I feel strings can replace character arrays in all scenarios. Even considering the immutability of Strings, declaring strings in an appropriate scope and Java's garbage collection should help us avoid any memory leaks. I want to know if there is any corner case where a character array should be used instead of a String in Java.
- This question is so broad it is meaningless. Are there cases? Yes. What are they? It depends. – Joakim Danielson Sep 22 '18 at 10:24
- Simple Rules To Live By: The answer to any question that begins with "Is there **any** way to/scenario where/circumstance when..." is almost always "Yes". – Kevin Anderson Sep 22 '18 at 10:36
- Why would they even bother to have char arrays in the language if using strings was always better? Huh. – Marco Bonelli Sep 22 '18 at 11:28
- @MarcoBonelli: Well, you can have arrays of all types, so as long as they still have a `char` type, there will always be `char[]` (and `char[][]` and `char[][][]`) as well (even if there was no real use for it) – Thilo Sep 22 '18 at 11:31
- This is not a broad nor a bad question IMHO. It seems natural to use a `String` for storing strings in an application. In many libraries we see APIs which force us to use character arrays in some scenarios though. There are a few common reasons for that and I guess it's these motivations the OP is asking about. Maybe the question could be clearer but it's a good question. – jannis Sep 22 '18 at 13:23
- Could the downvoters kindly justify their -1? – jannis Sep 22 '18 at 21:08
4 Answers
Character arrays have some slight advantage over plain strings when it comes to storing security-sensitive data. There are a lot of resources on that, for example this question: Why is char[] preferred over String for passwords? (with an answer by Jon Skeet himself).
In general it boils down to two things:
- You have very little influence on how long a `String` stays in memory. Because of that you might leak sensitive data through a memory dump.
- Leaking sensitive data accidentally in application logs as clear text is much more likely with plain strings.
More reading:
- Why we read password from console in char array instead of String
- https://www.codebyamir.com/blog/use-character-arrays-to-store-sensitive-data-java
- https://www.geeksforgeeks.org/use-char-array-string-storing-passwords-java/amp/
- https://www.baeldung.com/java-storing-passwords
- https://javarevisited.blogspot.com/2012/03/why-character-array-is-better-than.html
- https://javainsider.wordpress.com/2012/12/10/character-array-is-better-than-string-for-storing-password-in-java/amp/

String is a class, not a built-in type. It most likely does what it does by using a char array underneath, but there is no guarantee. "We don't care how it is implemented". It has methods that make sense for strings, like comparing strings. Comparing arrays?? Hmm. Doesn't really make sense to do it. You could check if they are equal sure, but less or greater than...
Back on point. One scenario is you want to operate with chars, not a string. For example you have letters of the alphabet and want to sort them. Or grades in an A-F system and you want to sort them. Generally where it makes sense having chars that are not connected to have some meaning together (like in a message string, or a text message). You would not generally need to sort the chars of a text message now, would you? So, you use an array. To sort, you can take advantage of the `Arrays.sort()` method for example, while I don't think there is a method that does it for strings. Perhaps 3rd-party libraries.
On another note (unrelated to the question), you can use StringBuilder if you want to modify strings often. It's better at performance.

You don't have to look much further than at methods in the JDK core API that use `char[]`.
Such as this one (java.io.Reader):

```java
public int read(char[] cbuf)
         throws IOException
```

Reads characters into an array. This method will block until some input is available, an I/O error occurs, or the end of the stream is reached.
- Parameters: `cbuf` - Destination buffer
- Returns: The number of characters read, or -1 if the end of the stream has been reached
- Throws: `IOException` - If an I/O error occurs

Instead of returning a `String` they ask you to pass in a `char[]` to use as a buffer to write the result into. The reason is efficiency.

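The buffer-passing style described in the answer above, as an added example that is not part of the original answer: it drains a `Reader` into a `char[]` without ever creating a `String`, handling short reads and the `-1` end-of-stream value. It uses the three-argument overload `read(char[], int, int)`; the class name, initial buffer size and sample input are assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.Arrays;

public class ReadIntoBuffer {

    /** Reads everything from 'in' into a char[] without ever creating a String. */
    static char[] readAll(Reader in) throws IOException {
        char[] buf = new char[8];          // deliberately small to force growth
        int len = 0;
        while (true) {
            if (len == buf.length) {       // buffer full: grow, then wipe the old copy
                char[] bigger = Arrays.copyOf(buf, buf.length * 2);
                Arrays.fill(buf, '\0');
                buf = bigger;
            }
            // read() may return fewer chars than requested; -1 means end of stream
            int n = in.read(buf, len, buf.length - len);
            if (n == -1) {
                break;
            }
            len += n;
        }
        char[] result = Arrays.copyOf(buf, len);
        Arrays.fill(buf, '\0');            // wipe the working buffer
        return result;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input; a real caller would wrap a socket or file stream.
        // The literal below is itself a String, which is acceptable only in a demo.
        try (Reader in = new StringReader("constructed-sample-secret")) {
            char[] data = readAll(in);
            try {
                System.out.println("read " + data.length + " chars");
            } finally {
                Arrays.fill(data, '\0');   // the caller decides when the data disappears
            }
        }
    }
}
```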
You might know that String is immutable and how substring can cause a memory leak in Java. Since Strings are immutable in Java, if you store a password as plain text it will be available in memory until the garbage collector clears it, and since Strings are used in the String pool for reusability there is a pretty high chance that it will remain in memory for a long duration, which poses a security threat, since anyone who has access to a memory dump can find the password in clear text. Since Strings are immutable there is no way the contents of a String can be changed, because any change will produce a new String, while if you use a char[] you can still set all its elements to blank or zero. So storing a password in a character array clearly mitigates the security risk of stealing the password.

- I was reading a thread on SO related to this topic and found an interesting comment related to password security. "If someone got access to the memory where application is running, whether or not to store passwords in a String is a least problem at the moment" – Maxim Sep 22 '18 at 10:57
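The two points made in the answers about sensitive data (controlling how long the secret lives, and accidental logging), as an added example that is not code from any of the posts. It uses the JDK's `PBEKeySpec`, one of the APIs that takes a password as `char[]`; the class name, the iteration count and the sample password are assumptions chosen for the illustration.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordAsCharArray {

    /** Derives a 256-bit key with PBKDF2; the JDK API takes the password as char[]. */
    static byte[] deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        // 100_000 iterations is an assumed value for this demo
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec)
                                   .getEncoded();
        } finally {
            spec.clearPassword();          // PBEKeySpec keeps its own copy; wipe it too
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample; a real program could use System.console().readPassword(),
        // which returns a char[].
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        try {
            // Accidental logging: concatenating a char[] prints its type and hash
            // ("[C@..."), not the characters. A String here would print the secret.
            // Caveat: System.out.println(password) on its own WOULD print the characters.
            System.out.println("login attempt with " + password);
            byte[] key = deriveKey(password, salt);
            System.out.println("derived " + key.length + " key bytes");
        } finally {
            Arrays.fill(password, '\0');   // contents are gone now, not whenever GC runs
        }
        System.out.println("first char is NUL after wipe: " + (password[0] == '\0'));
    }
}
```

Wiping only covers the arrays this code controls; copies made elsewhere (for example by a UI toolkit or by converting to a `String` at any point) are not affected.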