Yes we already discussed but I think that it is more restrictive setting the return type as String. Instead and since Cipher returns a byte[] it would be better in terms of security to return the byte[] and if the setter that you are going to inject the value is a String, then internally we can convert to String. With current implementation you need to pass to the String yes or yes.
For example MongoClient allows you to use a char[] (to avoid creating an String). You can read more at http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java Alex. El dt., 3 nov. 2015 a les 15:05, Romain Manni-Bucau (<[email protected]>) va escriure: > Le 3 nov. 2015 05:01, "Alex Soto" <[email protected]> a écrit : > > > > Hi, I know that you can write something like: > > > > VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA== > > > > in a resources.xml file for setting an encrypted password. My concern is > > that since the password is decrypted using decrypt method of > PasswordCipher > > class and since this method returns value as String, this only works if > the > > parameter is an String. This might be a problem since first of all > storing > > a password (clean password) in String is a bad practice because of memory > > dump attack. And the second one is that if your library requires a byte[] > > you need to do a transformation calling getBytes which then it means that > > there can be problems with Charsets. > > > > Since Cipher class always returns a byte[], should it not be better to > > return byte[] in this method as well? > > > > Think we discussed it already: String is mandatory for most of resources. > Nothing prevents you to have a setter with string but no string field. > > Good point about raw byte[] which is not supported yet - never saw the need > until now, only String and char[]. > > > Alex. >
