Great. I agree with you that it only fixes one part of the problem, but security is about layers and adding fences to the field, so add as many protections as you can.
On Tue, 3 Nov 2015 at 17:40, Romain Manni-Bucau (<[email protected]>) wrote:

> https://issues.apache.org/jira/browse/TOMEE-1651
>
> Side note: I know some security teams are kind of strict on this, but if you
> can dump the memory (char[] or String) you can do much more damage, so this
> only solves a very small part of the security risk you are exposed to if you
> fear it in your environment.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-11-03 7:16 GMT-08:00 Alex Soto <[email protected]>:
>
> > Yes, we already discussed it, but I think that it is more restrictive setting
> > the return type as String. Instead, and since Cipher returns a byte[], it
> > would be better in terms of security to return the byte[], and if the setter
> > that you are going to inject the value into is a String, then internally we
> > can convert to String. With the current implementation you need to pass to
> > the String yes or yes.
> >
> > For example, MongoClient allows you to use a char[] (to avoid creating a
> > String). You can read more at
> >
> > http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords-in-java
> >
> >
> > Alex.
> >
> > On Tue, 3 Nov 2015 at 15:05, Romain Manni-Bucau (<[email protected]>) wrote:
> >
> > > On 3 Nov 2015 05:01, "Alex Soto" <[email protected]> wrote:
> > > >
> > > > Hi, I know that you can write something like:
> > > >
> > > > VaultPassword = cipher:Static3DES:xMH5uM1V9vQzVUv5LG7YLA==
> > > >
> > > > in a resources.xml file for setting an encrypted password. My concern is
> > > > that since the password is decrypted using the decrypt method of the
> > > > PasswordCipher class, and since this method returns the value as a String,
> > > > this only works if the parameter is a String. This might be a problem since,
> > > > first of all, storing a password (clean password) in a String is a bad
> > > > practice because of memory dump attacks. And the second one is that if
> > > > your library requires a byte[] you need to do a transformation calling
> > > > getBytes, which means that there can be problems with Charsets.
> > > >
> > > > Since the Cipher class always returns a byte[], should it not be better to
> > > > return byte[] in this method as well?
> > > >
> > >
> > > I think we discussed it already: String is mandatory for most resources.
> > > Nothing prevents you from having a setter with a String but no String field.
> > >
> > > Good point about raw byte[], which is not supported yet - never saw the need
> > > until now, only String and char[].
> > >
> > > > Alex.
> > > >
> > >
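As an added illustration of the point argued in this thread (not TomEE code, and not the project's PasswordCipher interface), the following stand-alone Java class decrypts to a byte[] first, converts to char[] with an explicit charset, hands the char[] to a consumer that accepts one, and only builds a String when the target setter leaves no choice. The 3DES key, the cipher name, the consumer interface and the sample password are all constructed for the example; in particular the key is not TomEE's static key, so the printed value would not decrypt inside a real resources.xml.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example, not TomEE code: a cipher helper that returns the decrypted
// password as byte[] so the caller decides whether a String is ever created.
public final class BytesPasswordCipher {

    // HYPOTHETICAL 24-byte key standing in for a built-in static 3DES key.
    private static final byte[] KEY =
            "0123456789abcdef01234567".getBytes(StandardCharsets.US_ASCII);
    private static final String TRANSFORMATION = "DESede/ECB/PKCS5Padding";

    public static byte[] encrypt(byte[] plain) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "DESede"));
        return c.doFinal(plain);
    }

    // Returns raw bytes, as javax.crypto.Cipher does; no String is built here.
    public static byte[] decrypt(String base64) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "DESede"));
        return c.doFinal(Base64.getDecoder().decode(base64));
    }

    // byte[] -> char[] with an explicit charset. Using new String(bytes) or
    // getBytes() without a charset would silently use Charset.defaultCharset(),
    // which is the "problems with Charsets" mentioned in the thread.
    public static char[] toChars(byte[] bytes) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes));
        char[] chars = new char[cb.remaining()];
        cb.get(chars);
        if (cb.hasArray()) {
            Arrays.fill(cb.array(), '\0'); // wipe the decoder's intermediate copy
        }
        return chars;
    }

    // Hypothetical consumer that takes char[] (as MongoClient does) instead of String.
    interface CharPasswordSink {
        void setPassword(char[] password);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample: a non-ASCII password, to show why the charset matters.
        byte[] plain = "p\u00e4ssw\u00f6rd".getBytes(StandardCharsets.UTF_8);
        String stored = Base64.getEncoder().encodeToString(encrypt(plain));
        Arrays.fill(plain, (byte) 0);
        System.out.println("cipher:Static3DES:" + stored + "   (hypothetical key)");

        byte[] decrypted = decrypt(stored);
        char[] chars = toChars(decrypted);

        CharPasswordSink sink = pw -> System.out.println("sink got " + pw.length + " chars");
        sink.setPassword(chars);

        // Only when the injected setter's parameter type is String do we build one;
        // that String cannot be cleared afterwards and stays in the heap until GC.
        String forStringSetter = new String(decrypted, StandardCharsets.UTF_8);
        System.out.println("String setter would receive " + forStringSetter.length() + " chars");

        // Zero everything we still control.
        Arrays.fill(decrypted, (byte) 0);
        Arrays.fill(chars, '\0');
    }
}
```

Run with `javac BytesPasswordCipher.java && java BytesPasswordCipher`. The byte[] path lets a caller wipe the buffer as soon as the consumer has copied what it needs; the String path exists only for setters that demand it, which is the trade-off the thread lands on.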
