
DONE - BUG: do not populate credit card number

Log in as a customer (not an administrator). If you have a credit card on record, click on Payment -> Credit Card to pay an invoice on-line. Your credit card number will be used to pre-populate the form. This is convenient, and was done on purpose to facilitate the payment, but it turns out to be a security issue. If someone has the password of a customer, it should not result in the credit card of the customer being compromised.

Since this is the only place where the credit card is displayed, we can just remove the population of this field. I believe that this can be achieved by deleting lines 1342 to 1360 of GenericMaintainAction.java (package com.sapienter.jbilling.client.util).

However, this alone will only address the security issue by making jbilling less user friendly. The user should still be able to make a quick payment using the credit card on file. So the solution could be to not pre-populate the credit card number, but to add a check box with 'use the credit card on file'. By clicking on the check box the user doesn't need to enter the card again, but it is secure, since the credit card information is kept confidential.

It'd be best if, beside the check box, the last four digits of the credit card on file are displayed. This will help the user realize what credit card is actually on file.

The files involved for this are: GenericMaintainAction.java (package com.sapienter.jbilling.client.util), as mentioned earlier. MaintainAction.java (package com.sapienter.jbilling.client.payment) and \view\payment\viewBody.jsp

 
lu wrote 5 years 12 weeks ago

This is a related topic.

Log in as a customer: Account->Edit Credit Card. Currently, if there is credit card info on file, then the cc number is completely masked out; do we want the customer to know which cc they are deleting? Emiliano, do you remember which file is involved? I can modify it so that the last 4 digits are shown.

Thanks.

lu

econde wrote 5 years 12 weeks ago

Lu,

The file where the masking happens is view/user/viewCreditCardBody.jsp
It'd be great if you can expose the last four digits, it is really the way it should've been done in the first place.

It might not be straightforward, but it is definitely worth a try.
Cheers,

Emiliano Conde
Lead Developer - jbilling

lu wrote 5 years 13 weeks ago

Is it ok to implement this way?

When a customer clicks on the link "You can pay this invoice with a credit card by clicking here", if there is credit card info on file, then that credit card info is populated with the first 12 digits masked out; otherwise, the customer can just enter the info at that point.

lu

econde wrote 5 years 12 weeks ago

Lu, your approach sounds pretty good. I'll mark the task as in progress.

Cheers,

Emiliano Conde
Lead Developer - jbilling

lu wrote 5 years 12 weeks ago

Ok. I will take care of this. =)

econde wrote 5 years 12 weeks ago

Lu, I've reviewed and tested your code. It does show the masked credit card number, with only the last 4 digits actually present. However, from then on the number is lost. When you click on 'Submit' you get an error because the credit card number is invalid... I'm afraid there is more to this issue than hiding the cc number ;)

Cheers,

Emiliano Conde
Lead Developer - jbilling

lu wrote 5 years 11 weeks ago

Hi Emil,

I am going to need some help, please.

localDB.script is the file with all SQL statements; where does the actual data stay? I admit I don't understand the database jBilling is using. I want to see why the cc number is lost. I thought the code I modified only affects retrieving the cc number from the DB and presenting it on the client side. How it also affects the storing part is still a puzzle to me. Reading through a thousand lines of code to understand what is going on is quite a challenge. :)

Thanks.

lu

econde wrote 5 years 11 weeks ago

Lu, you are actually right, the code you modified only changes how the credit card number is displayed. However, this is the number that is then sent to the server tier. In other words, since you've changed the number to display it to the user, it is as if the user had entered the number '********2132' instead of the real number. So the cc number has to be displayed masked, but the client tier also needs to 'remember' the real number, so that when the user clicks on 'Submit' the number sent is the real one, instead of the displayed one (which is masked).

Thus, you don't need to worry about anything related to the server or database tier. This problem is all in the client tier. If you are confused by the tiered architecture, give the architecture document a read.

Cheers,

Emiliano Conde
Lead Developer - jbilling
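The design proposed in the task description at the top of this thread (no pre-populated number, a "use the credit card on file" check box, and the last four digits shown) and the failure described in the comment just above (the masked display string being submitted back as the card number) can be illustrated together. The following is an added example in Python, not jBilling code: the in-memory card store, the customer id, the sample card numbers and the form field names are constructed for the illustration. The full number stays in the server-side store; the form model handed to the browser never carries it, and a masked string arriving in the number field is rejected rather than forwarded to the processor.

```python
"""Masked card display plus "use card on file" payment flow (added example).

Two tiers are modelled: a server-side store that holds the card on file,
and the view/submit layer that builds the form and resolves what to charge.
"""
from dataclasses import dataclass
import re


@dataclass
class CardOnFile:
    number: str   # full PAN, held only in the server-side store
    expiry: str


# Constructed sample data: a well-known test PAN, not a real customer or card.
CARDS_ON_FILE = {
    "customer-42": CardOnFile(number="4242424242424242", expiry="12/29"),
}


def mask_card(number: str) -> str:
    """Replace every digit except the last four with '*'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 4:
        raise ValueError("card number too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check, the usual 'invalid card number' test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def render_payment_form(customer_id: str) -> dict:
    """Build the model the payment page is rendered from.

    The full number is deliberately absent: the page only learns that a
    card is on file and the masked string to show beside the check box.
    """
    card = CARDS_ON_FILE.get(customer_id)
    if card is None:
        return {"card_on_file": False, "card_masked": None}
    return {"card_on_file": True, "card_masked": mask_card(card.number)}


def submit_payment(customer_id: str, form: dict) -> dict:
    """Resolve which card to charge from the submitted form.

    form keys (hypothetical names):
      use_card_on_file: bool   the check box; when set, the number is looked
                               up server-side and nothing else is trusted
      card_number, expiry: str only read when the box is unchecked
    Returns the card details that would be handed to the processor.
    """
    if form.get("use_card_on_file"):
        card = CARDS_ON_FILE.get(customer_id)
        if card is None:
            raise ValueError("no card on file for this customer")
        return {"number": card.number, "expiry": card.expiry, "source": "on-file"}

    raw = form.get("card_number", "")
    # The masked display value must never be accepted as a card number;
    # this is exactly the '********2132' case from the thread.
    if "*" in raw:
        raise ValueError("masked card number submitted; tick 'use card on file' "
                         "or enter the full number")
    digits = re.sub(r"\D", "", raw)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("invalid card number")
    return {"number": digits, "expiry": form.get("expiry", ""), "source": "entered"}


if __name__ == "__main__":
    print(render_payment_form("customer-42"))
    print(submit_payment("customer-42", {"use_card_on_file": True}))
```

With this split, a stolen customer password still only lets the attacker charge the card that is already on file for that customer's own invoices; it does not reveal the number. The browser side needs no hidden field holding the real PAN, and the "number is lost" problem disappears because the submit handler never expected the page to send it back.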

lu wrote 5 years 12 weeks ago

Thanks for pointing that out. I will fix it. :)
