https://issues.apache.org/jira/browse/TOMEE-1651
Side note: I know some security teams are kind of strict on this, but if you can dump the memory, char[] or String, you can do much more damage, so this only solves a very small part of the security risk you are exposed to, if you fear it in your environment.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-11-03 7:16 GMT-08:00 Alex Soto <[email protected]>:

> Yes, we already discussed it, but I think that it is more restrictive setting
> the return type as String. Instead, and since Cipher returns a byte[], it
> would be better in terms of security to return the byte[], and if the setter
> that you are going to inject the value into is a String, then internally we
> can convert to String. With the current implementation you have to go through
> a String no matter what.
>
> For example, MongoClient allows you to use a char[] (to avoid creating a
> String). You can read more at
>
> http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java
>
> Alex.
>
> On Tue., 3 Nov 2015 at 15:05, Romain Manni-Bucau (<[email protected]>) wrote:
>
> > On 3 Nov 2015 05:01, "Alex Soto" <[email protected]> wrote:
> > >
> > > Hi, I know that you can write something like:
> > >
> > > VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA==
> > >
> > > in a resources.xml file for setting an encrypted password. My concern is
> > > that since the password is decrypted using the decrypt method of the
> > > PasswordCipher class, and since this method returns the value as a String,
> > > this only works if the parameter is a String. This might be a problem since,
> > > first of all, storing a password (clear password) in a String is bad
> > > practice because of memory dump attacks. And the second one is that if your
> > > library requires a byte[] you need to do a transformation calling getBytes,
> > > which means that there can be problems with charsets.
> > >
> > > Since the Cipher class always returns a byte[], should it not be better to
> > > return byte[] in this method as well?
> > >
> >
> > Think we discussed it already: String is mandatory for most resources.
> > Nothing prevents you from having a setter with a String but no String field.
> >
> > Good point about raw byte[], which is not supported yet - never saw the need
> > until now, only String and char[].
> >
> > > Alex.
> > >
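As an added illustration of the byte[] return type Alex proposes and the charset concern he raises (example code written for this page, not TomEE's PasswordCipher implementation): a cipher whose decrypt yields byte[], an injector that hands those bytes straight to a byte[] setter and builds a String only when the setter's parameter type forces it, and a strict UTF-8 conversion so that no getBytes()/new String(byte[]) call depends on the platform default charset. The AES/GCM cipher with a per-run key, the `cipher:AesGcmDemo:` value prefix, the `BinaryResource`/`StringResource` classes and the `inject` helper are all assumptions modelled on the thread's `cipher:Static3DES:<base64>` format, not TomEE's own code.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class ByteArrayPasswordCipherDemo {

    // Demo cipher (assumption): AES/GCM with a per-run key, standing in for Static3DES.
    // What matters for the thread is the return type: decrypt() yields byte[], not String.
    static final class AesGcmCipher {
        private static final int IV_LEN = 12, TAG_BITS = 128;
        private final SecretKey key;
        AesGcmCipher(SecretKey key) { this.key = key; }
        private Cipher cipher(int mode, byte[] iv) throws Exception {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(mode, key, new GCMParameterSpec(TAG_BITS, iv));
            return c;
        }
        String encrypt(byte[] plain) throws Exception {
            byte[] iv = new byte[IV_LEN];
            new SecureRandom().nextBytes(iv);
            byte[] ct = cipher(Cipher.ENCRYPT_MODE, iv).doFinal(plain);
            byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);   // iv || ciphertext || tag
            System.arraycopy(ct, 0, out, IV_LEN, ct.length);
            return Base64.getEncoder().encodeToString(out);
        }
        byte[] decrypt(String base64) {
            try {
                byte[] in = Base64.getDecoder().decode(base64);
                return cipher(Cipher.DECRYPT_MODE, Arrays.copyOf(in, IV_LEN)).doFinal(in, IV_LEN, in.length - IV_LEN);
            } catch (Exception e) {
                throw new IllegalStateException("password decryption failed", e);
            }
        }
    }

    // Explicit UTF-8 decode into char[], strict on malformed input; the decoder's buffer is
    // a second copy of the secret, so it is wiped as well.
    static char[] utf8ToChars(byte[] utf8) throws CharacterCodingException {
        CharBuffer cb = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(utf8));
        char[] chars = new char[cb.remaining()];
        cb.get(chars);
        Arrays.fill(cb.array(), '\0');
        return chars;
    }

    // The two resource shapes from the thread: a byte[] setter and a String-only setter.
    static final class BinaryResource { byte[] secret; void setPassword(byte[] p) { secret = p.clone(); } }
    static final class StringResource { String secret; void setPassword(String p) { secret = p; } }
    static final String PREFIX = "cipher:AesGcmDemo:";   // modelled on cipher:Static3DES:<base64>

    // Raw bytes go straight to a byte[] setter; a String is built only when the setter's type
    // forces it, always with an explicit charset, and the working copy is wiped either way.
    static void inject(AesGcmCipher cipher, String configured, Object target) {
        if (!configured.startsWith(PREFIX)) throw new IllegalArgumentException("not a cipher: value");
        byte[] raw = cipher.decrypt(configured.substring(PREFIX.length()));
        try {
            if (target instanceof BinaryResource) {
                ((BinaryResource) target).setPassword(raw);
            } else {
                ((StringResource) target).setPassword(new String(raw, StandardCharsets.UTF_8));
            }
        } finally {
            Arrays.fill(raw, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        AesGcmCipher cipher = new AesGcmCipher(KeyGenerator.getInstance("AES").generateKey());
        // Constructed sample: the non-ASCII characters are exactly where a charset-less
        // getBytes() would differ between platforms (UTF-8 vs ISO-8859-1 vs Cp1252).
        char[] password = "pässwörd€".toCharArray();
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] plain = new byte[bb.remaining()];
        bb.get(plain);
        Arrays.fill(bb.array(), (byte) 0);
        String configured = PREFIX + cipher.encrypt(plain);
        Arrays.fill(plain, (byte) 0);

        BinaryResource bin = new BinaryResource();
        inject(cipher, configured, bin);
        char[] roundTrip = utf8ToChars(bin.secret);
        System.out.println("byte[] setter, UTF-8 round trip ok: " + Arrays.equals(password, roundTrip));
        System.out.println("same bytes read as ISO-8859-1 give " + new String(bin.secret, StandardCharsets.ISO_8859_1).length() + " chars, not " + roundTrip.length);
        Arrays.fill(roundTrip, '\0');
        Arrays.fill(bin.secret, (byte) 0);

        StringResource str = new StringResource();
        inject(cipher, configured, str);
        System.out.println("String setter: " + str.secret.length() + " chars, immutable, cannot be wiped");
    }
}
```

The ISO-8859-1 line is the charset point: the same decrypted bytes read with a different default charset produce a different character sequence, which is why the conversion is pinned to UTF-8 rather than left to `getBytes()` or `new String(byte[])`. The `Arrays.fill` calls only narrow the window during which the secret is live, which is Romain's side note: a heap dump taken before the wipe still contains it, and the String handed to `StringResource` cannot be wiped at all.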
