[Advanced-java] Sensitive Data -> String getParameter(String) Alternative

Nikolaos Giannopoulos nikolaos at solmar.ca
Fri May 2 17:12:00 2003


Jukka,

> -----Original Message-----
> From: advanced-java-bounces@lists.xcf.berkeley.edu
> [mailto:advanced-java-bounces@lists.xcf.berkeley.edu]On Behalf Of Jukka
>
> If you would tell me your real need, it would be easier to help you. "We"
> have built and handled inputs and outputs of servlet so many
> different ways.


What causes me to examine this is that if our payment gateway is down, card
data will queue up in memory until the gateway is back online.  Therefore it
is conceivable that in an infrequent - but realistic - scenario
multiple (String) card numbers will be dangling around - ineligible for
garbage collection.

If this weren't the case then I would most likely not even bother with this
issue at all.  By trying to get the card number as a char[] instead of as a
String at least I won't have easily identifiable card numbers floating
around in memory.

Earnest Friedman in an offline discussion suggested doing the following:

> You could call getParameter().toCharArray(), and use the char[]; the
> String then would be collectible immediately, right?

Which is probably the best workaround for the problem at hand.

If anyone has any other input or comments please feel free to jump in ;-)

Thanks,

--Nikolaos
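
A sketch of the queueing scenario discussed in this message, as an added example that is not part of the original post: card numbers are copied into a char[] with toCharArray(), held while the gateway is down, and overwritten once submitted. The names CardQueueDemo, PendingCard, Gateway and drain are hypothetical, and the card number is a constructed test value standing in for request.getParameter(...).

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Queue;

public class CardQueueDemo {
    /** One queued card number, kept as a char[] so it can be overwritten after use. */
    static final class PendingCard implements AutoCloseable {
        private final char[] pan;
        // The String itself is immutable and cannot be cleared; only this copy can.
        PendingCard(String param) { this.pan = param.toCharArray(); }
        char[] pan() { return pan; }
        @Override public void close() { Arrays.fill(pan, '\0'); }
    }

    /** Hypothetical gateway client: returns false while the gateway is offline. */
    interface Gateway { boolean submit(char[] pan); }

    /** Submits queued cards in order, wiping each one as soon as it is accepted. */
    static int drain(Queue<PendingCard> queue, Gateway gw) {
        int sent = 0;
        while (!queue.isEmpty()) {
            PendingCard card = queue.peek();
            if (!gw.submit(card.pan())) {
                break;            // gateway still down: leave the card queued
            }
            queue.remove();
            card.close();         // zero the char[] before dropping the reference
            sent++;
        }
        return sent;
    }

    public static void main(String[] args) {
        Queue<PendingCard> queue = new ArrayDeque<>();
        // Constructed test number; in a servlet this would be request.getParameter(...)
        queue.add(new PendingCard("4111111111111111"));
        PendingCard first = queue.peek();

        drain(queue, pan -> false);   // simulated outage
        System.out.println("queued during outage: " + queue.size());

        drain(queue, pan -> true);    // gateway back online
        System.out.println("queued after recovery: " + queue.size());
        System.out.println("buffer wiped: " + (first.pan()[0] == '\0'));
    }
}
```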