
Re: passwords, Strings an

From "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this>
Subject Re: passwords, Strings an
Message-ID <a970g8j0k0y8$.dlg@kimmeringer.de> (permalink)
Newsgroups comp.lang.java.security
References <48c93561$0$25715$426a74cc@news.free.fr>
Date 2011-04-27 16:08 +0000
Organization TDS.net



  To: comp.lang.java.security
Fred wrote:

> I read indeed about the fact that Strings were special in Java. The 
> problem here is that I can't really figure out how to get rid of 
> Strings... :(

As I said. Assume that you can't.

> Reading the initial password (html -> servlet) is done through a String 
> (because getParameter gives its result in a String). Is there a way to 
> read an HttpServletRequest parameter without generating a String?

Not that I'm aware of but you can't answer that without knowing
what implementation of the Servlet-API you are using. That means,
you can avoid the creation of String by implementing your own
Servlet-API-implementation, e.g. by downloading Jetty and changing
the corresponding class.

> Besides this, after being read, the password is sent to a web service 
> via a method that awaits a String as parameter. The java sources for 
> accessing the web service are generated using WSDL2Java, and I'm not 
> sure that I'm able to tell that I'd rather use a character-array than a 
> String.

Using Axis you can change the generated stubs from String to
char[] and implement a Serializer and Deserializer that is
taking care of the correct handling.

On the other hand you might change the whole concept of
transferring passwords themselves and change to a challenge/response
system, where the password is used for encoding the challenge.
That way you don't have passwords as Strings in HTTP requests
and even if somebody can sniff the data transfer the password
is not revealed.

> So I guess here that, internally, in my servlet, I would be able to 
> manage/store the password as a character-array. But the problem is more 
> in all the communication around the servlet (html -> servlet and servlet 
> -> webservice) that imply the creation of Strings. :(
> 
> any solution?

Use a JVM-implementation that stores the Strings encrypted in
the memory ;-)


Best regards, Lothar
-- 
Lothar Kimmeringer                E-Mail: spamfang@kimmeringer.de
               PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
                 questions!
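
The challenge/response idea from the post above, as an added example that is not part of the original message: the password stays in a `char[]`, is turned into a key, and only a keyed digest of the server's random challenge is transmitted. PBKDF2 and HMAC-SHA256 are choices made for this sketch (the post names no algorithm), and the class name and sample password are constructed.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class ChallengeResponseDemo {
    // Derive an HMAC key from the password without ever building a String.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy held inside the spec
        }
    }

    // Response = HMAC-SHA256(key, challenge); only this value crosses the wire.
    static byte[] respond(byte[] key, byte[] challenge) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(challenge);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16];
        rng.nextBytes(salt);
        // Enrolment (constructed sample password): server keeps salt + derived key.
        char[] enrol = {'c','o','r','r','e','c','t','-','h','o','r','s','e'};
        byte[] serverKey = deriveKey(enrol, salt);
        Arrays.fill(enrol, '\0');
        // Login: server sends a fresh random challenge together with the salt.
        byte[] challenge = new byte[32];
        rng.nextBytes(challenge);
        // Client: password arrives as char[] (e.g. from Console.readPassword()).
        char[] typed = {'c','o','r','r','e','c','t','-','h','o','r','s','e'};
        byte[] clientKey = deriveKey(typed, salt);
        Arrays.fill(typed, '\0');
        byte[] response = respond(clientKey, challenge);
        Arrays.fill(clientKey, (byte) 0);
        // Server: recompute the expected response and compare in constant time.
        boolean ok = MessageDigest.isEqual(respond(serverKey, challenge), response);
        System.out.println("authenticated: " + ok);
    }
}
```

In this sketch the key stored on the server is password-equivalent, so it needs the same protection a stored password would. The challenge must be fresh and unpredictable for every login, otherwise a captured response can be replayed.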

