
While looking at the Spring Security DaoAuthenticationProvider implementation I noticed that credentials are stored as Strings, like in the example below:

String presentedPassword = authentication.getCredentials().toString();

that can be found here: https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java#L75

From what I've learned, a good practice is to handle passwords as byte arrays due to String immutability. Is there something I am not aware of regarding String security in Java?

  • Mutable strings? Must be some new feature I am not aware of... Last time I checked [javadoc](https://docs.oracle.com/javase/7/docs/api/java/lang/String.html) it clearly states strings are **immutable**. This applies for any Java version. – Chaosfire Apr 08 '22 at 14:10
  • My bad, I fixed the error, although the question is still valid. – Piotr Januszek Apr 08 '22 at 14:16
  • @Chaosfire strings are put in the string pool, and they stay there until the garbage collector kicks in. So using a String to access secrets and other credentials is really bad. It will still be in the heap space. So this might be a security concern. – Amimul Ehsan Rahi Apr 08 '22 at 15:28
  • @AmimulEhsanRahi I was commenting on the claim that strings are mutable, which OP fixed. I am aware of why strings are a concern when it comes to passwords - it's explained in great detail [here](https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords). Spring has a way to ensure that sensitive data is erased - `CredentialsContainer`, so that it becomes available for garbage collection faster. Still, I don't know if additional steps are taken to address the issue raised by OP. I'm afraid that I'm not qualified enough to comment on that. – Chaosfire Apr 08 '22 at 16:20
  • The same question was asked on GitHub, you can read the explanation [here](https://github.com/spring-projects/spring-security/issues/3254). – Eleftheria Stein-Kousathana Apr 13 '22 at 10:45
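As an added illustration of the practice the question refers to (example code written for this page, not Spring Security's code and not the OP's): keep the password in a char[], derive the verification hash straight from that array, and overwrite the array as soon as the check is done. It uses only the JDK. The class and method names (ErasableCredentials, deriveKey, matches) are made up for the example, and eraseCredentials() only mirrors the shape of Spring's CredentialsContainer rather than implementing that interface, so it compiles without Spring on the classpath. The sample password and salt are constructed inline.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Example class for this page (not Spring Security code): holds a password as a
 * mutable char[], hashes it with PBKDF2 without ever building a String, and
 * zeroes the buffer afterwards. A String copy could never be overwritten.
 */
public final class ErasableCredentials {

    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;

    private final char[] password;   // mutable, so it can be wiped in place
    private boolean erased;

    public ErasableCredentials(char[] password) {
        // Defensive copy; the caller remains responsible for wiping its own array.
        this.password = password.clone();
    }

    /** Same idea as CredentialsContainer.eraseCredentials() in Spring: overwrite the secret. */
    public void eraseCredentials() {
        Arrays.fill(password, '\0');
        erased = true;
    }

    public boolean isErased() {
        return erased;
    }

    /** PBKDF2 directly from the char[]; PBEKeySpec takes char[] and can be cleared as well. */
    public byte[] deriveKey(byte[] salt) throws Exception {
        if (erased) {
            throw new IllegalStateException("credentials already erased");
        }
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // PBEKeySpec keeps its own copy of the chars; zero that too
        }
    }

    /** Constant-time comparison of the derived key against the stored hash. */
    public boolean matches(byte[] salt, byte[] storedHash) throws Exception {
        byte[] candidate = deriveKey(salt);
        try {
            return MessageDigest.isEqual(candidate, storedHash);
        } finally {
            Arrays.fill(candidate, (byte) 0);   // the derived key is secret material as well
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample. Note the caveat: the literal itself is an interned String
        // that cannot be wiped; real code would get a char[] from something like
        // Console.readPassword(), which never creates a String.
        char[] enrolled = "correct horse battery staple".toCharArray();
        ErasableCredentials enrol = new ErasableCredentials(enrolled);
        byte[] storedHash = enrol.deriveKey(salt);   // what a user store would keep, with the salt
        enrol.eraseCredentials();
        Arrays.fill(enrolled, '\0');

        // Login attempt: every char[] copy is zeroed as soon as the check completes.
        char[] presented = "correct horse battery staple".toCharArray();
        ErasableCredentials attempt = new ErasableCredentials(presented);
        boolean ok = attempt.matches(salt, storedHash);
        attempt.eraseCredentials();
        Arrays.fill(presented, '\0');

        System.out.println("password matches: " + ok);
        System.out.println("attempt buffer erased: " + attempt.isErased());
    }
}
```

The caveat this example cannot remove is where the password comes from. In a Spring form login the presented password normally reaches the provider through HttpServletRequest.getParameter(), which returns a String, so by the time DaoAuthenticationProvider sees it a String copy already exists on the heap and nothing in Java can overwrite it; it is gone only when the collector reclaims it. Zeroing a char[] inside the provider therefore removes only the copies the provider makes itself, which is a narrower benefit than the "char[] over String" advice suggests, and is the trade-off to weigh when reading the linked GitHub discussion.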

0 Answers