使用 JDBC 时密码的字符串或字符 []?

2022-01-12 00:00:00 string char passwords jdbc java

这是从安全的角度出发的.最佳实践是不要使用字符串来存储密码,而是使用 char[].这是否适用于任何时候使用密码?例如,使用 JDBC 时是否可以使用 String 来保存密码?

This comes from a security point of view.Best practice says not to use a String to store a password, but a char[]. Does this apply to using a password at any time? For example, it is acceptable to use a String to hold a password when using JDBC?

public final void Login(String username, String password){
...
conn = DriverManager.getConnection(url, username, password);
...
}

或者这里可以使用 char[] 来代替字符串吗?

Or could a char[] be used here in place of the String?

推荐答案

我不知道我是否接受你的前提,即 char [] 在 a 的上下文中比 String 更安全系统资源(例如 JDBC 数据库连接).无论如何,您都可以使用连接管理器(或连接池,以适合您的容器为准),然后连接管理器(并且只有连接管理器)可以看到底层数据库用户名/密码.

I don't know that I accept your premise that a char [] is more secure than a String in the context of a system(s) resource (e.g. JDBC database connection). Regardless, you can use a connection manager (or connection pool, whichever is appropriate to your container) and then the connection manager (and only the connection manager) has visibility to the underlying databse username / password.

相关文章