
I was working on an issue where a password was getting stored in Java process memory, since the password is kept in a String (and hence gets stored in the string pool). I made code changes to use a char[] instead. Now the issue is that my application consumes another service via a POST call, and while setting:

conn.setRequestProperty(key, headers.get(key));

I must convert the char[] to a String and thereby create an entry in the string pool. So is there a way to handle this issue, i.e. the password should not get stored in process memory no matter what, or, in the worst case, is there any way to minimize its lifetime in the string pool?

abyin007
    Would this help? https://stackoverflow.com/questions/51242150/java-equivalent-of-securestring – Harish Vishwakarma Sep 09 '19 at 06:38
  • This can spark quite a fiery discussion, as explained in [How can I ensure the destruction of a String object in Java?](https://stackoverflow.com/a/5241096/4648586). Though Harish suggested using `GuardedString`, you might still end up with the string somewhere, like in that `headers` dictionary instance. – Bagus Tesa Sep 09 '19 at 06:47
    Why don't you try encrypting and decrypting passwords when using char[]? – dgupta3091 Sep 09 '19 at 06:47
  • Only constants and interned Strings go to the String pool, not all Strings. Using `char[]` just allows you to erase the contents (which String doesn't allow, since it's immutable). – Kayaman Sep 09 '19 at 09:17
  • Sorry for going off topic, but don't you think that a password in an HTTP header is insecure? So what's the sense in guarding an insecure password? – Andrew Fomin Jul 06 '20 at 17:59
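Worked example of the mitigation the question and comments are circling around: keep the secret in arrays you can overwrite, build the header value without ever creating a String that contains the password on its own, create the one String that `setRequestProperty` forces on you at the call site instead of parking it in a long-lived `headers` map, and wipe every array afterwards. This is an added example, not code from the original post; the class name `ShortLivedCredential`, the method names and the user name/password sample are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class ShortLivedCredential {

    // Build "Basic <base64(user:password)>" as a byte[] so that every intermediate
    // copy is an array we can overwrite. No String holding the password is created.
    static byte[] basicAuthValue(String user, char[] password) {
        char[] userPass = new char[user.length() + 1 + password.length];
        user.getChars(0, user.length(), userPass, 0);
        userPass[user.length()] = ':';
        System.arraycopy(password, 0, userPass, user.length() + 1, password.length);

        // CharBuffer.wrap does not copy; Charset.encode gives us a heap ByteBuffer
        // whose backing array we can zero afterwards.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(userPass));
        byte[] raw = new byte[encoded.remaining()];
        encoded.get(raw);
        byte[] b64 = Base64.getEncoder().encode(raw);

        // Wipe the intermediates we control: the char[] copy, the encoder's output
        // buffer (clear() resets position/limit so the whole capacity gets zeroed)
        // and the raw UTF-8 bytes.
        Arrays.fill(userPass, '\0');
        encoded.clear();
        while (encoded.hasRemaining()) encoded.put((byte) 0);
        Arrays.fill(raw, (byte) 0);

        byte[] prefix = "Basic ".getBytes(StandardCharsets.US_ASCII);
        byte[] value = new byte[prefix.length + b64.length];
        System.arraycopy(prefix, 0, value, 0, prefix.length);
        System.arraycopy(b64, 0, value, prefix.length, b64.length);
        Arrays.fill(b64, (byte) 0);
        return value;
    }

    // Send the POST. The String handed to setRequestProperty is unavoidable, so it is
    // created right here, held in no field or Map, and the byte[] it was made from is
    // wiped as soon as the header has been set.
    static int post(URL url, String user, char[] password, byte[] body) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        byte[] headerValue = basicAuthValue(user, password);
        try {
            conn.setRequestProperty("Authorization",
                    new String(headerValue, StandardCharsets.US_ASCII));
        } finally {
            Arrays.fill(headerValue, (byte) 0); // base64 of the password is still the password
        }
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) {
        // Constructed sample input. A real caller reads the password into the char[]
        // from Console.readPassword() or a secrets store, never from a String literal
        // (a literal is a constant and therefore really is interned).
        char[] password = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        try {
            byte[] value = basicAuthValue("alice", password);
            System.out.println("header value: " + new String(value, StandardCharsets.US_ASCII));
            Arrays.fill(value, (byte) 0);
        } finally {
            Arrays.fill(password, '\0'); // the caller owns the char[] and wipes it last
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, as Kayaman's comment says, `new String(bytes, charset)` is not interned (only compile-time constants and explicit `intern()` calls reach the pool), so the problem is not the pool at all; it is that the String's backing array cannot be overwritten and stays on the heap until the garbage collector reclaims it, and the `HttpURLConnection` keeps its own copy of the header until the connection object is collected, while the TLS layer buffers the encoded request bytes. A heap dump, core dump or swap taken in that window will still contain the credential. Second, `Charset.encode` may allocate and discard intermediate buffers while it grows its output for larger inputs, and those copies are out of reach. So this approach shortens the lifetime of the secret and removes the long-lived copies (the `headers` map, fields, logged request objects); it does not guarantee the password is never in process memory, which no JVM API offers.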

0 Answers