On 11/10/16 at 16:17, Shawn McKinney wrote:
>> On Oct 10, 2016, at 12:31 PM, Kiran Ayyagari <[email protected]> wrote:
>>
>> +1 to change it to string. We can always explicitly mark that as "null"
>> after using it.
>>
>> (IMO if the attacker gained access to the OS then we have bigger
>> operational security issues than
>> implementation)
> Kiran, thanks for weighing in. I want to make sure I am understanding….
>
> So at the end of an operation, i.e. createSession ( User user ) we'd do
> something like this:
>
> user.setPassword(null);
That does not help. It just tells the GC 'you can discard the String', but it does not enforce this removal from memory.
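An added illustration of the point in the reply, written for this note and not taken from the thread or from the project's code base: the User class, createSession and authenticate below are stand-ins. With a char[] the buffer that holds the secret can be overwritten in place before the reference is dropped; with a String, nulling the reference leaves the characters in the heap until the GC reuses that memory.

```java
import java.util.Arrays;

// Hypothetical User type standing in for the one discussed in the thread.
final class User {
    private char[] password;
    public void setPassword(char[] password) { this.password = password; }
    public char[] getPassword() { return password; }
}

public final class SessionDemo {

    // Stand-in for createSession(User user): authenticates, then wipes the
    // secret in a finally block so it is cleared even when authenticate throws.
    static boolean createSession(User user) {
        char[] pw = user.getPassword();
        try {
            return authenticate(pw);
        } finally {
            // Overwrite the array that actually holds the characters.
            // user.setPassword(null) on its own only drops the reference;
            // it does not remove the contents from memory.
            if (pw != null) {
                Arrays.fill(pw, '\0');
            }
            user.setPassword(null);
        }
    }

    // Placeholder check; a real implementation would bind against the directory.
    private static boolean authenticate(char[] pw) {
        return pw != null && pw.length > 0;
    }

    public static void main(String[] args) {
        // Constructed sample. In real code obtain the char[] from a source that
        // never materializes a String (e.g. System.console().readPassword());
        // a String literal like this one stays in the intern pool regardless.
        char[] secret = "s3cr3t".toCharArray();
        User u = new User();
        u.setPassword(secret);
        boolean ok = createSession(u);
        // The caller's array was wiped in place: every element is now '\0'.
        boolean wiped = true;
        for (char c : secret) wiped &= (c == '\0');
        System.out.println("session ok=" + ok + " wiped=" + wiped);
    }
}
```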
