0 Replies Latest reply: Oct 1, 2012 11:10 AM by ManojBandarupally

    Secure password in java while connecting to weblogic server

      The below code will get the username and password
          String username = getUserName(someParams); // CSF API
          char[] password = getPassword(someParams); // CSF API
          String url      = "t3://localhost:9001";
      Now, I have to connect to the weblogic server by using WLSTInterpreter and providing username, password, url
          org.python.util.InteractiveInterpreter interpreter = new weblogic.management.scripting.utils.WLSTInterpreter();
          StringBuffer buffer = new StringBuffer();
          buffer.append("connect('" + username + "','");
          buffer.append(password); // the char[] contents are copied into the buffer
          buffer.append("','" + url + "')");
          interpreter.exec(buffer.toString()); // toString() creates an immutable String holding the password
          // code here to empty out the password char array //
          // cannot delete/clear up the memory of string object created by toString //
      The issue here is: when buffer.toString() is called, a new String object is created and the reference variable is of the exec method's. So eventually the password is part of this string, which is immutable and is kind of a security issue compared to when stored in a char array.

      How can we solve this? I know there is a concept of key/config files in weblogic as explained here: http://docs.oracle.com/cd/E24329_01/web.1211/e24491/using_wlst.htm#autoId10 but that is not a desired solution for the reason: key/config files have to be created outside of this Java program (probably using a jython script), as the same issue of password in string persists.
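
      An added example, not part of the original post: a stand-alone Java illustration of the three copies of the password that the snippet above creates (the char[], the StringBuffer contents, and the String returned by toString()) and which of them the program can overwrite. The class name, the wipe helper and the sample credentials are constructed for illustration, and no WebLogic classes are used.

```java
import java.util.Arrays;

public class PasswordCopies {
    // Best-effort wipe: overwrite every character in the buffer, then truncate it.
    static void wipe(StringBuffer sb) {
        for (int i = 0; i < sb.length(); i++) {
            sb.setCharAt(i, '\0');
        }
        sb.setLength(0);
    }

    public static void main(String[] args) {
        // Constructed sample values; the post obtains these from its credential store API.
        String username = "weblogic";
        char[] password = "S3cret-constructed".toCharArray(); // copy 1: char[]
        String url = "t3://localhost:9001";

        // Pre-size the buffer so it is not reallocated while it holds the password;
        // a reallocation would leave the old backing array, unwiped, on the heap.
        StringBuffer buffer = new StringBuffer(256);
        buffer.append("connect('").append(username).append("','");
        buffer.append(password);                          // copy 2: StringBuffer contents
        buffer.append("','").append(url).append("')");

        // Any API that takes a String argument forces this step.
        String command = buffer.toString();               // copy 3: immutable String

        Arrays.fill(password, '\0');                      // copy 1 can be overwritten
        wipe(buffer);                                     // copy 2 can be overwritten

        System.out.println("char[] wiped:   " + (password[0] == '\0'));
        System.out.println("buffer length:  " + buffer.length());
        // Copy 3 cannot be overwritten by the program; it stays in the heap
        // until the garbage collector reclaims it.
        System.out.println("String intact:  " + command.contains("S3cret-constructed"));
    }
}
```

      The three lines printed are `true`, `0` and `true`: the first two copies are cleared, while the String handed to a String-only API still contains the password.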