Hello,

recently a question came up that brought up an old question: how should the
password be represented in code?

Here is how it is now:

public class User extends FortEntity implements Constraint, Serializable
{
    private String userId;
    private char[] password;
…
}

I changed it to a char[] years ago due to perceived concerns wrt security, and 
the immutability of Strings staying resident in memory until GC’d.

But this creates difficulties when squirting into / out of XML in the Fortress REST
functions.  For example, here is how the password is sent over the wire:
> <FortRequest>
>     <contextId>HOME</contextId>
>     <entity xsi:type="user"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>        <userId>test</userId>
>        <password>112</password>
>        <password>97</password>
>        <password>115</password>
>        <password>115</password>
>        <password>119</password>
>        <password>111</password>
>        <password>114</password>
>        <password>100</password>
>     </entity>
>  </FortRequest>


which smells really bad.  I propose we change it back to a String, as the risk
is nominal and not worth the trouble.

Thoughts?

Shawn
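For reference, the per-character `<password>` elements above are what JAXB produces for any `char[]` field by default. The following is an added example, not Fortress code, showing an `XmlAdapter` that keeps the field a `char[]` in memory but marshals it as a single text node; `UserEntity`, `PasswordAdapter` and `clearPassword` are hypothetical stand-ins, and the block assumes JAXB (`javax.xml.bind`, as shipped with Java 8) is on the classpath.

```java
import java.io.StringWriter;
import java.util.Arrays;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Marshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.adapters.XmlAdapter;
import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;

// Hypothetical adapter: marshals char[] as one <password> text node instead of
// one element per character. The String created here lives until GC'd, which
// is exactly the trade-off discussed in the post; the adapter only fixes the
// wire format, it does not remove the transient String copy.
public class PasswordAdapter extends XmlAdapter<String, char[]> {
    @Override
    public String marshal(char[] v) { return v == null ? null : new String(v); }

    @Override
    public char[] unmarshal(String v) { return v == null ? null : v.toCharArray(); }
}

// Hypothetical stand-in for the User entity quoted in the post.
@XmlRootElement(name = "user")
class UserEntity {
    @XmlElement public String userId;

    @XmlElement
    @XmlJavaTypeAdapter(PasswordAdapter.class)
    public char[] password;

    // Overwriting the buffer once it is no longer needed is the one benefit
    // char[] has over String; without it the two representations are equivalent.
    public void clearPassword() {
        if (password != null) Arrays.fill(password, '\0');
    }
}

class Demo {
    public static void main(String[] args) throws Exception {
        UserEntity u = new UserEntity();
        u.userId = "test";
        u.password = "password".toCharArray();   // constructed sample value
        StringWriter out = new StringWriter();
        Marshaller m = JAXBContext.newInstance(UserEntity.class).createMarshaller();
        m.setProperty(Marshaller.JAXB_FRAGMENT, Boolean.TRUE);
        m.marshal(u, out);   // emits a single <password> element under <user>
        System.out.println(out);
        u.clearPassword();   // scrub the in-memory copy after use
    }
}
```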