Sunday, 4 January 2009
Tomcat Does Not Love You
Java String objects are immutable, so you can't guarantee sensitive data is removed from memory if you put that sensitive data in a String object. Once data is in a String, it's up to the VM to deallocate the object and then put it back into play as something else, and that might happen sooner, later, or not at all.
That's why paranoid Java programmers don't put secrets (passwords, crypto keys) into String objects. Instead, they treat them as arrays of bytes or characters so they can manually zero out the juicy stuff. At first blush, it appears that Tomcat supports this level of paranoia in the org.apache.catalina.Realm interface:
public Principal authenticate(String username, byte[] credentials)
But the RealmBase class, the base class that everyone actually uses, just yanks the rug right out from under your feet:
org/apache/catalina/realm/RealmBase.java:
public Principal authenticate(String username, byte[] credentials) {

    return (authenticate(username, credentials.toString()));

}

Yup, that's right, it converts your credentials (read: password) from a byte array into a String. It would be unthinking for Tomcat to provide no way to authenticate without using a String, but providing an interface and then intentionally subverting it seems like calculated cruelty.
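For contrast, here is what the byte[] overload could have done: an added example, not Tomcat's code, of a hypothetical realm that compares a digest of the supplied bytes against a stored digest and zeroes the caller's array on every exit path, so the plaintext is never copied into an immutable String. The class name, the in-memory user map and the sample password are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Hypothetical realm (not Tomcat's): keeps only SHA-256 digests of passwords.
// Plain SHA-256 keeps the example short; a real deployment would use a
// salted, deliberately slow password hash instead.
public final class ByteArrayRealm {
    private final Map<String, byte[]> digests = new HashMap<>();

    public void addUser(String username, byte[] password) throws NoSuchAlgorithmException {
        digests.put(username, digest(password));
    }

    // The credential array is wiped in the finally block, so the plaintext
    // does not outlive this call. It is never turned into a String: neither
    // via new String(bytes) nor via toString(), which on an array yields
    // only the type and identity hash, not the contents.
    public boolean authenticate(String username, byte[] credentials) throws NoSuchAlgorithmException {
        byte[] computed = null;
        try {
            byte[] expected = digests.get(username);
            if (expected == null) {
                return false;
            }
            computed = digest(credentials);
            // MessageDigest.isEqual compares in constant time.
            return MessageDigest.isEqual(expected, computed);
        } finally {
            Arrays.fill(credentials, (byte) 0);
            if (computed != null) {
                Arrays.fill(computed, (byte) 0);
            }
        }
    }

    private static byte[] digest(byte[] input) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(input);
    }

    public static void main(String[] args) throws Exception {
        ByteArrayRealm realm = new ByteArrayRealm();
        // Constructed sample; in a server the bytes would come from the request buffer.
        byte[] stored = "correct horse".getBytes(StandardCharsets.UTF_8);
        realm.addUser("alice", stored);
        Arrays.fill(stored, (byte) 0); // caller wipes its own copy after enrolment
        byte[] attempt = "correct horse".getBytes(StandardCharsets.UTF_8);
        boolean ok = realm.authenticate("alice", attempt);
        // attempt has been zeroed by authenticate() regardless of the outcome
        System.out.println(ok + " " + Arrays.toString(attempt));
    }
}
```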
Posted by at 10:20 PM in Random