On 3 Nov 2015 05:01, "Alex Soto" <[email protected]> wrote:
>
> Hi, I know that you can write something like:
>
> VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA==
>
> in a resources.xml file for setting an encrypted password. My concern is
> that since the password is decrypted using the decrypt method of the PasswordCipher
> class and since this method returns the value as a String, this only works if the
> parameter is a String. This might be a problem since first of all storing
> a password (clean password) in a String is a bad practice because of memory
> dump attacks. And the second one is that if your library requires a byte[]
> you need to do a transformation calling getBytes, which then means that
> there can be problems with Charsets.
>
> Since the Cipher class always returns a byte[], should it not be better to
> return byte[] in this method as well?
>
Think we discussed it already: String is mandatory for most resources. Nothing prevents you from having a setter with a string but no string field. Good point about raw byte[], which is not supported yet - never saw the need until now, only String and char[].

> Alex.
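
The reply's suggestion (a String setter with no String field), combined with the charset concern from the question, as an added Java example that is not part of the thread or of the project's code. The class `VaultClient` and its method names are hypothetical; only the `VaultPassword` property name comes from the message above.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical resource class, named for illustration only.
public class VaultClient {
    // No String field: the only copy this object retains is a wipeable char[].
    private char[] vaultPassword;

    // The container hands over the decrypted value as a String. That String
    // stays on the heap until garbage collected; this class just avoids
    // holding a second long-lived, immutable copy of it.
    public void setVaultPassword(String value) {
        clear();
        this.vaultPassword = value.toCharArray();
    }

    // Encode with an explicit charset so the bytes never depend on the
    // platform default (the getBytes() problem raised in the question).
    public byte[] passwordBytes() {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(vaultPassword));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0); // wipe the encoder's scratch buffer
        }
        return out;
    }

    // Overwrite the retained secret once it is no longer needed.
    public void clear() {
        if (vaultPassword != null) {
            Arrays.fill(vaultPassword, '\0');
            vaultPassword = null;
        }
    }

    public static void main(String[] args) {
        VaultClient client = new VaultClient();
        client.setVaultPassword("s3cr\u00e9t"); // constructed sample, non-ASCII on purpose
        byte[] key = client.passwordBytes();
        try {
            System.out.println("UTF-8 length: " + key.length);
        } finally {
            Arrays.fill(key, (byte) 0); // caller wipes its own copy
            client.clear();
        }
    }
}
```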
