File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Security and the fly likes Questions for the authors of Java Coding GuideLines: Is the First Example secure Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "Questions for the authors of Java Coding GuideLines: Is the First Example secure" Watch "Questions for the authors of Java Coding GuideLines: Is the First Example secure" New topic
Author

Questions for the authors of Java Coding GuideLines: Is the First Example secure

Sean Sell
Greenhorn

Joined: Dec 12, 2006
Posts: 9
Gentleman, I realize that the question and answer period is over but I hope you are still around to enterain an additional question. I went out and purchased your book which arrived yesterday and it seems to me that the very first example violates the pricipal you are trying to demonstrate "Limit the Lifetime of Sensitive Data". Your "compliant solution" throws a security exception prior to clearing the password entered by the user. While your assumption may be that the password entered is not valid, in an actual authentication process many other things could prevent the authentication from happening which would result in the valid password potentially being left in memory. The most disturbing would be a denial of service attack against the authentication source in order to exploit this created vulnerability.

Is there some other protection afforded here that I am not concidering, I don't believe that garbage collection is immediate after an exception or that the Console.readPassword() method would help in this situation.

I'm hopeful that the rest of the book is valuable and the examples don't create exposures that I cannot pickup.

--Sean Sell
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Questions for the authors of Java Coding GuideLines: Is the First Example secure
 
Similar Threads
Authentication in JSF
Basic Authenication with SSL?
IIS Integrated Authentication + Tomcat Form-based (or basic) Authentication
Using Social Programming platform for identification and authentication
Issue with lookup