堆栈内存溢出
  简体   繁体   English

使用Spark Java(webserver)从内存中删除敏感数据

[英]Removing sensitive data from memory when using Spark Java (webserver)

 原文  2016-04-16 18:58:36       java/ security/ web/ passwords/ spark-java

问题描述

I'm using SparkJava and I'm conserned when dealing with Passwords. 我正在使用SparkJava ,在处理密码时我很感到安慰。 The idea is to pass the password (in plain text) to the server (under https obviously), then hash and salt server side, and store the salt and hash on the server for the user. 这个想法是将密码(以纯文本形式)传递给服务器(显然是在https下),然后是哈希和盐服务器端,并将salt和hash存储在服务器上供用户使用。 However according to this post the plain text password should never be stored as a String in memory for security reasons. 但是,根据这篇文章 ,出于安全原因,绝不应将纯文本密码存储为内存中的String。

However when accessing the http protocol body from a POST request using SparkJava, the API returns a String, which has the plaintext password. 但是,当使用SparkJava从POST请求访问http协议体时,API会返回一个具有明文密码的String。 

Route post = (request, response) -> {
    String dataWithPassword = request.body();
    //     ^-- Stays in memory until GC kicks in 
}

How should I do to make sure that the plaintext password that was received from a client is not stored as a String serverside, so this might never be a potential security hole? 我该怎么做才能确保从客户端收到的明文密码不会存储为String服务器端,所以这可能永远不会成为潜在的安全漏洞? Or is there something else I can do to make sure that the memory is cleared and the plaintext password doesn't linger in memory? 或者我还能做些什么来确保内存被清除并且明文密码不会留在内存中?

1 个解决方案

解决方案1
 0  2016-04-17 14:51:53

The way you are doing it's already guaranteed that this password will never be stored in a file, like a server log. 你这样做的方式已经保证,这个密码永远不会存储在文件中,比如服务器日志。 But in Java there's no official way to clear the memory. 但在Java中,没有官方的方法可以清除内存。 There's nothing you can do to guarantee that the memory that holds the plain text password is cleared. 您无法保证清除保存纯文本密码的内存。 You could even set the reference dataWithPassword to null and call System.gc() which suggest that now is a good time to run the garbage collector, but it would not be guaranteed to get that memory cleared. 您甚至可以将引用dataWithPassword设置为null并调用System.gc(),这表示现在是运行垃圾收集器的好时机,但不能保证清除该内存。 I see that a possible security issue in your approach is to send the password in plain text from the client to the server, even by using https (I strongly not suggest this). 我发现您的方法中可能存在的安全问题是将密码以纯文本形式从客户端发送到服务器,即使使用https(我强烈建议不要这样做)。 The best thing you could do is to require the client o give you the password already encrypted, so that you wouldn't need to worry about this value in memory and you're going to get a lot more safety cause network sniffers and proxies would not now what the password is. 您可以做的最好的事情是要求客户端o给您已加密的密码,这样您就不必担心内存中的这个值,并且您将获得更多安全性,因为网络嗅探器和代理将会不是现在密码是什么。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 从树中删除节点时出现java内存问题 - java memory issues when removing nodes from a tree 使用 Spark 和 JAVA 从 HBase 读取数据 - read data from HBase by using Spark with JAVA 从Java程序存储/读取敏感数据 - Storing/Reading sensitive data from Java program 将敏感数据从C传递到Java - Passing sensitive data from C to Java Java-存储敏感数据 - Java - store sensitive data 当数据来自mySQL时,在Java中的Spinner中删除重复项 - Removing duplicates in a Spinner in java when data comes from mySQL Spark Java中的减去方法区分大小写 - subtract method in spark java is case sensitive 使用 SPARK 写入 CSV 时从字符串类型数据中删除双引号 - Removing Double Quotes from String type data while writing CSV using SPARK 使用Java生成Mongdb数据 - Spark mongdb data using Java 使用 java 对 spark 进行数据处理 - Data processing on spark using java
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM