Hi,

As discussed offline I used the msf4j Request object in my microservice

@POST
@Path("/validatePassword")
public Response isValidPassword(@Context Request password) {

Then I tried retrieving a char[] out of it as follows

ByteBuffer fullContent = BufferUtil.merge(password.getFullMessageBody());
char[] passwordText = Charset.defaultCharset().decode(fullContent).array();


But the returned value contains different values for special characters.

For example, the actual password I gave was ABCabc01*$*
Then the value retrieved in the microservice is ABCabc01*%24*

Is there a way we can handle this? The password is sent from the frontend side to
the backend via an ajax call

var password = $("#newPassword").val();
$.ajax({
    type: "POST",
    url: "/admin-portal/root/apis/passwordUtil-micro-service/validatePassword",
    data: {newPassword: password},
});

Thanks

On Thu, Mar 23, 2017 at 9:54 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:

> Hi Jude,
>
> I think you got me wrong. StringBuilder internally uses char[] to store
> values (mutable sequence of characters [1] [2]). Therefore, we will not be
> creating (and leaving behind) immutable String objects as long as we use
> the StringBuilder properly.
>
> However, if you accidentally call a method such as
> stringBuilder.toString() or stringBuilder.append(String str) you will end
> up creating an immutable String in the memory. This is what I was trying to
> imply with my sentence.
>
> We should not really depend on garbage collection for any data structure
> storing passwords. If we are going to depend on GC for Arrays, there is no
> point of *not* using String. Instead, since "char" is a mutable
> primitive, it's possible to change the value as desired (whereas
> Strings are immutable). Therefore, after storing password in a char[] or a
> StringBuilder (which internally uses a char[]) you should clear the data,
> before leaving the reference for GC to pickup, to make sure memory is
> clean.
>
> However, there is one issue associated with using StringBuilder for
> password storage. StringBuilder has a mechanism to grow the char[]
> used internally when such expansion is required
> (AbstractStringBuilder.expandCapacity).
> This can leave behind arrays that are not properly cleared in memory. This
> too can be addressed by setting proper initialCapacity when creating
> StringBuilder.
>
> Anyhow, during offline discussion we identified that the reason Thusitha
> suggested StringBuilder here was that MSF4J by default
> supports StringBuilder as a parameter type. However, with further checking
> we identified that this StringBuilder is created using Strings at the MSF4J
> level. Therefore, instead of going through the StringBuilder approach, we
> will be directly using the byte stream of the request to read passwords out
> into char[], which is much clearer and does not introduce any immutable
> Strings.
>
> [1] https://docs.oracle.com/javase/7/docs/api/java/lang/StringBuilder.html
> [2] http://developer.classpath.org/doc/java/lang/StringBuilder-source.html
>
> Best Regards,
> Ayoma.
>
>
> On Thu, Mar 23, 2017 at 9:19 PM, Jude Niroshan <jude.nirosha...@gmail.com>
> wrote:
>
>> We just need to avoid using any method that accepts or returns a String
>>> in StringBuilder, to avoid intermediate level Strings.
>>
>>
>> I believe you are well aware of why Strings and other sorts of
>> objects are discouraged for passwords and other valuable
>> information. It is simply to not retain any information anywhere in heap or
>> other intermediate volatile memory. Arrays can be quickly garbage collected
>> and that valuable information cannot be extracted again.
>>
>> http://stackoverflow.com/q/8881291/4506140
>>
>> Hope it helps :)
>>
>> Regards,
>> Jude
>>
>>
>> On Thu, Mar 23, 2017 at 3:42 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:
>>
>>> Yes. That seems to address the requirement.
>>>
>>> We can accept InputStream as a parameter and then use the input stream
>>> to read characters into a StringBuilder. I hope this was what you were
>>> suggesting and this is supported with MSF4J.
>>>
>>> We just need to avoid using any method that accepts or returns a String
>>> in StringBuilder, to avoid intermediate level Strings.
>>>
>>> Best Regards,
>>> Ayoma.
>>>
>>> On Thu, Mar 23, 2017 at 3:17 PM, Thusitha Thilina Dayaratne <
>>> thusit...@wso2.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> AFAIU char[] is not compliant with either QueryParam or FormParam
>>>> according to [1]. Therefore from MSF4J (as a JAX-RS engine) IMHO we couldn't
>>>> support char[].
>>>> What if we use StringBuilder instead of String? Then we can delete the
>>>> StringBuilder as we want. WDYT?
>>>>
>>>> [1] - http://docs.oracle.com/javaee/7/api/javax/ws/rs/FormParam.html
>>>>
>>>> Thanks
>>>>
>>>> On Thu, Mar 23, 2017 at 3:10 PM, Denuwanthi De Silva <
>>>> denuwan...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a micro service which calls a password validation back end.
>>>>> For that, it passes the password as microservice parameter.
>>>>>
>>>>> Due to security concerns we need to pass the password as a char array
>>>>> instead of a String [1].
>>>>>
>>>>> The password value is retrieved using a jquery input field call and
>>>>> passed as a char array.
>>>>> Then it is passed to the microservice via an ajax call. But the
>>>>> microservice method Params do not support the char[] type [1].
>>>>>
>>>>> Is there a way we can handle this without involving String type in the
>>>>> intermediate level?
>>>>>
>>>>>
>>>>>
>>>>> [1] https://nvisium.com/blog/2016/03/31/secure-password-strings/
>>>>> [2] https://jersey.java.net/apidocs/2.7/jersey/javax/ws/rs/QueryParam.html
>>>>>
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> Denuwanthi De Silva
>>>>> Senior Software Engineer;
>>>>> WSO2 Inc.; http://wso2.com,
>>>>> Email: denuwan...@wso2.com
>>>>> Blog: https://denuwanthi.wordpress.com/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thusitha Dayaratne
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>
>>>> Mobile  +94712756809
>>>> Blog      alokayasoya.blogspot.com
>>>> About    http://about.me/thusithathilina
>>>>
>>>>
>>>
>>>
>>> --
>>> Ayoma Wijethunga
>>> Software Engineer
>>> Platform Security Team
>>> WSO2, Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Mobile : +94 (0) 719428123
>>> Blog : http://www.ayomaonline.com
>>> LinkedIn: https://www.linkedin.com/in/ayoma
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>
>
> --
> Ayoma Wijethunga
> Software Engineer
> Platform Security Team
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 (0) 719428123
> Blog : http://www.ayomaonline.com
> LinkedIn: https://www.linkedin.com/in/ayoma
>
>
>


-- 
Denuwanthi De Silva
Senior Software Engineer;
WSO2 Inc.; http://wso2.com,
Email: denuwan...@wso2.com
Blog: https://denuwanthi.wordpress.com/
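The `%24` seen above is the form encoding jQuery applies to `$` when it POSTs a data object, so reading the raw body gives the percent-encoded bytes, not the password. The following is an added example, not code from this thread or from MSF4J: it pulls one field out of an application/x-www-form-urlencoded body and percent-decodes it straight into a char[], never building a java.lang.String from the secret, and it zeroes every intermediate buffer before dropping it, which is the clearing step Ayoma asks for. It assumes the body has already been merged into a single byte[] (the thread's `BufferUtil.merge` step, which is MSF4J-specific and not shown); the class and method names are my own.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not from the thread or MSF4J): extract one form field from a
 * form-urlencoded body into a char[] without ever creating a String for it.
 */
public final class FormFieldDecoder {

    /** Decoded value of {@code field}, or null when the body has no such field. */
    public static char[] decodeField(byte[] body, String field) {
        // Field names are not secrets, so a String is acceptable for the key.
        byte[] key = (field + "=").getBytes(StandardCharsets.US_ASCII);
        int start = 0;
        while (start <= body.length) {
            int end = indexOf(body, (byte) '&', start);
            if (end < 0) {
                end = body.length;
            }
            if (end - start >= key.length && regionMatches(body, start, key)) {
                byte[] raw = Arrays.copyOfRange(body, start + key.length, end);
                try {
                    return percentDecode(raw);
                } finally {
                    Arrays.fill(raw, (byte) 0);   // wipe the still-encoded copy
                }
            }
            start = end + 1;
        }
        return null;
    }

    /** '+' becomes a space and %XX becomes one byte; the bytes are then UTF-8 decoded. */
    static char[] percentDecode(byte[] raw) {
        byte[] bytes = new byte[raw.length];   // decoded form is never longer than the input
        int n = 0;
        for (int i = 0; i < raw.length; i++) {
            byte b = raw[i];
            if (b == '+') {
                bytes[n++] = ' ';
            } else if (b == '%' && i + 2 < raw.length) {
                int hi = Character.digit(raw[i + 1], 16);
                int lo = Character.digit(raw[i + 2], 16);
                if (hi < 0 || lo < 0) {
                    Arrays.fill(bytes, (byte) 0);
                    throw new IllegalArgumentException("malformed percent escape");
                }
                bytes[n++] = (byte) ((hi << 4) | lo);
                i += 2;
            } else {
                bytes[n++] = b;
            }
        }
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes, 0, n));
        // CharBuffer.array() is the whole backing array, sized from the decoder's
        // capacity estimate rather than the number of chars actually produced
        // (they differ for multi-byte input), so copy exactly remaining() chars.
        char[] out = new char[cb.remaining()];
        cb.get(out);
        Arrays.fill(bytes, (byte) 0);    // clear the decoded bytes
        Arrays.fill(cb.array(), '\0');   // clear the decoder's own buffer
        return out;
    }

    private static int indexOf(byte[] a, byte b, int from) {
        for (int i = from; i < a.length; i++) {
            if (a[i] == b) {
                return i;
            }
        }
        return -1;
    }

    private static boolean regionMatches(byte[] a, int offset, byte[] prefix) {
        for (int i = 0; i < prefix.length; i++) {
            if (a[offset + i] != prefix[i]) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample body, as jQuery would encode {user: "bob", newPassword: "ABCabc01$"}.
        byte[] body = "user=bob&newPassword=ABCabc01%24".getBytes(StandardCharsets.US_ASCII);
        char[] pwd = decodeField(body, "newPassword");
        try {
            // Hand pwd to the validator here; it must also avoid String conversions.
            System.out.println("decoded " + pwd.length + " chars, last is '$': " + (pwd[pwd.length - 1] == '$'));
        } finally {
            Arrays.fill(pwd, '\0');   // caller's duty: clear before the reference goes out of scope
        }
    }
}
```

Two points worth keeping in mind when using this approach: form encoding sends spaces as `+`, so a password containing a space is only recovered if `+` is translated back; and the char[] returned here is the only copy the caller owns, so the caller, not the decoder, is responsible for the final `Arrays.fill`. The decoder bypasses StringBuilder entirely, which also sidesteps the uncleared arrays left behind by capacity growth that Ayoma describes.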
