String.valueOf()的实习
[英]Interning of String.valueOf()
问题描述
Whilst handling passwords in Java, its my understanding that they should always be handled in char[]'s to allow GC and remove hanging references. 
虽然在Java中处理密码,但我的理解是它们应该始终在char []中处理以允许GC并删除挂起的引用。
My question is would, 我的问题是,
char[] password = String.valueOf(authentication.getCredentials()).toCharArray();
Could the value of authentication.getCredentials() to be interned or not? 是否可以实现authentication.getCredentials()的值?
2 个解决方案
解决方案1
2 2015-09-30 08:47:11
It's not a question of interning the String, any security concerns around using Strings to store passwords arise from the amount of time they are present in memory. 这不是一个实现字符串的问题,使用字符串来存储密码的任何安全问题都源于它们在内存中存在的时间量。
With a char array you have the ability to wipe the contents once you've finished reading them. 使用char数组,您可以在阅读完内容后擦除内容。 With a String (which is immutable) you're left relying on the garbage collector, this means that if someone has access to your server and dumps the memory there may be password visible. 使用String(这是不可变的)你依赖垃圾收集器,这意味着如果有人访问你的服务器并转储内存,可能会有密码可见。
解决方案2
1 已采纳 2015-09-30 08:43:11
String.valueOf() doesn't intern Strings. String.valueOf()没有实习字符串。 The only way to intern Strings during runtime is with password.intern() . 在运行时实习生字符串的唯一方法是使用password.intern() 。
There's no need to use
char[] for passwords.
没有必要使用
Using char[]作为密码。
char[] allows you to clear the array directly after use, narrowing the attacker's timeframe to dump the memory and retrieve the plaintext password. 使用char[]允许您在使用后直接清除阵列,缩小攻击者的时间范围以转储内存并检索明文密码。
A String by itself is nothing special to the GC. 字符串本身对GC来说并不特别。 Interning affects it a bit, but in regular use you wouldn't encounter anything out of the ordinary. 实习会对它产生影响,但在常规使用中,您不会遇到任何异常情况。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.