Tuesday, May 3, 2011

How do I erase passwords from memory when using Username tokens with JBossWS?

I'm using JBoss Web Services for a payment service application. At some point I need to make remote SOAP calls to a payment service provider, and I need to authenticate with a Username token.

The only way I know how to do this with JBossWS is like this:

Map<String, Object> requestContext = ((BindingProvider)port).getRequestContext();
requestContext.put(BindingProvider.USERNAME_PROPERTY, "foobar");
requestContext.put(BindingProvider.PASSWORD_PROPERTY, "changeme");

But the problem here is that the "changeme" password is now in memory as a String object and I have no control over when, if ever, it will be garbage collected. If an attacker dumps memory at this point he can find the credentials.

Is there another way to make secure SOAP calls with JBossWS, where I can control how long a password remains in memory?

From stackoverflow
  • I'm pretty sure there isn't a way. Strings are immutable in Java, so you won't be able to rewrite the String. You could use a byte array to store the password, and that byte array could be rewritten. But you will probably have to convert it to a String at some point anyway ...

    On the other side, if an attacker has enough access to your machine to get a memory dump, then you are screwed anyway. If the attacker already has that much access, he can do pretty much whatever he wants ...
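The pattern the answer describes (hold the secret in an array you can wipe, create the String only for the call itself), as an added example that is not part of the original question or answer and not JBossWS code. It assumes `port` is a JAX-WS proxy implementing BindingProvider and `call` is the SOAP invocation to run; the String handed to the request context still cannot be erased, only unreferenced, and the JAX-WS stack may hold its own copies while building the UsernameToken.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.Callable;
import javax.xml.ws.BindingProvider;

// Added example: scopes credentials to a single SOAP call. The caller keeps
// the password as a char[] (e.g. from Console.readPassword()) and this helper
// guarantees it is zeroed afterwards, whatever the call does.
public final class ScopedCredentials {

    private ScopedCredentials() {}

    public static <T> T callWithCredentials(Object port, String username,
                                            char[] password, Callable<T> call)
            throws Exception {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        // BindingProvider.PASSWORD_PROPERTY requires a String; this copy is
        // immutable and lives until the garbage collector reclaims it.
        String pw = new String(password);
        try {
            ctx.put(BindingProvider.USERNAME_PROPERTY, username);
            ctx.put(BindingProvider.PASSWORD_PROPERTY, pw);
            return call.call();
        } finally {
            // Drop the context's references so the String becomes collectable
            // instead of living as long as the port proxy does ...
            ctx.remove(BindingProvider.USERNAME_PROPERTY);
            ctx.remove(BindingProvider.PASSWORD_PROPERTY);
            // ... and wipe the only copy we actually control.
            Arrays.fill(password, '\0');
        }
    }

    // Hypothetical usage: paymentPort and its method are placeholders.
    // char[] pw = System.console().readPassword("Password: ");
    // Receipt r = callWithCredentials(paymentPort, "foobar", pw,
    //         () -> paymentPort.charge(request));
}
```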
