0 Replies Latest reply: Oct 1, 2012 9:10 AM by ManojBandarupally

Secure password in Java while connecting to WebLogic server

ManojBandarupally Newbie
The code below gets the username and password:
    
    String username = getUserName(someParams); // CSF API
    char[] password = getPassword(someParams); // CSF API
    String url      = "t3://localhost:9001";

Now, I have to connect to the WebLogic server by using WLSTInterpreter and providing the username, password and url:

    org.python.util.InteractiveInterpreter interpreter = new weblogic.management.scripting.utils.WLSTInterpreter();
    StringBuffer buffer = new StringBuffer();
    buffer.append("connect('" + username + "','");
    buffer.append(password); // copies the char[] contents into the buffer
    buffer.append("','" + url + "')"); // closes the connect(...) call
    interpreter.exec(buffer.toString()); // the password is now inside an immutable String
    // code here to empty out the password char array //
    // can not delete/clear up the memory of string object created by toString //

The issue here is: when buffer.toString() is called, a new String object is created, and the reference variable belongs to the exec method. So eventually the password is part of this string, which is immutable, and that is kind of a security issue compared to when it is stored in a char array.

How can we solve this? I know there is a concept of key/config files in WebLogic, as explained here: http://docs.oracle.com/cd/E24329_01/web.1211/e24491/using_wlst.htm#autoId10 but that is not a desired solution for this reason: key/config files have to be created outside of this Java program (probably using a Jython script), as the same issue of the password in a string persists.
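
An added example, not part of the original post and not Oracle code: one way to narrow the exposure described above is to assemble the command in a single, exactly sized char[] that is wiped afterwards, so the String handed to exec is the only copy that cannot be cleared. The class and method names are hypothetical, the Consumer<String> stands in for interpreter::exec so the code runs without WebLogic on the classpath, and the username and url are assumed to be non-secret and free of quote characters.

```java
import java.util.Arrays;
import java.util.function.Consumer;

public class WipedConnect {
    // Assemble connect('user','pw','url') in one exactly sized char[]; a
    // StringBuffer can leave stale internal copies behind when it grows.
    static char[] build(String user, char[] pw, String url) {
        char[] head = ("connect('" + user + "','").toCharArray();
        char[] tail = ("','" + url + "')").toCharArray();
        int extra = 0;                       // room for backslash escapes
        for (char c : pw) if (c == '\'' || c == '\\') extra++;
        char[] cmd = new char[head.length + pw.length + extra + tail.length];
        int i = head.length;
        System.arraycopy(head, 0, cmd, 0, head.length);
        for (char c : pw) {                  // escape ' and \ for the Python literal
            if (c == '\'' || c == '\\') cmd[i++] = '\\';
            cmd[i++] = c;
        }
        System.arraycopy(tail, 0, cmd, i, tail.length);
        return cmd;
    }

    // exec stands in for interpreter::exec, which only accepts a String.
    static void run(Consumer<String> exec, String user, char[] pw, String url) {
        char[] cmd = build(user, pw, url);
        try {
            exec.accept(new String(cmd));    // the one copy that cannot be wiped
        } finally {
            Arrays.fill(cmd, '\0');          // clear our command buffer
            Arrays.fill(pw, '\0');           // clear the caller's password
        }
    }

    public static void main(String[] args) {
        char[] pw = "pa'ss\\w0rd".toCharArray();   // constructed sample value
        run(s -> System.out.println(s.length() + " chars passed to exec"),
            "weblogic", pw, "t3://localhost:9001");
        System.out.println("password wiped: " + (pw[0] == '\0'));
    }
}
```

The String created for exec still lives until garbage collection, so this limits the number of uncleared copies to one rather than eliminating them.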
