
PasswordEncoder takes/returns String and not char[], why?



shadangi
Feb 1st, 2010, 03:57 PM
According to the Javadoc for the PasswordEncoder interface (http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/encoding/PasswordEncoder.html) provided by Spring Security, the APIs take raw passwords as String and return String too.

According to the Java standards (please see this ref. (http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx) for details), we should not be storing passwords as String; rather, we should use char[]. In short, because Strings are immutable and stored in a string pool, they are not cleaned from memory unless the garbage collector is run.

This is a big deal for systems that worry about security breaches at the system level. I was just wondering whether the Spring Security designers are aware of this, and whether there is any work going on in this area for future versions. Also, is there any specific reason why they are Strings?

This is one of the reasons why we are skeptical about integrating with Spring Security, although it meets most of our other requirements.

Thanks in advance,
Abhishek.
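The following is an added example, not part of the post above and not Spring Security's own code. It shows the char[] discipline the JCE reference guide describes: the raw password is held only in a char[], handed to PBKDF2 through PBEKeySpec, and both the caller's array and the copy inside the spec are zeroed as soon as the derivation finishes. The class name, the hash format, the iteration count and the sample password are assumptions made for the example.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hypothetical char[]-based password hasher (example only, not Spring Security's API).
 * The raw password is never converted to a String: it stays in a char[] that is
 * wiped with Arrays.fill() once PBKDF2 has consumed it.
 */
public final class CharArrayPasswordHasher {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100_000;   // assumed work factor
    private static final int KEY_LENGTH_BITS = 256;
    private static final int SALT_BYTES = 16;

    private final SecureRandom random = new SecureRandom();

    /** Returns "base64(salt):base64(hash)". The caller's password array is zeroed. */
    public String hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);
        byte[] dk = derive(password, salt);
        return Base64.getEncoder().encodeToString(salt) + ":"
             + Base64.getEncoder().encodeToString(dk);
    }

    /** Constant-time check against a stored hash. The caller's password array is zeroed. */
    public boolean matches(char[] password, String stored) {
        String[] parts = stored.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = derive(password, salt);
        try {
            return MessageDigest.isEqual(expected, actual);
        } finally {
            Arrays.fill(actual, (byte) 0);
        }
    }

    private static byte[] derive(char[] password, byte[] salt) {
        // PBEKeySpec clones the array, so both copies must be cleared afterwards.
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();          // wipes the copy held by the spec
            Arrays.fill(password, '\0');   // wipes the caller's array
        }
    }

    public static void main(String[] args) {
        CharArrayPasswordHasher hasher = new CharArrayPasswordHasher();
        // Constructed sample input. Note that the String literal itself stays interned;
        // a real program would read the password with System.console().readPassword(),
        // which already returns a char[] and never creates a String.
        char[] pw = "correct horse battery staple".toCharArray();
        String stored = hasher.hash(pw);
        System.out.println("array after hash(): " + Arrays.toString(pw)); // all '\0'
        System.out.println("matches: " + hasher.matches("correct horse battery staple".toCharArray(), stored));
        System.out.println("wrong:   " + hasher.matches("wrong".toCharArray(), stored));
    }
}
```

Two caveats a practitioner should keep in mind. First, to plug a char[] into a String-based interface such as Spring's PasswordEncoder you would have to call `new String(password)`, which recreates exactly the immutable copy the JCE guide warns about, so the adapter would undo the benefit rather than add it. Second, even with char[] the window is reduced, not eliminated: a copying garbage collector can leave stale copies of the array behind in old heap regions, and a heap dump or swap file taken in that window can still contain them.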