...
This noncompliant code example reads login information from the console and stores the password as a String object. Because String objects are immutable, the program cannot overwrite the password once it has been read; the credentials remain exposed until the garbage collector reclaims the memory associated with the String objects.
class Password {
  /**
   * Noncompliant example: reads the credentials from the console and keeps
   * the password in a String, which this code never clears after use.
   *
   * @param args command-line arguments (unused)
   * @throws IOException declared for console I/O
   * @throws SecurityException if {@link #verify} rejects the credentials
   */
  public static void main(String[] args) throws IOException {
    Console console = System.console();
    if (console == null) {
      System.err.println("No console.");
      System.exit(1);
    }
    String login = console.readLine("Enter your user name: ");
    String password = console.readLine("Enter your password: ");
    if (!verify(login, password)) {
      throw new SecurityException("Invalid Credentials");
    }
    // ...
  }

  /** Placeholder credential check; accepts every login/password pair. */
  private static final boolean verify(String login, String password) {
    return true;
  }
}
...
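class Password {
  /**
   * Compliant example: reads the password into a char[] and clears it as soon
   * as it is no longer needed, so the secret does not linger in memory.
   *
   * @param args command-line arguments (unused)
   * @throws IOException declared for console I/O
   * @throws SecurityException if {@link #verify} rejects the credentials
   */
  public static void main(String[] args) throws IOException {
    Console c = System.console();
    if (c == null) {
      System.err.println("No console.");
      System.exit(1);
    }
    String login = c.readLine("Enter your user name: ");
    char[] password = c.readPassword("Enter your password: ");
    if (password == null) {
      // Console.readPassword returns null at end of stream; without this
      // check the Arrays.fill below would throw a NullPointerException.
      System.err.println("No password entered.");
      System.exit(1);
    }
    try {
      if (!verify(login, password)) {
        throw new SecurityException("Invalid Credentials");
      }
      // ...
    } finally {
      // Clear the password on every exit path, including the
      // SecurityException thrown above, so it never outlives its use.
      Arrays.fill(password, ' ');
    }
  }

  /** Placeholder credential check; accepts every login/password pair. */
  private static final boolean verify(String login, char[] password) {
    return true;
  }
}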
...