Tuesday, April 16, 2013

JIT compiler - Nice Idea

JIT Compiler: 

Taking the best of both worlds: the program is shipped as machine-independent bytecode, which the JVM first interprets, and the methods that turn out to be hot are compiled at run time into native code optimized for the actual target machine (the JIT can use run-time profiling data that an ahead-of-time compiler never sees). The one-time cost is the dynamic compilation itself; the translated code is cached, so afterwards the method runs natively instead of being interpreted again.

JDK vs JRE

JDK: The JDK includes the compiler (javac) and the other tools needed to develop Java applications, together with a JRE.
JRE: The JRE is a subset of the JDK (lighter weight). It contains the java launcher (java.exe on Windows) and the class libraries needed to run an already compiled Java application. Unlike the JDK, the JRE does not include development tools such as the compiler.
JDK vs JRE: The JDK is a superset of the JRE; it can be used to develop, compile and run Java applications. The JRE is only for running already compiled applications.

Monday, March 25, 2013

Why is char[] preferred over String for passwords?


1) Strings are immutable in Java. If you store a password in a String you cannot overwrite it afterwards: it stays in memory until the garbage collector reclaims it, and if the password is a literal it is interned in the String pool, where it lives for the lifetime of the class. Anyone who can obtain a memory dump (a heap dump, a core file, swapped-out pages) can then read the password in clear text. A char[] can be overwritten in place as soon as it is no longer needed.
2) Java itself recommends this: JPasswordField.getPassword() returns a char[], while getText(), which returned the password as a String, was deprecated for exactly this security reason.
3) With a String there is always a risk of printing the plain-text password to a log file or console. With an array, string concatenation calls the array's default toString(), which prints only the type and identity hash code, not the contents:
String strPwd = "Java1234";
char[] charPwd = new char[]{'J','a','v','a','1','2','3','4'};
System.out.println("String password: " + strPwd);
System.out.println("Character password: " + charPwd);
Output:
String password: Java1234
Character password: [C@52c8c6d9
(The part after the @ is an identity hash and varies between runs.) Note that this protects you only against concatenation and toString(): System.out.println(charPwd) without concatenation selects the println(char[]) overload and prints the characters, and String.valueOf(charPwd) creates a String copy of the password.
Final thoughts: using char[] by itself is not enough; you also need to erase the contents (for example with Arrays.fill(pwd, '\0')) once you are done, otherwise the array has the same lifetime problem as a String. Better still, work with a hashed (or, where reversibility is genuinely required, encrypted) form of the password instead of the plain text, and clear the plain text from memory as soon as authentication has completed. Even then the JVM may have copied the array while compacting the heap, so wiping narrows the window in which the password is recoverable rather than closing it completely.
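The following is an added example, not code from the original post, that carries the advice above through end to end with JDK classes only: the password is read as a char[], turned into a verifier with PBKDF2 (javax.crypto's PBEKeySpec takes the password as char[], so no String is ever created), compared in constant time, and wiped with Arrays.fill as soon as it is no longer needed. The class name, the iteration count, and the fallback attempt used when no terminal is attached are assumptions made for the example; the sample password is the constructed "Java1234" from the post.

```java
import java.io.Console;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (not from the original post): keep a password in a char[] from
 * input to verification and overwrite it afterwards. PBKDF2WithHmacSHA256 is the
 * JDK's built-in password-based KDF; the iteration count below is an assumed
 * value and should be tuned to the hardware.
 */
public class CharArrayPassword {

    private static final int ITERATIONS = 100_000; // assumption: tune for your hardware
    private static final int KEY_BITS = 256;

    /** Derive a verifier from the password without ever converting the char[] to a String. */
    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the chars; wipe that too
        }
    }

    /** Compare a candidate against the stored verifier in constant time, then wipe the temporary. */
    static boolean verify(char[] candidate, byte[] salt, byte[] storedVerifier)
            throws GeneralSecurityException {
        byte[] computed = derive(candidate, salt);
        try {
            return MessageDigest.isEqual(computed, storedVerifier); // not Arrays.equals: constant time
        } finally {
            Arrays.fill(computed, (byte) 0);
        }
    }

    /** True if every char in the buffer has been overwritten with NUL. */
    static boolean isWiped(char[] buffer) {
        for (char c : buffer) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Enrollment (hypothetical registration step): store salt + verifier, never the password.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        char[] enrolled = {'J', 'a', 'v', 'a', '1', '2', '3', '4'}; // constructed sample input
        byte[] storedVerifier = derive(enrolled, salt);
        Arrays.fill(enrolled, '\0'); // plain text no longer needed: overwrite it in place

        // Login: obtain the attempt as a char[].
        char[] attempt;
        Console console = System.console();
        if (console != null) {
            attempt = console.readPassword("Password: "); // returns char[], never a String
        } else {
            // No terminal attached (IDE, CI): constructed fallback. A literal like this is
            // exactly what the post warns against, because it sits in the String pool; it
            // is here only so the example runs unattended.
            attempt = "Java1234".toCharArray();
        }
        try {
            // "..." + attempt would print [C@..., not the characters; avoid
            // System.out.println(attempt) and String.valueOf(attempt), which expose them.
            System.out.println("Authenticated: " + verify(attempt, salt, storedVerifier));
        } finally {
            Arrays.fill(attempt, '\0'); // wipe as soon as authentication completes
        }
        System.out.println("Attempt buffer wiped: " + isWiped(attempt));
    }
}
```

Compile and run with javac CharArrayPassword.java && java CharArrayPassword; from a real terminal it prompts for the password without echo, otherwise it uses the constructed fallback. The wipe is best effort, as noted above: it clears the buffers this code controls, but cannot reach copies the garbage collector may already have made.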