
I wrote an application with Java Swing that requires the user to log in with their username and password before continuing. The application then sends an HTTP request to generate an access token.

I know that you shouldn't use the .getText method for a password field and should use the .getPassword method instead. Still, I need the password as a string in order to make an HTTP request (okhttp3) with the password value in the request body (which is a string). How can I manage the security then?

jonrsharpe
    I'm assuming `getPassword` returns a `char[]` instead of a `String` so that you can clear it later? In most cases, that's quite useless anyway. It only works if *every single place* that password goes is memory you have control over and can overwrite later. So if, like you're saying, the password needs to go into something that wants a `String`, there's no point in doing that any more. And it's not super-important anyway: You can only leak the password this way if another process gets access to your memory. If that happens, you have bigger problems. – Jorn Aug 17 '23 at 08:35
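
An added example, not part of the question or the comment above: one way to send the `char[]` from `getPassword` with okhttp3 without ever building a `String` from it. The form field names `username` and `password`, the class and method names, and the OkHttp 3.x `RequestBody.create(MediaType, byte[])` argument order are assumptions. OkHttp, Okio and the TLS layer still copy the bytes into buffers the caller cannot clear, which is the limitation the comment describes.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import okhttp3.*;

public final class LoginRequest {
    // Assumption: the token endpoint accepts a form-encoded body.
    private static final MediaType FORM = MediaType.parse("application/x-www-form-urlencoded");

    // Builds "username=...&password=..." as bytes; every password byte is percent-encoded.
    static byte[] formBody(String username, char[] password) {
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] prefix = ("username=" + URLEncoder.encode(username, StandardCharsets.UTF_8)
                + "&password=").getBytes(StandardCharsets.US_ASCII);
        byte[] body = Arrays.copyOf(prefix, prefix.length + 3 * utf8.remaining());
        int i = prefix.length;
        while (utf8.hasRemaining()) {
            int b = utf8.get() & 0xFF;
            body[i++] = '%';
            body[i++] = (byte) Character.forDigit(b >> 4, 16);
            body[i++] = (byte) Character.forDigit(b & 0xF, 16);
        }
        Arrays.fill(utf8.array(), (byte) 0); // wipe the intermediate UTF-8 copy
        return body;
    }

    // Sends the login request and wipes both arrays whether or not the call succeeds.
    static String fetchToken(OkHttpClient client, String url, String username, char[] password)
            throws IOException {
        byte[] body = formBody(username, password);
        try {
            Request request = new Request.Builder()
                    .url(url)
                    .post(RequestBody.create(FORM, body))
                    .build();
            try (Response response = client.newCall(request).execute()) {
                if (!response.isSuccessful()) throw new IOException("login failed: " + response.code());
                return response.body().string();
            }
        } finally {
            // Wipe only after execute(): the request body is read from this array when it is written.
            Arrays.fill(body, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }
}
```

From the Swing handler this would be called as `fetchToken(client, url, userField.getText(), passwordField.getPassword())`, off the event dispatch thread because `execute()` blocks.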
