string - Executing a process in Java with a password
I have a process that needs to be run through Java and, unfortunately, a password needs to be given to the process in plain text.
Since the event is transient, and we are working behind massive firewalls, I am not worried about the password being transmitted to the subprocess like this. I am a little worried that the Process and ProcessBuilder classes take commands as String objects, not char[] arrays. So, I have to rely on the garbage collector to destroy the String objects at its discretion, allowing someone to possibly take a heap dump of the program later and get the password.
It's a remote possibility, but I am looking for:
- A better way to start the sub-process that does not use String objects, but char[]
- A way to ensure the String object is destroyed after it is used.
(Just to note, due to how the process takes in commands, submitting the password in the initial command is the way to interact with the sub-process -- see this: "Java seems to be sending carriage returns to a sub-process?" and the comments section in the original post.)
Note: the password is not going into the main() function via the command line. The password is collected using a Swing JPasswordField, then written into the ProcessBuilder command array.
Idea: I wonder if there is a way, through reflection, to get the private final char[] value of the String and erase it?
I pursued the idea of using reflection to erase the String.value parameter manually as a means of object destruction. I think due!
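    import java.lang.reflect.Field;
    import java.util.Arrays;

    // Overwrites the characters backing a String via reflection.
    // Relies on String keeping its data in a private char[] field named "value",
    // which holds on Java 8 and earlier; from Java 9 the field is a byte[].
    private void destroyMe(String destroyMe) {
        try {
            Field f = destroyMe.getClass().getDeclaredField("value");
            f.setAccessible(true);
            // Overwrite the existing array in place; assigning a new array
            // would leave the original characters on the heap.
            char[] value = (char[]) f.get(destroyMe);
            Arrays.fill(value, '*');
            f.setAccessible(false);
        } catch (IllegalArgumentException e) {
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (SecurityException e) {
            e.printStackTrace();
        } catch (NoSuchFieldException e) {
            e.printStackTrace();
        }
    }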
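An alternative to wiping a String after the fact, as an added example that is not part of the original post: keep the password as char[] (as JPasswordField.getPassword() returns it), encode it straight to bytes, write it to the child's standard input, and zero the buffers. It assumes the child can read the password from stdin; the class name, the sample password and the use of `cat` as a stand-in child (a Unix-like host, Java 9 or later) are assumptions for illustration.

```java
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CoderResult;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PasswordPipeExample {

    // Encodes the char[] to UTF-8 without ever creating a String, writes it
    // followed by a newline, then overwrites both buffers this method owns.
    static void writeSecret(char[] password, OutputStream out) throws Exception {
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
        // Size for the worst case so the encoder never reallocates and
        // leaves a partial copy of the secret in a discarded buffer.
        int cap = (int) Math.ceil(password.length * (double) enc.maxBytesPerChar());
        ByteBuffer buf = ByteBuffer.allocate(cap);
        try {
            CoderResult r = enc.encode(CharBuffer.wrap(password), buf, true);
            if (r.isError()) {
                r.throwException();   // e.g. an unpaired surrogate in the input
            }
            enc.flush(buf);
            buf.flip();
            out.write(buf.array(), 0, buf.remaining());
            out.write('\n');
            out.flush();
        } finally {
            Arrays.fill(buf.array(), (byte) 0);
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; a GUI would use JPasswordField.getPassword().
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};

        // Hypothetical child: "cat" stands in for a program reading from stdin.
        ProcessBuilder pb = new ProcessBuilder("cat");
        pb.redirectOutput(ProcessBuilder.Redirect.DISCARD);
        Process child = pb.start();
        // The stream returned by Process may keep its own buffered copy of the
        // bytes; that internal buffer is outside this code's control.
        try (OutputStream stdin = child.getOutputStream()) {
            writeSecret(password, stdin);
        }
        System.out.println("exit=" + child.waitFor()
                + " wiped=" + (password[0] == '\0'));
    }
}
```

Passing the secret on stdin also keeps it out of the child's argument list, which local process listings typically expose.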