
I am transmitting a password through HTTP(S) to an HttpServlet as a parameter. To get the password I am using the Servlet's getParameter(String) method, which returns a String. But passwords should be handled with char[], as mentioned here.

Well, what I want to know is: How can I process a password securely within a Java Servlet? Is my solution with getParameter(String) the only one or are there better options?

Please keep in mind that I am NOT interested in how to transmit a password securely (I am expecting that the transmission is secure - maybe with SSL or something else).

Thanks in advance :)

Edit: I forgot to mention that I am not using the password myself (for some kind of access restrictions for my application). I am just forwarding the password (so you could say my WebApp is something like a remote control).

Jan
    Very good question, but the answer is that you shouldn't be processing passwords at all. You should be using Container Managed Authentication (CMA). The only occasion you should handle a password yourself is in change-profile or change-password requests. – user207421 Aug 27 '15 at 11:13
  • @EJP Oh you're completely right, I just forgot to mention something from my problem domain. I am not using the password myself (for access to my webapp), I am just forwarding it like a "remote control" to windows cmd, which requires the password. I'll edit that. – Jan Aug 27 '15 at 11:22
  • Well you're stuck with the fact that `HttpServletRequest.getParameter()` returns a string. But it's only referenced during the life of the request, unless you stash a reference yourself, which you shouldn't do. – user207421 Aug 27 '15 at 11:41

2 Answers


If your login parameter is sent in a POST request and contained in the request content, you could parse the content yourself and put the password in a char array.

You need to do this before any call to request.getParameter(String) is made, since this will make the container read and parse the content. This only works if the servlet container lazily initializes its parameter map.

wero
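What that parsing can look like, as an added example rather than code from wero's answer: a servlet that reads the raw `application/x-www-form-urlencoded` body, percent-decodes only the password field straight into a `char[]`, and wipes every intermediate buffer when it is done. It assumes a `javax.servlet` container, a form field named `password`, and a hypothetical `forwardPassword(char[])` hook standing in for whatever the question's "remote control" hands the password to; `readBody`, `extractField` and `decodeValue` are names chosen here.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CharArrayPasswordServlet extends HttpServlet {
    private static final String PASSWORD_FIELD = "password"; // assumed form field name
    private static final int MAX_BODY = 8 * 1024;            // upper bound for the form body

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Nothing before this point may call req.getParameter(...): the container would then
        // parse the body itself and keep the password as a String in its parameter map.
        String ct = req.getContentType();
        if (ct == null || !ct.toLowerCase().startsWith("application/x-www-form-urlencoded")) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE); return;
        }
        byte[] body = readBody(req.getInputStream(), MAX_BODY);
        char[] password = null;
        try {
            password = extractField(body, PASSWORD_FIELD);
            if (password == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
            forwardPassword(password);
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } finally {
            // Wipe every buffer that held the secret, on success and on error alike.
            Arrays.fill(body, (byte) 0);
            if (password != null) Arrays.fill(password, '\0');
        }
    }

    /** Hypothetical downstream hook: pass the char[] on without ever creating a String. */
    protected void forwardPassword(char[] password) { }

    /** Reads the whole body into an exactly sized array; rejects bodies larger than max. */
    static byte[] readBody(InputStream in, int max) throws IOException {
        byte[] buf = new byte[max];
        int n = 0, r;
        while (n < max && (r = in.read(buf, n, max - n)) > 0) n += r;
        if (n == max && in.read() >= 0) throw new IOException("body exceeds " + max + " bytes");
        byte[] exact = Arrays.copyOf(buf, n);
        Arrays.fill(buf, (byte) 0);
        return exact;
    }

    /** Walks the key=value&key=value pairs and decodes only the wanted value, straight to char[]. */
    static char[] extractField(byte[] body, String name) throws IOException {
        byte[] key = name.getBytes(StandardCharsets.US_ASCII);
        int i = 0;
        while (i < body.length) {
            int end = indexOf(body, (byte) '&', i, body.length);
            int eq = indexOf(body, (byte) '=', i, end);
            if (eq - i == key.length && regionMatches(body, i, key)) {
                return decodeValue(body, Math.min(eq + 1, end), end);
            }
            i = end + 1;
        }
        return null; // field not present
    }

    private static int indexOf(byte[] a, byte b, int from, int to) {
        for (int i = from; i < to; i++) if (a[i] == b) return i;
        return to; // not found: the end of the region
    }

    private static boolean regionMatches(byte[] a, int off, byte[] key) {
        for (int i = 0; i < key.length; i++) if (a[off + i] != key[i]) return false;
        return true;
    }

    /** Percent-decodes body[from, to) and converts the UTF-8 bytes to chars, wiping intermediates. */
    private static char[] decodeValue(byte[] body, int from, int to) throws IOException {
        byte[] raw = new byte[to - from];
        int n = 0;
        try {
            for (int i = from; i < to; i++) {
                byte b = body[i];
                if (b == '+') { raw[n++] = ' '; continue; }
                if (b != '%' || i + 2 >= to) { raw[n++] = b; continue; }
                int hi = Character.digit(body[i + 1] & 0xFF, 16), lo = Character.digit(body[i + 2] & 0xFF, 16);
                if (hi < 0 || lo < 0) throw new IOException("bad percent-encoding");
                raw[n++] = (byte) ((hi << 4) | lo);
                i += 2;
            }
            CharBuffer cb = StandardCharsets.UTF_8.newDecoder().decode(ByteBuffer.wrap(raw, 0, n));
            char[] out = new char[cb.remaining()];
            cb.get(out);
            if (cb.hasArray()) Arrays.fill(cb.array(), '\0'); // the decoder's own heap buffer
            return out;
        } finally {
            Arrays.fill(raw, (byte) 0);
        }
    }
}
```

Two practical checks go with this. Any filter, security framework or access-log component that calls `getParameter()` before `doPost` runs will already have parsed the body, so confirm the filter chain and the container's lazy-parsing behaviour rather than assuming it. And `Arrays.fill` only clears the copies this code controls: the socket buffers and any copies the container made on the way in are outside its reach, which is why the question's HTTPS assumption and a short request lifetime still matter.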

"Teleporter" approach:

Have JavaScript break the password into parameters of 1 character each. Reassemble directly into a char array at the server side.

Calvin
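The server-side half of that scheme, as an added example and not Calvin's code: parameters that each carry one character are reassembled into a `char[]`. The parameter names `pw.len`, `pw.0`, `pw.1`, ... and the cap of 256 characters are assumptions made here; the client would send the length plus one field per character (ASCII or other BMP characters, since a lone UTF-16 surrogate does not survive form encoding). The core takes a name-to-value lookup function so it can be exercised without a container.

```java
import java.util.Arrays;
import java.util.function.Function;
import javax.servlet.http.HttpServletRequest;

/** Reassembles a password that arrived as one-character parameters (hypothetical naming). */
public final class SplitPasswordReassembler {
    static final String PREFIX = "pw.";   // assumed: pw.len, pw.0, pw.1, ...
    static final int MAX_LEN = 256;       // assumed upper bound; rejects absurd lengths

    /** Servlet entry point: parameter order is not guaranteed, so the index lives in the name. */
    static char[] reassemble(HttpServletRequest req) {
        return reassemble(req::getParameter);
    }

    /** Returns the password as char[], or null if the parameters are missing or malformed. */
    static char[] reassemble(Function<String, String> param) {
        int len;
        try {
            len = Integer.parseInt(param.apply(PREFIX + "len")); // parseInt(null) also throws
        } catch (NumberFormatException e) {
            return null;
        }
        if (len < 0 || len > MAX_LEN) return null;
        char[] out = new char[len];
        for (int i = 0; i < len; i++) {
            String piece = param.apply(PREFIX + i);
            if (piece == null || piece.length() != 1) {
                Arrays.fill(out, '\0'); // do not leave a partial secret behind
                return null;
            }
            out[i] = piece.charAt(0);
        }
        return out;
    }
}
```

The caller owns the returned array and should `Arrays.fill(out, '\0')` once it has been forwarded. Note what this does and does not buy: `getParameter()` still materialises each single-character value as a String in the container's parameter map (and in any request log that records parameters), so the secret is fragmented on the heap rather than absent from it; the gain over one `getParameter("password")` call is that no single String object holds the whole value.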