JavaRanch » Java Forums » Engineering » Security
Questions for the authors of Java Coding Guidelines: Is the first example secure?

Sean Sell
Greenhorn

Joined: Dec 12, 2006
Posts: 9
Gentlemen, I realize that the question and answer period is over, but I hope you are still around to entertain an additional question. I went out and purchased your book, which arrived yesterday, and it seems to me that the very first example violates the principle you are trying to demonstrate, "Limit the Lifetime of Sensitive Data". Your "compliant solution" throws a security exception prior to clearing the password entered by the user. While your assumption may be that the password entered is not valid, in an actual authentication process many other things could prevent the authentication from happening, which would result in the valid password potentially being left in memory. The most disturbing would be a denial of service attack against the authentication source in order to exploit this created vulnerability.

Is there some other protection afforded here that I am not considering? I don't believe that garbage collection is immediate after an exception, or that the Console.readPassword() method would help in this situation.

I'm hopeful that the rest of the book is valuable and the examples don't create exposures that I cannot pick up.

--Sean Sell
 
Don't get me started about those stupid light bulbs.
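The ordering problem Sean raises, shown as an added example written for this page (it is not the book's code and makes no claim about what the book's listing actually contains). `loginLeaky` clears the char[] only on the success path, so a bad password, or a backend that throws because it is unreachable (the denial-of-service case), leaves the plaintext in the heap; `loginSafe` puts the clear in a `finally` so it runs on every exit path. The `Verifier` interface, the exception types and the `"directory unreachable"` stand-in for an authentication source are all hypothetical, and the sample password is a constructed value standing in for `Console.readPassword()` so the program runs without a terminal.

```java
import java.util.Arrays;

public class PasswordLifetime {

    /** Hypothetical: thrown when the supplied credentials are rejected. */
    static final class AuthenticationException extends Exception {
        AuthenticationException(String msg) { super(msg); }
    }

    /** Hypothetical: thrown when the authentication source cannot be reached. */
    static final class BackendUnavailableException extends Exception {
        BackendUnavailableException(String msg) { super(msg); }
    }

    /** Hypothetical stand-in for a directory or database lookup. */
    interface Verifier {
        boolean verify(String user, char[] password) throws BackendUnavailableException;
    }

    // The pattern being questioned: the clear is reached only when verification succeeds.
    static void loginLeaky(String user, char[] password, Verifier v)
            throws AuthenticationException, BackendUnavailableException {
        if (!v.verify(user, password)) {             // may itself throw BackendUnavailableException
            throw new AuthenticationException("bad credentials"); // password still in memory
        }
        Arrays.fill(password, ' ');                   // never reached on either failure path
    }

    // Hardened form: the clear runs whether verify returns false, returns true, or throws.
    static void loginSafe(String user, char[] password, Verifier v)
            throws AuthenticationException, BackendUnavailableException {
        try {
            if (!v.verify(user, password)) {
                throw new AuthenticationException("bad credentials");
            }
        } finally {
            Arrays.fill(password, ' ');               // executes on every exit path
        }
    }

    /** True when every element of the buffer has been overwritten with the fill character. */
    static boolean isCleared(char[] buf) {
        for (char c : buf) {
            if (c != ' ') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed input in place of System.console().readPassword("Password: "),
        // which returns char[] for exactly this reason: a String could not be wiped.
        char[] pw = "constructed-sample-password".toCharArray();

        // Hypothetical backend that is down: models the denial-of-service scenario.
        Verifier down = (user, password) -> {
            throw new BackendUnavailableException("directory unreachable");
        };

        try {
            loginLeaky("alice", pw, down);
        } catch (Exception e) {
            System.out.println("leaky: " + e.getMessage() + ", cleared=" + isCleared(pw)); // cleared=false
        }

        pw = "constructed-sample-password".toCharArray();
        try {
            loginSafe("alice", pw, down);
        } catch (Exception e) {
            System.out.println("safe:  " + e.getMessage() + ", cleared=" + isCleared(pw)); // cleared=true
        }
    }
}
```

Two caveats apply to either version. Garbage collection does not zero freed memory, so an uncleared char[] stays readable in a heap dump or core file until something else overwrites it. And `Arrays.fill` is best effort: a copying collector may already have left an earlier copy elsewhere in the heap, and any code path that converts the char[] to a `String` (string concatenation in a log line, for instance) produces a copy that cannot be cleared at all.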