
In my application I am getting values like the password and user access token in the memory of the Tomcat image when I try to read it using Process Hacker.

Is there any way to clear these stored values?

manoj
  • No. Tomcat needs these values in the clear during processing, and due to how Java manages memory, there is no way to reliably erase it from memory once processing is done. However, what are you trying to protect against? Anyone who has full read access to in-process memory on your server can probably already do as they please. – Thilo May 20 '16 at 09:39

1 Answer


Depending on how you get your passwords: If you get them as String already: Almost no chance to get rid of it. If you get them as char[], you can clear the array after use. This question and its answers have a good discussion on the reasons to use char[] for passwords.

Technically, yes, you could trigger garbage collection by calling System.gc(), which has its own problems.

Olaf Kock
  • I am already getting password as String in my code. Is there any other way to avoid this issue instead of using char[]? – manoj May 20 '16 at 09:49
  • Nope, but as @Thilo says in the comment to your question: If someone can read the memory of your application, you're toast anyway. In this case they can also inject code, and they'd also have access *while* you're legitimately using the value. I'd say that this should be one of your least worries in terms of attack vectors. – Olaf Kock May 20 '16 at 09:52
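The char[] approach from the answer above, as an added example that is not part of the original post: the password stays in a char[] from input to verification and every copy the code controls is zeroed afterwards. The class and method names and the PBKDF2 iteration count are assumptions chosen for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordWipeExample {          // hypothetical class name

    // Derive a verifier from the password without ever building a String from it.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        // 210_000 iterations is an assumed parameter, not a value from the page.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();           // PBEKeySpec holds its own copy; wipe it too
        }
    }

    // Checks the attempt and zeroes the caller's array whether or not it matched.
    static boolean verify(char[] password, byte[] salt, byte[] expected) throws Exception {
        try {
            byte[] actual = derive(password, salt);
            try {
                return MessageDigest.isEqual(actual, expected);
            } finally {
                Arrays.fill(actual, (byte) 0);
            }
        } finally {
            Arrays.fill(password, '\0');    // only possible because this is not a String
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample value; real input would arrive as char[],
        // for example from java.io.Console.readPassword().
        char[] enrol = {'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd'};
        byte[] stored = derive(enrol, salt);
        Arrays.fill(enrol, '\0');

        char[] attempt = {'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd'};
        System.out.println("match: " + verify(attempt, salt, stored));
        System.out.println("attempt wiped: " + (attempt[0] == '\0'));
    }
}
```

Zeroing shortens the time the value is readable but does not guarantee removal, since the garbage collector may have moved the array and left an older copy behind. A value that already arrived as a String, such as the result of `request.getParameter(...)`, cannot be wiped this way.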