Hi Jude, I think you got me wrong. StringBuilder internally uses char[] to store values (mutable sequence of characters [1] [2]). Therefore, we will not be creating (and leaving behind) immutable String objects as long as we use the StringBuilder properly.
However, if you accidentally call a method such as stringBuilder.toString() or stringBuilder.append(String str) you will end up creating a immutable String in the memory. This is what I was trying to imply with my sentence. We should not really depend on garbage collection for any data structure storing passwords. If we are going to depend on GC for Arrays, there is no point of *not* using String. Instead, since "char" is a mutable primitive, it's possible to change the value to as desired (where as Strings are immutable). Therefore, after storing password in a char[] or a StringBuilder (which internally uses a char[]) you should clear the data, before leaving the reference for GC to pickup, to make sure memory is clean. However there is one issue associated with using StringBuilder for password storage. StringBuilder has a mechanism used to grow the char[] used internal, when such expansion is required (AbstractStringBuilder.expandCapacity). This can leave behind arrays that are not properly cleared in memory. This too can be addressed by setting proper initialCapacity when creating StringBuilder. Anyhow, during offline discussion we identified that why Thusitha suggested StringBuilder here was because, MSF4J by default supports StringBuilder as a parameter type. However, with further checking we identified that this StringBuilder is creating using Strings in MSF4J level. Therefore, instead of going through the StringBuilder approach, we will be directly using Byte stream of the request to ready passwords out into char[] which is much clearer and does not introduce any immutable Strings. [1] https://docs.oracle.com/javase/7/docs/api/java/lang/StringBuilder.html [2] http://developer.classpath.org/doc/java/lang/StringBuilder-source.html Best Regards, Ayoma. On Thu, Mar 23, 2017 at 9:19 PM, Jude Niroshan <[email protected]> wrote: > We just need to avoid using any method that accepts or returns a String in > StringBuilder, >> to avoid intermediate level Strings. > > > I believe you are well aware about why the Strings and other sort of > objects being discouraged to be used for passwords and other valuable > information. It simply not to retain any information anywhere in heap or > other intermediate volatile memory. Arrays can be quickly garbage collected > and that valuable information can not be extracted again. > > http://stackoverflow.com/q/8881291/4506140 > > Hope it helps :) > > Regards, > Jude > > > On Thu, Mar 23, 2017 at 3:42 PM, Ayoma Wijethunga <[email protected]> wrote: > >> Yes. That seems to address the requirement. >> >> We can accept InputStream as a parameter and then use the input stream to >> read characters into a StringBuilder. I hope this was what you were >> suggesting and this is supported with MSF4J. >> >> We just need to avoid using any method that accepts or returns a String >> in StringBuilder, to avoid intermediate level Strings. >> >> Best Regards, >> Ayoma. >> >> On Thu, Mar 23, 2017 at 3:17 PM, Thusitha Thilina Dayaratne < >> [email protected]> wrote: >> >>> Hi All, >>> >>> AFAIU char[] is not compliant with neither QueryParam nor FormParam >>> according to [1]. Therefore from MSF4J (as a JAXRS engine) IMHO we couldn't >>> support char[]. >>> What if we use StringBuilder instead of String. Then we can delete the >>> StringBuilder as we want. WDYT? >>> >>> [1] - http://docs.oracle.com/javaee/7/api/javax/ws/rs/FormParam.html >>> >>> Thanks >>> >>> On Thu, Mar 23, 2017 at 3:10 PM, Denuwanthi De Silva < >>> [email protected]> wrote: >>> >>>> Hi, >>>> >>>> I have a micro service which calls a password validation back end. >>>> For that, it passes the password as microservice parameter. >>>> >>>> Due to security concerns we need to pass password as a char array >>>> instead of a String[1]. >>>> >>>> The password value is retrieved using jquery input field call and >>>> passed as a char array. >>>> Then it is passed to the microservice via an ajax call. But the >>>> micorservice method Params does not support char[] type[1]. >>>> >>>> Is there a way we can handle this without involving String type in the >>>> intermediate level? >>>> >>>> >>>> >>>> [1]https://nvisium.com/blog/2016/03/31/secure-password-strings/ >>>> [2]https://jersey.java.net/apidocs/2.7/jersey/javax/ws/rs/Qu >>>> eryParam.html >>>> >>>> >>>> Thanks, >>>> -- >>>> Denuwanthi De Silva >>>> Senior Software Engineer; >>>> WSO2 Inc.; http://wso2.com, >>>> Email: [email protected] >>>> Blog: https://denuwanthi.wordpress.com/ >>>> >>> >>> >>> >>> -- >>> Thusitha Dayaratne >>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>> >>> Mobile +94712756809 <+94%2071%20275%206809> >>> Blog alokayasoya.blogspot.com >>> About http://about.me/thusithathilina >>> <http://wso2.com/signature> >>> >>> >> >> >> -- >> Ayoma Wijethunga >> Software Engineer >> Platform Security Team >> WSO2, Inc.; http://wso2.com >> lean.enterprise.middleware >> >> Mobile : +94 (0) 719428123 <+94+(0)+719428123> >> Blog : http://www.ayomaonline.com >> LinkedIn: https://www.linkedin.com/in/ayoma >> >> _______________________________________________ >> Dev mailing list >> [email protected] >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> > -- Ayoma Wijethunga Software Engineer Platform Security Team WSO2, Inc.; http://wso2.com lean.enterprise.middleware Mobile : +94 (0) 719428123 <+94+(0)+719428123> Blog : http://www.ayomaonline.com LinkedIn: https://www.linkedin.com/in/ayoma
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
