Hi Denuwanthi,

The value seems to be URL encoded.

Thanks,

On Fri, Mar 24, 2017 at 6:44 AM, Denuwanthi De Silva <[email protected]> wrote:
> When I do a POST request via Postman the special characters are rendered
> fine.
> Seems like this is happening with the ajax call.
>
> On Fri, Mar 24, 2017 at 5:02 PM, Denuwanthi De Silva <[email protected]> wrote:
>> Hi,
>>
>> As discussed offline I used the msf4j Request object in my microservice
>>
>> @POST
>> @Path("/validatePassword")
>> public Response isValidPassword(@Context Request password) {
>>
>> Then I tried retrieving a char[] out of it as follows
>>
>> ByteBuffer fullContent = BufferUtil.merge(password.getFullMessageBody());
>> char[] passwordText = Charset.defaultCharset().decode(fullContent).array();
>>
>> But the returned value contains different values for special characters.
>>
>> For example, the actual password I gave was ABCabc01$
>> Then the value retrieved in the microservice is ABCabc01%24
>>
>> Is there a way we can handle this? The password is sent from the frontend side
>> to the backend via an ajax call
>>
>> var password = $("#newPassword").val();
>> $.ajax({
>>     type: "POST",
>>     url: "/admin-portal/root/apis/passwordUtil-micro-service/validatePassword",
>>     data: {newPassword: password},
>> });
>>
>> Thanks
>>
>> On Thu, Mar 23, 2017 at 9:54 PM, Ayoma Wijethunga <[email protected]> wrote:
>>> Hi Jude,
>>>
>>> I think you got me wrong. StringBuilder internally uses char[] to store
>>> values (mutable sequence of characters [1] [2]). Therefore, we will not be
>>> creating (and leaving behind) immutable String objects as long as we use
>>> the StringBuilder properly.
>>>
>>> However, if you accidentally call a method such as
>>> stringBuilder.toString() or stringBuilder.append(String str) you will end
>>> up creating an immutable String in memory. This is what I was trying to
>>> imply with my sentence.
>>>
>>> We should not really depend on garbage collection for any data structure
>>> storing passwords. If we are going to depend on GC for arrays, there is no
>>> point in *not* using String. Instead, since "char" is a mutable
>>> primitive, it's possible to change the value as desired (whereas
>>> Strings are immutable). Therefore, after storing a password in a char[] or a
>>> StringBuilder (which internally uses a char[]) you should clear the data,
>>> before leaving the reference for GC to pick up, to make sure memory is
>>> clean.
>>>
>>> However there is one issue associated with using StringBuilder for
>>> password storage. StringBuilder has a mechanism to grow the char[]
>>> used internally when such expansion is required
>>> (AbstractStringBuilder.expandCapacity). This can leave behind arrays
>>> that are not properly cleared in memory. This too can be addressed by
>>> setting a proper initialCapacity when creating the StringBuilder.
>>>
>>> Anyhow, during the offline discussion we identified that the reason Thusitha
>>> suggested StringBuilder here was that MSF4J by default
>>> supports StringBuilder as a parameter type. However, with further checking
>>> we identified that this StringBuilder is created using Strings at the MSF4J
>>> level. Therefore, instead of going through the StringBuilder approach, we
>>> will be directly using the byte stream of the request to read passwords out
>>> into char[], which is much cleaner and does not introduce any immutable
>>> Strings.
>>>
>>> [1] https://docs.oracle.com/javase/7/docs/api/java/lang/StringBuilder.html
>>> [2] http://developer.classpath.org/doc/java/lang/StringBuilder-source.html
>>>
>>> Best Regards,
>>> Ayoma.
>>>
>>> On Thu, Mar 23, 2017 at 9:19 PM, Jude Niroshan <[email protected]> wrote:
>>>>> We just need to avoid using any method that accepts or returns a String
>>>>> in StringBuilder, to avoid intermediate level Strings.
>>>>
>>>> I believe you are well aware of why Strings and other sorts of
>>>> objects are discouraged for passwords and other valuable
>>>> information. It is simply not to retain any information anywhere in heap or
>>>> other intermediate volatile memory. Arrays can be quickly garbage collected
>>>> and that valuable information can not be extracted again.
>>>>
>>>> http://stackoverflow.com/q/8881291/4506140
>>>>
>>>> Hope it helps :)
>>>>
>>>> Regards,
>>>> Jude
>>>>
>>>> On Thu, Mar 23, 2017 at 3:42 PM, Ayoma Wijethunga <[email protected]> wrote:
>>>>> Yes. That seems to address the requirement.
>>>>>
>>>>> We can accept InputStream as a parameter and then use the input stream
>>>>> to read characters into a StringBuilder. I hope this was what you
>>>>> were suggesting and this is supported with MSF4J.
>>>>>
>>>>> We just need to avoid using any method that accepts or returns a
>>>>> String in StringBuilder, to avoid intermediate level Strings.
>>>>>
>>>>> Best Regards,
>>>>> Ayoma.
>>>>>
>>>>> On Thu, Mar 23, 2017 at 3:17 PM, Thusitha Thilina Dayaratne <[email protected]> wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> AFAIU char[] is compliant with neither QueryParam nor FormParam
>>>>>> according to [1]. Therefore from MSF4J (as a JAX-RS engine) IMHO we
>>>>>> couldn't support char[].
>>>>>> What if we use StringBuilder instead of String? Then we can delete
>>>>>> the StringBuilder as we want. WDYT?
>>>>>>
>>>>>> [1] - http://docs.oracle.com/javaee/7/api/javax/ws/rs/FormParam.html
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Thu, Mar 23, 2017 at 3:10 PM, Denuwanthi De Silva <[email protected]> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have a micro service which calls a password validation back end.
>>>>>>> For that, it passes the password as a microservice parameter.
>>>>>>>
>>>>>>> Due to security concerns we need to pass the password as a char array
>>>>>>> instead of a String [1].
>>>>>>>
>>>>>>> The password value is retrieved using a jQuery input field call and
>>>>>>> passed as a char array.
>>>>>>> Then it is passed to the microservice via an ajax call. But the
>>>>>>> microservice method params do not support the char[] type [1].
>>>>>>>
>>>>>>> Is there a way we can handle this without involving the String type at
>>>>>>> the intermediate level?
>>>>>>>
>>>>>>> [1] https://nvisium.com/blog/2016/03/31/secure-password-strings/
>>>>>>> [2] https://jersey.java.net/apidocs/2.7/jersey/javax/ws/rs/QueryParam.html
>>>>>>>
>>>>>>> Thanks,
>>>>>>> --
>>>>>>> Denuwanthi De Silva
>>>>>>> Senior Software Engineer;
>>>>>>> WSO2 Inc.; http://wso2.com,
>>>>>>> Email: [email protected]
>>>>>>> Blog: https://denuwanthi.wordpress.com/
>>>>>>
>>>>>> --
>>>>>> Thusitha Dayaratne
>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>
>>>>>> Mobile +94712756809
>>>>>> Blog alokayasoya.blogspot.com
>>>>>> About http://about.me/thusithathilina
>>>>>
>>>>> --
>>>>> Ayoma Wijethunga
>>>>> Software Engineer
>>>>> Platform Security Team
>>>>> WSO2, Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Mobile : +94 (0) 719428123
>>>>> Blog : http://www.ayomaonline.com
>>>>> LinkedIn: https://www.linkedin.com/in/ayoma

--
Maduranga Siriwardena
Senior Software Engineer
WSO2 Inc; http://wso2.com/
Email: [email protected]
Mobile: +94718990591
Blog: https://madurangasiriwardena.wordpress.com/

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
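Putting Maduranga's diagnosis (the body is URL encoded, so `$` arrives as `%24`) together with Ayoma's plan (read the request bytes straight into a char[]), the form value can be percent-decoded into a char[] without a String ever holding the password. This is an added example, not MSF4J or WSO2 code; the class and method names are hypothetical, and it assumes the ByteBuffer that BufferUtil.merge(...) returns holds an application/x-www-form-urlencoded body like the one jQuery's $.ajax sends for data: {newPassword: password}.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example, not MSF4J/WSO2 code. Assumes a form-encoded body such as
// "newPassword=ABCabc01%24&confirm=x" (constructed sample), as jQuery sends it.
public final class FormPasswordReader {
    /** Returns the decoded value of {@code field} as a fresh char[]; no String ever holds it. */
    static char[] readField(ByteBuffer body, String field) {
        byte[] raw = new byte[body.remaining()];
        body.get(raw);
        byte[] key = (field + "=").getBytes(StandardCharsets.US_ASCII);
        int start = indexOfKey(raw, key);
        if (start < 0) { Arrays.fill(raw, (byte) 0); return new char[0]; }
        int end = start;
        while (end < raw.length && raw[end] != '&') end++;      // value runs up to the next pair
        byte[] decoded = new byte[end - start];                   // scratch buffer for percent-decoding
        int n = 0;
        for (int i = start; i < end; i++) {
            if (raw[i] == '%' && i + 2 < end) {                   // "%24" -> '$'
                decoded[n++] = (byte) ((hexVal(raw[i + 1]) << 4) | hexVal(raw[i + 2]));
                i += 2;
            } else {
                decoded[n++] = raw[i] == '+' ? (byte) ' ' : raw[i]; // form encoding uses '+' for space
            }
        }
        CharBuffer chars = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(decoded, 0, n));
        char[] out = Arrays.copyOf(chars.array(), chars.limit()); // exact length, not the whole backing array
        Arrays.fill(raw, (byte) 0);                                // wipe every intermediate copy
        Arrays.fill(decoded, (byte) 0);
        Arrays.fill(chars.array(), '\0');
        return out;                                                // caller clears this after validation
    }

    private static int hexVal(byte c) {
        int v = Character.digit((char) c, 16);
        if (v < 0) throw new IllegalArgumentException("bad percent-escape");
        return v;
    }

    /** Offset just past "field=" when it starts the body or follows '&', else -1. */
    private static int indexOfKey(byte[] hay, byte[] key) {
        for (int i = 0; i + key.length <= hay.length; i++) {
            if (i > 0 && hay[i - 1] != '&') continue;
            int j = 0;
            while (j < key.length && hay[i + j] == key[j]) j++;
            if (j == key.length) return i + key.length;
        }
        return -1;
    }
}
```

In the microservice above this would replace the `Charset.defaultCharset().decode(fullContent).array()` line with `readField(BufferUtil.merge(password.getFullMessageBody()), "newPassword")`, and the caller should `Arrays.fill` the returned char[] once validation is done.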
