
I am working on an application where I need to retrieve a password from an external REST API and transmit that password to the end user. Using Spring Boot WebClient I was able to retrieve the password from the external API. My code looks like this:

WebClient.create()
         .post().uri(baseURL+passwordvalueURL.replace("<account_id>", id))
         .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
         .header(HttpHeaders.AUTHORIZATION, token)
         .body(Mono.just("{\"reason\" : \"Retrieve password for end user\"}"), String.class).retrieve()
         .bodyToMono(char[].class).block();

I get an error message like this:

org.springframework.web.reactive.function.UnsupportedMediaTypeException: Content type 'text/html;charset=utf-8' not supported for bodyType=char[]

But when I change the response body type to String, the API call works fine.

(bodyToMono(char[].class) to bodyToMono(String.class))

My concern is that I don't want to store the password in a String since it's immutable. How can I overcome this security issue? Any help is much appreciated.

  • What is the security issue here? Can you explain what you mean by "String since it's immutable"? – Ashish Gupta Dec 22 '20 at 15:37
  • If I have passwords saved in a String, even if there isn't any reference to it, it will be available in memory (we can't guarantee when GC will run); if the process crashes it will be available in system logs, or an attacker can take a heap dump and get the password from memory. – Giri Dec 22 '20 at 17:34
  • https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords – Giri Dec 22 '20 at 17:35

0 Answers
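The question has no answer on the page; the following is an added example (not the asker's code and not part of the Spring project) of one way to keep the secret out of a java.lang.String. WebClient ships a byte[] decoder that accepts any Content-Type, so the 'text/html' response that the char[] decoder rejects can be read as raw bytes and decoded into a char[] directly; both arrays are then zeroed by the caller. The URL, token and JSON reason body are placeholders assumed for the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.Consumer;

import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/** Added example: fetch a secret as bytes, decode to char[], wipe everything after use. */
public class SecretFetcher {

    private final WebClient client = WebClient.create();

    /**
     * Retrieves the secret from the external API as a char[].
     * bodyToMono(byte[].class) is served by Spring's ByteArrayDecoder, which supports
     * all media types, so a 'text/html' response does not raise UnsupportedMediaTypeException.
     * The caller owns the returned array and must wipe it (see useSecret below).
     */
    public char[] fetchPassword(String url, String token) {
        byte[] raw = client.post()
                .uri(url)   // placeholder: caller builds the per-account URL
                .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
                .header(HttpHeaders.AUTHORIZATION, token)
                .body(Mono.just("{\"reason\" : \"Retrieve password for end user\"}"), String.class)
                .retrieve()
                .bodyToMono(byte[].class)
                .block();
        if (raw == null) {
            return new char[0];
        }
        try {
            return decodeToChars(raw);
        } finally {
            Arrays.fill(raw, (byte) 0);   // wipe the encoded copy as soon as it is decoded
        }
    }

    /** Decodes UTF-8 bytes into a fresh char[] without ever creating a String. */
    static char[] decodeToChars(byte[] raw) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        char[] out = new char[cb.remaining()];
        cb.get(out);
        if (cb.hasArray()) {
            Arrays.fill(cb.array(), '\0');   // the decoder's own heap buffer holds a copy; clear it
        }
        return out;
    }

    /**
     * Runs the consumer (e.g. writing the secret into the response to the end user)
     * and guarantees the array is zeroed afterwards, even if the consumer throws.
     */
    public void useSecret(String url, String token, Consumer<char[]> consumer) {
        char[] secret = fetchPassword(url, token);
        try {
            consumer.accept(secret);
        } finally {
            Arrays.fill(secret, '\0');
        }
    }
}
```

Two caveats a practitioner would want. First, this only removes the String copy that the application itself creates; the HTTP client still receives the response into its own internal buffers, and this code cannot zero those, so a heap dump or crash dump may still contain the value for a while. Second, anything downstream that calls new String(chars) (a JSON serializer, a logger, a template engine) silently recreates the immutable copy, so the consumer passed to useSecret should write the char[] out via a Writer or similar char-based API rather than converting it.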