script would also have to remember the plain text and know to replace the ****** when you commit)
  • The HTML your browser receives is going to contain the raw password.  So you could use the developer tools to look at it.  Also, Behaviours usually kicks in after the screen has been rendered by plain Jira.  This means the plain text will appear for a short time before Behaviours can kick in and obscure it.
  • The password will still be sent in plain text (so if, for some reason, you are not using HTTPS for your Jira, you've just announced the password to the whole world.  HTTPS should always be used for any system you have any form of write access for.  HTTP is only suitable for static read-only services)
  • The password is visible, plain text, in the database

What you need to do is find a secured password field type.  I wrote one for Jira 3 once, but only for a "password reset" process done within Jira - the password entered was never stored or sent (the salt and hash were sent over a secured local route to another system), the code threw the plain-text away before the issue got written to.   Looked odd in the database - "this custom field is used in these projects, but there are no values for it anywhere"

If you really do want to store passwords in Jira properly, you'll need to add code to that field so that it stores the salt and hash of what is entered and then write more code to let Jira act as a password checker.

The basic process of that is:

  • Jira has a hashed password somewhere (let's say it's stored on issue ABC-123)
  • Another system that someone is trying to log into is given the plain password on logon
  • The other system hashes what was entered
  • The other system contacts Jira and says, "hey, for issue ABC-123, someone has given me this hash"
  • Jira can then check the two hashes match and respond with "nope" or "yes valid"

Again, you could do this with ScriptRunner, but I really recommend that you look for software designed to store passwords securely - Jira isn't the right place.
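
The check described in the answer above, sketched as an added example (not code from the thread, ScriptRunner or Jira): only a salt and a slow hash are stored, the other system hashes what was typed, and the verifier compares in constant time. PBKDF2-HMAC-SHA256, the iteration count, the in-memory `STORE` and every function name are assumptions; `ABC-123` is the issue key used in the answer.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not from the thread


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str) -> dict:
    """Build the record that is stored instead of the plain text."""
    salt = os.urandom(16)  # fresh random salt per password
    return {"iterations": ITERATIONS, "salt": salt.hex(),
            "hash": derive(password, salt, ITERATIONS).hex()}


# Constructed sample store standing in for "the hash stored on issue ABC-123".
STORE = {"ABC-123": enroll("correct horse battery staple")}


def params_for(issue_key: str):
    """What the other system may fetch: salt and work factor, never the hash."""
    record = STORE.get(issue_key)
    if record is None:
        return None
    return {"iterations": record["iterations"], "salt": record["salt"]}


def hash_on_other_system(password: str, params: dict) -> str:
    """The other system hashes what was typed at logon and keeps no plain text."""
    return derive(password, bytes.fromhex(params["salt"]), params["iterations"]).hex()


def check(issue_key: str, submitted_hash: str) -> bool:
    """Verifier side: answer only "yes valid" (True) or "nope" (False)."""
    record = STORE.get(issue_key)
    if record is None:
        return False
    try:
        submitted = bytes.fromhex(submitted_hash)
    except ValueError:  # malformed input is just a failed check
        return False
    # Constant-time comparison so response time does not leak matching bytes.
    return hmac.compare_digest(bytes.fromhex(record["hash"]), submitted)
```

The derived hash travels between the two systems in place of the password, so that link needs the same protection as the secured local route the answer mentions.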

0 votes
Answer accepted
John Funk
Community Champion
January 3, 2024

Hi Maru,

No, you cannot change the types of fields in Jira. You will need to create a new field with the new type and migrate any data to the new field. 

0 votes
Answer accepted
Rebekka Heilmann (viadee)
Community Champion
January 3, 2024

Why do you need a password field in Jira? I wouldn't recommend saving data like passwords in Jira, so hence the question.

Maru Sravan January 3, 2024

@Rebekka Heilmann _viadee_ 
To meet the requirements of my use case, I require a custom field type specifically designed for passwords.
If a custom field type specifically designed for passwords is not available, an alternative solution would be to hide the values entered by the end user.

Rebekka Heilmann (viadee)
Community Champion
January 3, 2024

Should be doable with ScriptRunner. @Nic Brough -Adaptavist- and colleagues should be able to help with that.

Still. Highly recommend NOT to save passwords in Jira. Custom Fields are not encrypted. Especially as you still seem to be on a Server License and with recent Security Issues... With EoL approaching it is to be expected that more Vulnerabilities will pop up.

Maru Sravan January 3, 2024

@Nic Brough -Adaptavist- Could you please recommend an approach for me?

Thanks in advance.
