While looking at the Spring Security DaoAuthenticationProvider implementation, I noticed that credentials are stored as Strings, as in the example below:
String presentedPassword = authentication.getCredentials().toString();
that can be found here: https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authentication/dao/DaoAuthenticationProvider.java#L75
From what I've learned, a good practice is to handle passwords as byte arrays due to String immutability. Is there something I am not aware of regarding String security in Java?
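The practice the question refers to, shown as an added example (this is not Spring Security's code nor the question's author's): the JDK's own password-taking API, javax.crypto.spec.PBEKeySpec, accepts a char[] rather than a String precisely so the password can be zeroed after use, and the same trick of wrapping the array in a CharBuffer lets it be passed to any CharSequence-taking method without ever materialising a String. The iteration count, key size, salt generation and the literal sample password are assumptions made for the demo.

```java
import java.nio.CharBuffer;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not Spring Security code: keep the password in a char[] so
 * that every mutable copy can be zeroed once the hash is computed. A String
 * made from the same password cannot be cleared by any API and stays in the
 * heap until the garbage collector reclaims it.
 */
public final class WipeablePasswordDemo {

    // Assumptions for the demo only; tune for a real deployment.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /**
     * Derives a PBKDF2-HMAC-SHA256 key from the password. The caller's char[]
     * and PBEKeySpec's internal copy are zeroed in the finally block, whether
     * derivation succeeds or throws.
     */
    public static byte[] deriveKey(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        // PBEKeySpec takes char[] (not String) for exactly this reason: it can be wiped.
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();         // zeroes the copy PBEKeySpec made
            Arrays.fill(password, '\0');  // zeroes the caller's array
        }
    }

    /** True when every element of the array has been zeroed. */
    public static boolean isWiped(char[] password) {
        for (char c : password) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample input. In real code this would come straight from
        // Console.readPassword() as a char[]; the literal here exists only for the
        // demo (and, being a literal, it also sits in the string pool).
        char[] password = "correct horse battery staple".toCharArray();

        byte[] key = deriveKey(password, salt);
        System.out.println("key length: " + key.length + " bytes");         // 32
        System.out.println("password wiped after use: " + isWiped(password)); // true

        // A char[]-backed CharBuffer is a CharSequence, so an API that accepts
        // CharSequence can be fed without creating a String from the password.
        char[] again = "correct horse battery staple".toCharArray();
        CharSequence view = CharBuffer.wrap(again);
        String copy = view.toString();   // what getCredentials().toString() does
        Arrays.fill(again, '\0');        // the array is wiped ...
        System.out.println("view sees only NULs: " + view.chars().allMatch(c -> c == 0)); // true
        System.out.println("String copy survives: " + copy);                              // ... the String does not
    }
}
```

Compile with `javac WipeablePasswordDemo.java` and run with `java WipeablePasswordDemo`. The wipe is best effort: the garbage collector may already have moved the array during heap compaction, leaving a stale copy behind, and any String built from it (including a literal in the pool) is beyond your control. What the char[] route buys you is that the copies you do control are gone as soon as you no longer need them, instead of lingering until GC and possibly appearing in a heap dump or swap.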