6

I intend to use it in a spring bean as a static field, and init it inside a post construct method. A service class will inject this encryption bean and call a method exposed by it to encrypt a string using a cipher (javax.crypto.Cipher) (cipher will be initalized using the SecretKeySpec ).

Note: A new cipher instance will be fetched each time within the encrypt string method.

Edit: As @Savior noted, the field (SecretKeySpec) should not be denoted as static. If SecretKeySpec is thread safe then I will make it a bean in a configuration class and inject it into the encryption bean (marking it as a private final field and injecting it via constructor)

bobbyBo182
  • 63
  • 5
  • 1
    Could be similar: [Is Cipher thread-safe?](https://stackoverflow.com/questions/6957406/is-cipher-thread-safe) – akuzminykh May 29 '20 at 15:26
  • Side note: don't do _a spring bean as a static field_, and definitely don't do _init it inside a post construct method_. – Savior May 29 '20 at 15:28
  • @akuzminykh Appreciate the link to that post. Cipher is not thread safe, however I was wondering if the SecretKeySpec used to get a new instance of a cipher is. – bobbyBo182 May 29 '20 at 15:29
  • @Savior Apologies if the description was confusing. The spring bean is not the static field, the SecretKeySpec field inside the "encryption bean" will be marked as static. The init will be used to initialize the SecretKeySpec field of the bean. – bobbyBo182 May 29 '20 at 15:32
  • Yeah, no, that was clear. Don't do that. If Spring is managing all your injections, there's no reason for anything to be `static`. – Savior May 29 '20 at 15:33
  • @Savior Thank you for the feedback. If SecretKeySpec is thread-safe, then I can declare it as a bean in a configuration class and inject it into the encryption bean (marking SecretKeySpec as private final and injecting it via the constructor) – bobbyBo182 May 29 '20 at 15:36
  • 2
    Yes, SecretKeySpec is thread-safe, for the simple reason that it's immutable. – President James K. Polk May 29 '20 at 15:59
  • Thanks @PresidentJamesK.Polk – bobbyBo182 May 29 '20 at 17:31
  • 1
    @PresidentJamesK.Polk almost immutable, see my answer... there is the `Destroyable` interface... – Maarten Bodewes May 29 '20 at 19:13
  • @MaartenBodewes: Good catch, I missed that. – President James K. Polk May 29 '20 at 22:04

1 Answers1

10

Yes, it is. It's pretty easy to see why: there are no methods (bar one, see below) that change the state of a SecretKeySpec instance. In other words, the class is usually immutable, even if this is not specifically mentioned in the class description. Immutable classes are by definition thread safe. Actually, most if not all Key implementations are generally immutable.

There is one method that breaks the immutability (which I forgot about), and that's the newer Key.destroy() method. Don't worry though, that's not called by Cipher or any other function to my knowledge. Furthermore, the method is not implemented by SecretKeySpec (checked in the OpenJDK up to version 14).

As also noted in the comments, you should never put any dynamic information into static fields. Instead just share a reference otherwise.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263