
Why does Spring Security not provide character array parameters for passwords

If the best practice for handling sensitive data in Java is to use character arrays, why do most methods in Spring Security use String or CharSequence? For example the methods on Encryptors take CharSequence. In fact, looking at the source code of those methods, they actually end up converting the CharSequence to a String. Since the folks on that project have more lifetimes of experience in these matters than I will ever have, I feel like I must be missing something. Does anyone have any insight into how to pass sensitive data to these methods?

baron1405 asked Jul 22 '17 01:07



People also ask

Why is a String not used for storing passwords, and a char array preferred instead?

Since String is immutable, there is no method that allows us to change or overwrite the contents of the string. This makes String objects unsuitable for storing secure information such as passwords, SSNs, etc. Secure information should always be stored in a char[] array rather than a String.

Does spring security support password encoding?

Spring Security supports many password encoders, for both old and modern algorithms. Also, Spring Security provides methods to work with multiple password encodings in the same application.

Why is char [] preferred over string for passwords in Java?

Since Strings are immutable, the contents of a String cannot be changed, because any change produces a new String, whereas with a char[] you can still set all the elements to blank or zero. So storing a password in a character array mitigates the risk of the password being read out of memory.



1 Answer

You really cannot do much to reduce the life of the password in a Servlet container because the HttpServletRequest returns the HTTP parameters as a String. So Spring Security could take all the measures in the world to reduce the lifetime of the password but it wouldn't make a difference because the String would already exist.

-Rob Winch (Spring Security)

Source

Kyle Anderson answered Oct 21 '22 14:10

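An added example (not code from the question, the answer, or Spring Security itself) that shows both points above: a char[] can be handed to a CharSequence-taking method through a CharBuffer view without ever creating a String, and wiping the array afterwards really does erase it, but the moment the callee calls toString() (as the question observes Encryptors doing) an immutable copy escapes that no wipe can reach. The two consumer methods are hypothetical stand-ins, not Spring API.

```java
import java.nio.CharBuffer;
import java.util.Arrays;

public class PasswordLifetimeDemo {

    // Hypothetical stand-in for a CharSequence API that converts to String
    // internally, which is the behaviour the question observes in Encryptors.
    static String copyingConsumer(CharSequence password) {
        return password.toString();            // an immutable copy now lives on the heap
    }

    // Hypothetical stand-in for an API that only reads characters via the interface.
    // Returns how many non-zero characters it could see.
    static int nonCopyingConsumer(CharSequence password) {
        int live = 0;
        for (int i = 0; i < password.length(); i++) {
            if (password.charAt(i) != '\0') live++;
        }
        return live;
    }

    public static void main(String[] args) {
        // Constructed sample. In real code the char[] would come from a source that
        // never builds a String, e.g. System.console().readPassword().
        char[] secret = {'h', 'u', 'n', 't', 'e', 'r', '2'};

        // CharSequence view over the same backing array: no String is created here.
        CharBuffer view = CharBuffer.wrap(secret);

        int liveBefore = nonCopyingConsumer(view);   // 7: all characters readable
        String escaped = copyingConsumer(view);      // a String copy now exists

        Arrays.fill(secret, '\0');                   // wipe the only buffer we control

        int liveAfter = nonCopyingConsumer(view);    // 0: the view reflects the wipe
        System.out.println("live chars before/after wipe: " + liveBefore + "/" + liveAfter);

        // The String copy is untouched by the wipe and remains until the GC
        // reclaims it (and even then the bytes may linger in the old heap region).
        System.out.println("String copy still readable: " + escaped);

        // In a Servlet container the parameter arrives as a String from
        // request.getParameter(...), so the copy exists before Spring Security
        // ever sees the value, which is the point of the answer above.
    }
}
```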