Java string compiles

Question

Java string compiles

I am writing an application that uploads files using FTP. The code is as follows:

String username = "username"; String password = "password";

But after compilation, I can see the files in .class. The compiled code is as follows:

 \00username\00password

So, the problem is that I can see the password and login in the compiled code. I think this is not good. How can I compile java strings in bytecode?

+4

java string compilation

timofeiMih Jan 16 '13 at 10:38

source share

4 answers

Alex DiCarlo · Answer 1 · 2013-01-16T22:47:21+0000

There is no such thing as compiling a string literal for bytecode. However, there is a byte representation of String, however, as you have noticed, most text viewers will translate this representation of the byte into its normal ascii / unicode representation. In any case, saving even the obfuscation of the username / password is a security risk and should never be performed.

In order to safely store the username / password, you must access it from an external protected file, and not hardcode it into the program.

Sebastien lorber · Answer 2 · 2013-01-16T23:03:42+0000

Dicarlo2 said:

For reliable storage of the username / password, you must access it from an external protected file, and not hard code it into the program.

This is still better than hardcoding in Java code, but you may need to know that Strings are interned in the String pool, which could also be a security issue.

This is why Console.readPassword returns a char array instead of a string. http://docs.oracle.com/javase/tutorial/essential/io/cl.html

Secondly, readPassword returns an array of characters, not a string, so the password can be overwritten by deleting it from memory as soon as it is no longer needed.

But in real applications, passwords are often used as strings.

Rostam · Answer 3 · 2013-01-16T22:49:20+0000

You need to save the password as an encrypted value. Each access to a password-protected instance will use an encrypted password, as well as a decryption algorithm and a key, of course. Then you will not have a password in the compiled file. It is very bad to have it.

Mathsquared · Answer 4 · 2013-01-16T22:50:56+0000

Do not print hard password codes if they are not encrypted, etc.

If you want to ask the user for a password on the command line, you can use this method hosted on SO. For Swing GUI, use JPasswordField .

Hope this helps!

Java string compiles

More articles: