Reputation: 55
Whilst handling passwords in Java, it's my understanding that they should always be handled in char[]s to allow GC and remove hanging references.
My question is: would
char[] password = String.valueOf(authentication.getCredentials()).toCharArray();
cause the value of authentication.getCredentials() to be interned or not?
Upvotes: 3
Views: 758
Reputation: 73558
String.valueOf() doesn't intern Strings. The only way to intern Strings during runtime is with password.intern(). There's no need to use char[] for passwords. Using char[] allows you to clear the array directly after use, narrowing the attacker's timeframe to dump the memory and retrieve the plaintext password.
A String by itself is nothing special to the GC. Interning affects it a bit, but in regular use you wouldn't encounter anything out of the ordinary.
Upvotes: 2
Reputation: 7267
It's not a question of interning the String; any security concerns around using Strings to store passwords arise from the amount of time they are present in memory.
With a char array you have the ability to wipe the contents once you've finished reading them. With a String (which is immutable) you're left relying on the garbage collector, which means that if someone has access to your server and dumps the memory there may be a password visible.
Upvotes: 2
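Both answers come down to the same point: a char[] can be wiped as soon as it has been used, a String cannot. The example below is added here and is not from the question or either answer; it shows the question's own String.valueOf(...).toCharArray() line, the wipe in a finally block, and the caveat that the intermediate String it creates cannot be cleared. credentialsFromRequest() is a hypothetical stand-in for authentication.getCredentials(), and the salt and password are constructed sample values.

```java
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {

    // Hypothetical stand-in for authentication.getCredentials(): in the question's
    // code the credentials object is turned into a String before toCharArray().
    static Object credentialsFromRequest() {
        return "correct horse battery staple"; // constructed sample value
    }

    // Uses the password as a char[] (PBEKeySpec takes char[] for exactly this reason)
    // and clears the spec's internal copy once the key has been derived.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the chars; wipe it too
        }
    }

    public static void main(String[] args) throws Exception {
        Object creds = credentialsFromRequest();
        // As in the question: String.valueOf() does not intern, but it does produce
        // (or, when the credential already is a String, simply return) an immutable
        // String that cannot be wiped and stays in the heap until the GC reclaims it.
        char[] password = String.valueOf(creds).toCharArray();
        byte[] salt = new byte[16]; // constructed: a real salt comes from SecureRandom
        try {
            byte[] key = deriveKey(password, salt);
            System.out.println("derived key bytes: " + key.length);
        } finally {
            Arrays.fill(password, '\0'); // the char[] copy is cleared immediately
        }
        // To avoid the String copy entirely, obtain the credential as char[] at the
        // source, e.g. System.console().readPassword() returns char[] without ever
        // building a String.
    }
}
```

The wipe only covers the char[] copy; whatever the credentials object holds internally (a String, in the question's case) still waits for the garbage collector.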