>
> We just need to avoid using any method that accepts or returns a String in 
> StringBuilder,
> to avoid intermediate level Strings.


I believe you are well aware of why Strings and other sorts of
objects are discouraged for passwords and other valuable
information. It is simply so as not to retain any information anywhere in the heap or
other intermediate volatile memory. Arrays can be quickly garbage collected,
and that valuable information cannot be extracted again.

http://stackoverflow.com/q/8881291/4506140

Hope it helps :)

Regards,
Jude

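A resource method along the lines Ayoma describes, added here as an illustration and not code from this thread or from MSF4J: the password is sent as the bare request body, read from the InputStream straight into a char[] without any String being created, and zeroed in a finally block. The back-end call is assumed to take a char[] (modelled as a Predicate here); the path, media type and 256-character limit are my choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.Predicate;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/password")
public class PasswordValidationResource {
    private static final int MAX_PASSWORD_CHARS = 256;
    // Assumed back-end contract: it must accept char[] so no String is ever built.
    private final Predicate<char[]> backend;
    public PasswordValidationResource(Predicate<char[]> backend) {
        this.backend = backend;
    }
    // Body is the bare password; decoded into a char[] that is wiped before returning.
    @POST
    @Path("/validate")
    @Consumes(MediaType.TEXT_PLAIN)
    public Response validate(InputStream body) throws IOException {
        char[] password = readChars(body, MAX_PASSWORD_CHARS);
        try {
            return Response.ok(backend.test(password) ? "valid" : "invalid").build();
        } finally {
            Arrays.fill(password, '\0'); // wipe the only copy this code holds
        }
    }
    // Reads at most 'limit' chars and rejects longer bodies, so the service never
    // holds an unbounded buffer of secret material that would later need wiping.
    static char[] readChars(InputStream in, int limit) throws IOException {
        char[] buf = new char[limit + 1];
        int total = 0, n;
        try (InputStreamReader reader = new InputStreamReader(in, StandardCharsets.UTF_8)) {
            while (total < buf.length && (n = reader.read(buf, total, buf.length - total)) != -1) {
                total += n;
            }
        }
        if (total > limit) {
            Arrays.fill(buf, '\0');
            throw new IOException("password exceeds " + limit + " characters");
        }
        char[] password = Arrays.copyOf(buf, total);
        Arrays.fill(buf, '\0'); // the scratch buffer held a copy too
        return password;
    }
}
```

InputStreamReader's decoder and the HTTP transport still keep byte buffers of their own, so this removes the String copies the thread is concerned about but not every copy in the JVM.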

On Thu, Mar 23, 2017 at 3:42 PM, Ayoma Wijethunga <ay...@wso2.com> wrote:

> Yes. That seems to address the requirement.
>
> We can accept InputStream as a parameter and then use the input stream to
> read characters into a StringBuilder. I hope this was what you were
> suggesting and this is supported with MSF4J.
>
> We just need to avoid using any method that accepts or returns a String in 
> StringBuilder,
> to avoid intermediate level Strings.
>
> Best Regards,
> Ayoma.
>
> On Thu, Mar 23, 2017 at 3:17 PM, Thusitha Thilina Dayaratne <
> thusit...@wso2.com> wrote:
>
>> Hi All,
>>
>> AFAIU char[] is not compliant with either QueryParam or FormParam
>> according to [1]. Therefore from MSF4J (as a JAX-RS engine) IMHO we couldn't
>> support char[].
>> What if we use StringBuilder instead of String? Then we can delete the
>> StringBuilder as we want. WDYT?
>>
>> [1] - http://docs.oracle.com/javaee/7/api/javax/ws/rs/FormParam.html
>>
>> Thanks
>>
>> On Thu, Mar 23, 2017 at 3:10 PM, Denuwanthi De Silva <denuwan...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> I have a microservice which calls a password validation back end.
>>> For that, it passes the password as a microservice parameter.
>>>
>>> Due to security concerns we need to pass the password as a char array
>>> instead of a String [1].
>>>
>>> The password value is retrieved using a jQuery input field call and passed
>>> as a char array.
>>> Then it is passed to the microservice via an ajax call. But the
>>> microservice method params do not support the char[] type [1].
>>>
>>> Is there a way we can handle this without involving the String type at the
>>> intermediate level?
>>>
>>>
>>>
>>> [1]https://nvisium.com/blog/2016/03/31/secure-password-strings/
>>> [2]https://jersey.java.net/apidocs/2.7/jersey/javax/ws/rs/QueryParam.html
>>>
>>>
>>> Thanks,
>>> --
>>> Denuwanthi De Silva
>>> Senior Software Engineer;
>>> WSO2 Inc.; http://wso2.com,
>>> Email: denuwan...@wso2.com
>>> Blog: https://denuwanthi.wordpress.com/
>>>
>>
>>
>>
>> --
>> Thusitha Dayaratne
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> Mobile  +94712756809
>> Blog      alokayasoya.blogspot.com
>> About    http://about.me/thusithathilina
>>
>>
>
>
> --
> Ayoma Wijethunga
> Software Engineer
> Platform Security Team
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 (0) 719428123
> Blog : http://www.ayomaonline.com
> LinkedIn: https://www.linkedin.com/in/ayoma
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
