java - Issue establishing a database connection with a char array instead of a String -


as title says, i'm looking finding way use char[] array establish jdbc connection instead of creating new string object char[] array , using establish connection.

because char[] arrays more secure strings in java, i've been wanting keep things secure possible when dealing jpasswordfields.

in particular case, i'm taking char[] array contents of jpasswordfield , attempting establish jdbc connection database. works well, i'm having create new string object char[] array call getconnection method.

is there way ensure at-least security doing this, or forced create string object , continue on using in method?

this code:

/**  * construct new datamanager object it's own  * connection database.  *  * @param ipaddress ip address server on mysql running.  * @param port port use when connecting mysql.  * @param databasename database name of database connect to.  * @param username username mysql account access specified database.  * @param password password mysql account specified specified username.  */ public datamanager(final string ipaddress, final string port, final string databasename, final string username, final char[] password) throws classnotfoundexception, illegalaccessexception, instantiationexception, sqlexception {     class.forname("com.mysql.jdbc.driver").newinstance();     string url = "jdbc:mysql://" + ipaddress + ":" + port + "/" + databasename + "?noaccesstoprocedurebodies=true"; //?noaccesstoprocedurebodies=true required using stored procedures.     dbconnection = drivermanager.getconnection(url, username, new string(password)); }

sorry formatting, lines bit long , wrap.

here's java docs drivermanager class i'm using. i've checked , there doesn't seem method use char[] instead of string , that's prompted post.

thanks help/tips.

as @davids said in comments, i'm not sure using char[] more secure in meaningful way, did dig the drivermanager source see if possible use anyway.

if @ the getconnection() method you're using you'll see (along other parameter variations) collecting provided connection information in java.util.properties, string->string hash table. properties object passed needed driver on method that's defined part of long standing (and unlikely change) java.sql.driver interface, implementation of dependent on driver.

at point think have automatically assume somewhere either make copy of supplied password string or include in composition of bigger string, , can't rely on reflection go , clear out buffer. example, in postgresql jdbc driver, depending on authentication settings password may sitting out encoded byte[] , settings digest still possibly (i haven't looked extensively, , i'm not trying knock postgresql here) leave digest open being dug up.

even if no 1 ever made copy of password string , digest untouchable, still have worry fact there dangling references (through properties object) on driver's stack, , things might break in unexpected ways.

for better or worse, think we're pretty committed storing db passwords strings @ point, i'm not convinced it's big issue. don't think historical experience has been it's easier programmers securely manage life-cycle of sensitive objects opposed garbage collector. it'd nice if java gave way annotate object target more aggressive pruning, not necessary.

just writing post, had go through ~8 levels of method calls , object creation , wonder if password string short-lived enough being able manually wipe decrease attack surface area. think convenience ergonomics of java's db handling lets forget how going on behind scenes.


Comments

Post a Comment

Popular posts from this blog

toolbar - How to add link to user registration inside toobar in admin joomla 3 custom component -

im trying write component admin side , need add user creation. dont want duplicate existing codes add link. know how add task not simple link toolbar. thx help. if wanting button opens new user screen can try in component: $bar = jtoolbar::getinstance('toolbar'); $bar->appendbutton('link', 'users', 'new user','index.php?option=com_users&task=user.add'); you need add view.html.php file wherever you're creating toolbar. is need?
Read more

linux - disk space limitation when creating war file -

i have 1 gb disk space limitation hosting app , have used 700mb of it. however want create war file directory big (around 600mb) using command : jar -cvf root.war folderpath that's why encounter quota limitation , can't following. i'm looking way delete folder content when it's applying archive conserve disk space take note can't install zip tool in ssh shell ~ the code works on test directories, test first anyway, deletes files. it's not efficient. assumptions: 300mb free space, in destructively compress 600mb folderpath directory. none of files big -- if file in folderpath 300mb or larger, fail. notes: if ' $out ' file exists, nothing. first find pipes file list while , if ' $out ' doesn't exist in loop, create it, don't update -- if does exist, update it. each pass adds 1 more file, deletes unless file directory. after loop finishes delete empty directories too. unset u ; in=folderpath ; out=roo...
Read more

How to provide Authorization & Authentication using Asp.net, C#? -

Image
i have asp.net application in c#. i have provide page authorization specific user/usergroup. i have created 2 tables in database: 1) pagename 2)permissions[insert, update, view, delete] but i'm unable match tables , permissions assigning... can 1 please me, how created tables in database , how coding. please me. you can below explanation. configure access specific file , folder, set forms-based authentication. request page in application redirected logon.aspx automatically. in web.config file, type or paste following code. this code grants users access default1.aspx page , subdir1 folder . <configuration> <system.web> <authentication mode="forms" > <forms loginurl="login.aspx" name=".aspnetauth" protection="none" path="/" timeout="20" > </forms> </authentication> <!-- section denies access files in...
Read more