Obfuscate / Hide / Mask Confidential Information in User Interface based on User Role

Question

I am working on Primefaces. While displaying customer information, for certain customers, some fields are to be kept confidential and should be shown as XXXXXXXXXX and for certain customers, those fields can display the value.

I thought of having a composite component which accpets rendered and value objects. Based on customer, I will display outputText with static text "XXXXXXXXXX" and inputText with value bound to the backing bean attribute.

//Composite component code
<composite:interface>
    <composite:attribute name="render" />
    <composite:attribute name="value" />
</composite:interface>
<composite:implementation>
    <h:outputText value=" XXXXXXXXXX " rendered="#{cc.attrs.render}" />
    <p:inputText value="#{cc.attrs.value}" rendered="#{!cc.attrs.render}">
        <f:convertNumber type="currency" />
    </p:inputText>
</composite:implementation>

//Using composite component
<util:input id="accountBalance" render="#{myBean.vipCustomer}" value="#{ myBean.value}" />

//myBean    
public class Account implements Serializable {
    private double value;
    private boolean vipCustomer = false;
// getter's and setter's goes here.....
}

Is this safe approach ? will there be any maintainence issues because of future releases of JSF or Primefaces ? Is there a better way? Thanks for any input.

Answer 1

I think I would try to accomplish this with only one component instead of 2. Something like: <p:inputText value="#{cc.attrs.render ? cc.attrs.value : 'XXXXX'}"> <f:convertNumber type="currency" /> </p:inputText>

In your bean, check for "XXXXX" before setting the new value.

Answer 2

Used preRenderView listener to set the value of confidential fields to XXXXXXXXXX