6

I read several articles and posts about security regarding this (note "Comparing input password to stored hashed password in a web app" or "Why is char[] preferred over String for passwords?").

Since retrieving a parameter value from the request uses request.getParameter("passwordFieldName"), which returns a String, is there any option to retrieve a parameter from the request as a char[]?

  • possible duplicate of [In Java, how do I extract a password from a HttpServletRequest header without generating a String object?](http://stackoverflow.com/questions/15016250/in-java-how-do-i-extract-a-password-from-a-httpservletrequest-header-without-ge) – Raedwald May 01 '15 at 18:59

2 Answers

0

Unfortunately I know of no way.

The request parameters are already loaded, hopefully internally as reused byte[] or char[]. But then?

So maybe one should reimplement a bit of HTTP server? Not me.

You could, on the client side, split the password into more than one variable and encrypt them. Whether that is better?

If you do not trust your server platform, better use OpenID or another delegated authentication.

Joop Eggen
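The "reimplement a bit of HTTP server" idea from the answer above, worked through as an added example (not code from the answerer or from any servlet container): read the raw application/x-www-form-urlencoded body yourself and percent-decode only the one field you need straight into a char[], so no java.lang.String holding the password is ever created by your code. It assumes Java 9+ (for InputStream.readAllBytes and the ranged Arrays.equals) and a UTF-8 body; the byte[] sample body below is constructed for the demo and stands in for request.getInputStream(). The field name "passwordFieldName" is taken from the question.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Extracts one form field from a URL-encoded request body as a char[] without
 * ever materialising it as a String. Every intermediate byte[] is wiped before
 * the method returns, so the only surviving copy is the char[] handed back.
 *
 * Caveat: this only helps if nothing else (filters, frameworks, an earlier
 * getParameter() call) has already parsed the body into Strings, and reading
 * the stream yourself means getParameter() will not see the body afterwards.
 */
public class CharArrayParam {

    /** Returns the value of {@code name} as a char[], or null if the field is absent. */
    static char[] readParam(InputStream in, String name) throws IOException {
        byte[] body = in.readAllBytes();                 // in a servlet: request.getInputStream()
        byte[] key = name.getBytes(StandardCharsets.UTF_8);
        try {
            int start = 0;
            while (start <= body.length) {
                int end = indexOf(body, (byte) '&', start);   // end of this name=value pair
                if (end < 0) end = body.length;
                int eq = indexOf(body, (byte) '=', start);
                if (eq < 0 || eq > end) eq = end;             // pair without '=' has an empty value
                if (eq - start == key.length && Arrays.equals(body, start, eq, key, 0, key.length)) {
                    return decode(body, Math.min(eq + 1, end), end);
                }
                start = end + 1;
            }
            return null;
        } finally {
            Arrays.fill(body, (byte) 0);   // do not leave the whole body (password included) in the heap
        }
    }

    /** Percent-decodes raw[from, to) and UTF-8-decodes the result into a fresh char[]. */
    static char[] decode(byte[] raw, int from, int to) throws CharacterCodingException {
        byte[] bytes = new byte[to - from];
        int n = 0;
        for (int i = from; i < to; i++) {
            byte b = raw[i];
            if (b == '+') {
                bytes[n++] = ' ';
            } else if (b == '%') {
                if (i + 2 >= to) throw new IllegalArgumentException("truncated %-escape");
                int hi = Character.digit(raw[i + 1], 16), lo = Character.digit(raw[i + 2], 16);
                if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad %-escape");
                bytes[n++] = (byte) ((hi << 4) | lo);
                i += 2;
            } else {
                bytes[n++] = b;
            }
        }
        try {
            // CharsetDecoder yields a CharBuffer, not a String; copy it out and wipe its backing array.
            CharBuffer cb = StandardCharsets.UTF_8.newDecoder().decode(ByteBuffer.wrap(bytes, 0, n));
            char[] out = new char[cb.remaining()];
            cb.get(out);
            if (cb.hasArray()) Arrays.fill(cb.array(), '\0');
            return out;
        } finally {
            Arrays.fill(bytes, (byte) 0);
        }
    }

    static int indexOf(byte[] a, byte b, int from) {
        for (int i = from; i < a.length; i++) if (a[i] == b) return i;
        return -1;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body standing in for request.getInputStream(); "s3cr%26t+pw" decodes to "s3cr&t pw".
        byte[] sample = "user=alice&passwordFieldName=s3cr%26t+pw&remember=1".getBytes(StandardCharsets.US_ASCII);
        char[] pw = readParam(new ByteArrayInputStream(sample), "passwordFieldName");
        try {
            // Hand pw to a verifier that accepts char[] (e.g. PBEKeySpec); the expected literal here is test data only.
            System.out.println(Arrays.equals(pw, "s3cr&t pw".toCharArray()) ? "value matches" : "mismatch");
        } finally {
            Arrays.fill(pw, '\0');   // the char[] is the only copy; wipe it as soon as verification is done
        }
    }
}
```

This addresses only the copies your own code makes. As the answer notes, the container has already read the request into its own buffers, and whether those are reused byte[]/char[] or Strings depends on the server, so the gain is limited to shortening how long, and in how many places, the plaintext sits in the heap.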
-2

You can just use the String's method toCharArray to convert it into a char[].

String str = request.getParameter("passwordFieldName"); // the container hands back a String
char[] pwArr = str.toCharArray();                        // a new array; str itself stays on the heap until collected

See the docs for more info.

  • You can also use `getBytes(String charset)` to get the string as a `byte[]`. – thy_stack_overfloweth Aug 20 '13 at 15:03
  • 4
    str.toCharArray() returns a NEWLY allocated character array (see javadoc), therefore the String password str will be present anywhere in the system, in any thread dump/heap analyzer, until garbage collection, and that's what I'm trying to avoid – Jordi Martí Aug 20 '13 at 15:54
  • I believe the password will be present in all cases, since it will be in memory within the request on the server. No matter what you do, the string password will be present in memory somewhere. – thy_stack_overfloweth Aug 20 '13 at 16:10
  • fwiw Restlet seems to do it better according to this page: https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/. Note how the Basic Auth code (there's a link to Github there for the full code) gets the secret as a char[] and writes it to the headers as such, without an interim String being created anywhere. I'm using Jersey, not Restlet, but found this code while looking for answers – Rhubarb Sep 20 '17 at 09:15