From: "Lothar Kimmeringer"
Subject: Re: passwords, Strings an
Newsgroups: comp.lang.java.security
References: <48c93561$0$25715$426a74cc@news.free.fr>
Date: Wed, 27 Apr 2011 16:08:35 GMT
Organization: TDS.net

Fred wrote:

> I read indeed about the fact that Strings were special in Java. The
> problem here is that I can't really figure out how to get rid of
> Strings... :(

As I said. Assume that you can't.

> Reading the initial password (html -> servlet) is done through a String
> (because getParameter gives its result in a String). Is there a way to
> read an HttpServletRequest parameter without generating a String?

Not that I'm aware of, but you can't answer that without knowing what
implementation of the Servlet-API you are using. That means you can
avoid the creation of String by implementing your own
Servlet-API-implementation, e.g. by downloading Jetty and changing the
corresponding class.

> Besides this, after being read, the password is sent to a web service
> via a method that awaits a String as parameter. The java sources for
> accessing the web service are generated using WSDL2Java, and I'm not
> sure that I'm able to tell that I'd rather use a character-array than a
> String.

Using Axis you can change the generated stubs from String to char[] and
implement a Serializer and Deserializer that takes care of the correct
handling. On the other hand you might change the whole concept of
transferring passwords themselves and change to a challenge/response
system, where the password is used for encoding the challenge. That way
you don't have passwords as Strings in HTTP-requests and even if
somebody can sniff the data-transfer the password is not revealed.

> So I guess here that, internally, in my servlet, I would be able to
> manage/store the password as a character-array. But the problem is more
> in all the communication around the servlet (html -> servlet and servlet
> -> webservice) that imply the creation of Strings. :(
>
> any solution?

Use a JVM-implementation that stores the Strings encrypted in the memory ;-)

Best regards, Lothar

--
Lothar Kimmeringer                E-Mail: spamfang@kimmeringer.de
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!
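The char[] handling and the challenge/response idea from the reply above, as an added example that is not code from Lothar's post, from Axis or from Jetty: the client derives an HMAC key from a char[] password (PBEKeySpec accepts char[] directly and can be wiped), answers a random server challenge with an HMAC over it, and both the key and the password buffer are zeroed afterwards; the server verifies with a constant-time compare. Class name, salt, iteration count and key length are constructed for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class ChallengeResponseDemo {
    private static final int ITERATIONS = 100_000;   // PBKDF2 cost, constructed value
    private static final int KEY_BITS = 256;

    /** Server side: a fresh random challenge for every login attempt. */
    static byte[] newChallenge() {
        byte[] c = new byte[32];
        new SecureRandom().nextBytes(c);
        return c;
    }

    /** Derive an HMAC key from a char[] password; PBEKeySpec takes char[] and can be wiped. */
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();            // zero the copy PBEKeySpec made
        }
    }

    /** Client side: prove knowledge of the password without ever transmitting it. */
    static byte[] respond(char[] password, byte[] salt, byte[] challenge) throws Exception {
        byte[] key = deriveKey(password, salt);
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(challenge);
        } finally {
            Arrays.fill(key, (byte) 0);
            Arrays.fill(password, '\0');     // the caller's char[] is wiped as well
        }
    }

    /** Server side: recompute from the stored derived key and compare in constant time. */
    static boolean verify(byte[] storedKey, byte[] challenge, byte[] response) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(storedKey, "HmacSHA256"));
        return MessageDigest.isEqual(mac.doFinal(challenge), response);
    }
}
```

Note that the server has to hold the derived key, which is a password-equivalent for this protocol and must be protected accordingly, and that the password still enters the servlet as a String via getParameter; the example only covers what happens after it has been copied into a char[].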