Java 为什么JPasswordField.getPassword()创建一个包含密码的字符串?
Swing的方法返回一个char数组。我的理解是,数组可以在使用后立即归零,这样就不会让敏感的东西在内存中长时间挂起。旧的检索密码的方法是使用Java 为什么JPasswordField.getPassword()创建一个包含密码的字符串?,java,security,swing,passwords,Java,Security,Swing,Passwords,Swing的方法返回一个char数组。我的理解是,数组可以在使用后立即归零,这样就不会让敏感的东西在内存中长时间挂起。旧的检索密码的方法是使用getText(),它返回一个字符串对象,但已被弃用 所以,我的问题是,为什么Java在检索过程中使用getPassword()???更清楚地说,我在调试我的测试应用程序,做其他事情**,我跟着电话,砰的一声getText(),当然,已经创建了一个带有我的密码的字符串对象,现在它挂在内存中 自己试试看: public class PasswordTest(
getText()
,它返回一个字符串对象,但已被弃用
所以,我的问题是,为什么Java在检索过程中使用getPassword()
???更清楚地说,我在调试我的测试应用程序,做其他事情**,我跟着电话,砰的一声<调用了JPasswordField
中的code>getText(),当然,已经创建了一个带有我的密码的字符串对象,现在它挂在内存中
自己试试看:
public class PasswordTest() {
public static void main(String[] args) {
JFrame frame = new JFrame();
frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
JPasswordField passField = new JPasswordField();
pass.addActionListener(new ActionListener() {
public ActionPerformed(ActionEvent evt) {
char[] p = passField.getPassword(); // put breakpoint
// do something with the array
}
});
frame.add(passField);
frame.setVisible(true);
frame.pack();
}
}
后续问题:这种使用getText()
的“隐藏”用法是否有任何危险?当然,如果专用攻击者破坏了系统,它将获得您的密码,我指的是一个不太专用的攻击者;)
**我在寻找一种不使用
字符串
对象而在Swing组件上实际显示一些敏感数据的方法时遇到了这个问题。显然,除非我愿意重写Swing API的一部分(全部?),否则没有办法做到这一点。。不会发生。实际上,这里是getPassword()的Sun实现。
:
其中唯一的getText
是对的调用,该调用将字符直接复制到段的缓冲区中。没有正在那里创建的字符串
然后,将段
的缓冲区复制到返回值中,并在方法返回之前将其归零
换句话说:任何地方都没有额外的密码副本。只要您按照指示使用,它是完全安全的。Swing实现太复杂,无法手动检查。你需要测试
public class Pwd {
public static void main(String[] args) {
java.awt.EventQueue.invokeLater(new Runnable() {
public void run() {
new javax.swing.JFrame("Pwd") {{
add(new javax.swing.JPasswordField() {
@Override public String getText() {
System.err.println("Awoooga!!");
return super.getText();
}
{
addActionListener(
new java.awt.event.ActionListener() {
public void actionPerformed(
java.awt.event.ActionEvent event
) {
// Nice.
}
}
);
}
});
setDefaultCloseOperation(DISPOSE_ON_CLOSE);
pack();
setVisible(true);
}};
}
});
}
}
看起来像是(无意义)操作事件的命令字符串。也会有其他方式造成这种影响
一个模糊不清的现代虚拟机无论如何都会移动内存中的对象,所以清除char[]
不一定有效。好的,我的坏。。。当我看到对getText()的调用时,所有的铃声都开始响起,而没有注意到它实际上是由我用动作监听器引入的
PasswordTest$1.getText() line: 14
PasswordTest$1(JTextField).fireActionPerformed() line: not available
PasswordTest$1(JTextField).postActionEvent() line: not available
JTextField$NotifyAction.actionPerformed(ActionEvent) line: not available
SwingUtilities.notifyAction(Action, KeyStroke, KeyEvent, Object, int) line: not available
以下是使用的代码:
import java.awt.event.*;
import javax.swing.*;
public class PasswordTest {
public static void main(String[] args) {
JFrame frame = new JFrame();
frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
final JPasswordField passField = new JPasswordField() {
@Override
public String getText() {
System.err.println("Awhooa: " + super.getText()); //breakpoint
return null;
}
};
passField.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent evt) {
char[] p = passField.getPassword();
System.out.println(p);
}
});
frame.add(passField);
frame.setVisible(true);
frame.pack();
}
}
以下是控制台输出:
Awhooa: secret
secret
对于getPassword()的实际调用,可能我遗漏了什么,但段的缓冲区在哪里归零?我看到一个数组副本,但没有清零。返回的数组将由我自己归零,但段的数组仍然存在
import java.util.Arrays;
public class ZeroingTest {
public static void main(String[] args) {
char[] a = {'a','b','c'};
char[] b = new char[a.length];
System.arraycopy(a, 0, b, 0, b.length);
System.out.println("Before zeroing: " + Arrays.toString(a) + " " + Arrays.toString(b));
Arrays.fill(a, '\0');
System.out.println("After zeroing: " + Arrays.toString(a) + " " + Arrays.toString(b));
}
}
以及输出:
Before zeroing: [a, b, c] [a, b, c]
After zeroing: [?, ?, ?] [a, b, c]
(我在那里打了问号,因为我不能超过无法打印的字符)
-M
**我是在寻找一种不使用字符串对象而在Swing组件上实际显示一些敏感数据的方法时遇到这个问题的。显然,除非我愿意重写Swing API的一部分(全部?),否则没有办法做到这一点。。不会发生的
通过调用field.setEchoChar('\0')
,可以告诉JPasswordField
显示字符。这保留了JPasswordField
(无String
s,无剪切/复制)提供的其余保护。这对我很有用,可以帮助您构建字符串化密码:
String passText = new String(passField.getPassword());
import javax.swing.*;
公共类登录扩展了javax.swing.JFrame{
MainProg main=新的MainProg();
公共登录(){
初始化组件();
}
/**
*从构造函数中调用此方法来初始化表单。
*警告:不要修改此代码。此方法的内容始终为
*由表单编辑器重新生成。
*/
@抑制警告(“未选中”)
//
私有组件(){
jLabel1=newjavax.swing.JLabel();
jLabel2=newjavax.swing.JLabel();
txtUser=newjavax.swing.JTextField();
txtPassword=newjavax.swing.JTextField();
jButton1=newjavax.swing.JButton();
setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
setTitle(“登录”);
挫折背景(新java.awt.Color(255、204、204));
可设置大小(假);
jLabel1.setText(“用户名:”);
jLabel2.setText(“密码:”);
setBackground(新java.awt.Color(204204204204));
jButton1.setText(“输入”);
jButton1.setOpaque(false);
jButton1.addActionListener(新java.awt.event.ActionListener(){
public void actionPerformed(java.awt.event.ActionEvent evt){
jButton1ActionPerformed(evt);
}
});
javax.swing.GroupLayout=newjavax.swing.GroupLayout(getContentPane());
getContentPane().setLayout(布局);
layout.setHorizontalGroup(
createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addContainerGap()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.training)
.addComponent(jButton1)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING,false)
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel1)
.addGap(18,18,18)
.addComponent(txtUser,javax.swing.GroupLayout.PREFERRED_SIZE,210,javax.swing.GroupLayout.PREFERRED_SIZE))
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel2)
.addGap(20,20,20)
.addComponent(txtPassword)))
.addContainerGap(62,简称最大值))
);
layout.setVerticalGroup(
洛杉矶
String passText = new String(passField.getPassword());
import javax.swing.*;
public class login extends javax.swing.JFrame {
MainProg main = new MainProg();
public login() {
initComponents();
}
/**
* This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is always
* regenerated by the Form Editor.
*/
@SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">
private void initComponents() {
jLabel1 = new javax.swing.JLabel();
jLabel2 = new javax.swing.JLabel();
txtUser = new javax.swing.JTextField();
txtPassword = new javax.swing.JTextField();
jButton1 = new javax.swing.JButton();
setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
setTitle("Log In");
setBackground(new java.awt.Color(255, 204, 204));
setResizable(false);
jLabel1.setText("Username:");
jLabel2.setText("Password:");
jButton1.setBackground(new java.awt.Color(204, 204, 204));
jButton1.setText("Enter");
jButton1.setOpaque(false);
jButton1.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
jButton1ActionPerformed(evt);
}
});
javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
getContentPane().setLayout(layout);
layout.setHorizontalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addContainerGap()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING)
.addComponent(jButton1)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING, false)
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel1)
.addGap(18, 18, 18)
.addComponent(txtUser, javax.swing.GroupLayout.PREFERRED_SIZE, 210, javax.swing.GroupLayout.PREFERRED_SIZE))
.addGroup(layout.createSequentialGroup()
.addComponent(jLabel2)
.addGap(20, 20, 20)
.addComponent(txtPassword))))
.addContainerGap(62, Short.MAX_VALUE))
);
layout.setVerticalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addContainerGap()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jLabel1)
.addComponent(txtUser, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE))
.addGap(18, 18, 18)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jLabel2)
.addComponent(txtPassword, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addComponent(jButton1)
.addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
);
pack();
}// </editor-fold>
private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
String U = new String(this.txtUser.getText());
String P = new String(this.txtPass.gettext());
if(U.equals("Admin") && P.equals(Password))
{
JOptionPane.showMessageDialog(null,"Login successful!","Message",JOptionPane.INFORMATION_MESSAGE);
this.hide();
calculator.show();
}
else
{
JOptionPane.showMessageDialog(null,"Invalid username and password","Message",JOptionPane.ERROR_MESSAGE);
this.txtUser.setText("");
this.txtPassword.setText("");
}
}
/**
* @param args the command line arguments
*/
public static void main(String args[]) {
/*
* Set the Nimbus look and feel
*/
//<editor-fold defaultstate="collapsed" desc=" Look and feel setting code (optional) ">
/*
* If Nimbus (introduced in Java SE 6) is not available, stay with the
* default look and feel. For details see
* http://download.oracle.com/javase/tutorial/uiswing/lookandfeel/plaf.html
*/
try {
for (javax.swing.UIManager.LookAndFeelInfo info : javax.swing.UIManager.getInstalledLookAndFeels()) {
if ("Nimbus".equals(info.getName())) {
javax.swing.UIManager.setLookAndFeel(info.getClassName());
break;
}
}
} catch (ClassNotFoundException ex) {
java.util.logging.Logger.getLogger(login.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
} catch (InstantiationException ex) {
java.util.logging.Logger.getLogger(login.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
} catch (IllegalAccessException ex) {
java.util.logging.Logger.getLogger(login.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
} catch (javax.swing.UnsupportedLookAndFeelException ex) {
java.util.logging.Logger.getLogger(login.class.getName()).log(java.util.logging.Level.SEVERE, null, ex);
}
//</editor-fold>
/*
* Create and display the form
*/
java.awt.EventQueue.invokeLater(new Runnable() {
public void run() {
new login().setVisible(true);
}
});
}
// Variables declaration - do not modify
private javax.swing.JButton jButton1;
private javax.swing.JLabel jLabel1;
private javax.swing.JLabel jLabel2;
private javax.swing.JTextField txtPassword;
private javax.swing.JTextField txtUser;
// End of variables declaration
}
String.valueOf(txtPass.getPassword())