Channa Wijesinghe

Reputation: 39

Best way to support username/password fields in install4j

I have an install4j installer that has a custom screen which prompts the user installing the software to supply a username/password. I know that installer textboxes store values to install4j variables which are persisted to a resource.varfile. What's the best way to store the password?

We have a situation where an IT admin will be installing the software, but the actual user shouldn't be able to view this password.

thanks

Upvotes: 1

Views: 650

Answers (2)

user2072247

Reputation: 31

I turned on the “write encoded value to response file” option, which writes an encoded value to the response.varfile. This encoding is very similar to Base64, but I spent some time trying to decode a value and didn’t find any common practices, but figured out a manual working sequence:

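    // Encoded password value as read from the response file
    String encoded = appProps.password;
    byte[] data = Base64.decode(encoded);
    // Reverse the per-byte transformation: absolute value, then subtract 1
    for (int i = 0; i < data.length; i++) {
        data[i] = (byte) (Math.abs(data[i]) - 1);
    }
    String decoded = new String(data);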

It is tested and working, but I can’t explain it or guarantee it will work in the future. The page says that another approach based on saving to Java prefs exists, but it is not a secure way to store a password. What is the best practice to retrieve the password field value?

Upvotes: 2

Ingo Kegel

Reputation: 48005

The "password" form component does not write its value to the response file for security reasons. If you select the "Write encoded value to response file" property of the form component, an encoded value will be written to the response file. This is not safe at all but prevents the casual user from seeing the plain-text password in the response file.

Upvotes: 1
