It has been observed in several cases that custom Java code written for OIM (adapters, event handlers, UI code, schedulers, etc.) holds passwords as String values. If a password is stored as a java.lang.String, it sits in memory as clear text and stays there at least until it is garbage collected; because String is immutable, the code cannot wipe it any earlier. A code reviewer will always reject such code if they find a password held as a java.lang.String.
The GuardedString class eliminates this problem by keeping the password characters in memory in encrypted form, under a randomly generated key. In its serialized form, a GuardedString is encrypted with a known default key; this provides a minimum level of protection regardless of the transport. For communications with the Remote Connector Framework, it is recommended that deployments enable SSL for true encryption.
In this example I will explain how you can use GuardedString in OIM custom code.
GuardedString is a member of the org.identityconnectors.common.security package and can be found in framework-1.3.2.jar, so you have to add framework-1.3.2.jar to your Java project as a library.
The code sample below shows how to store a String password in a GuardedString.
import org.identityconnectors.common.security.GuardedString;
String password = "abcd1234"; // only for the sample; in real code the password should never pass through a String
char[] passwordToChar = password.toCharArray();
GuardedString guardedPassword = new GuardedString(passwordToChar); // copies and encrypts the characters
java.util.Arrays.fill(passwordToChar, '\0'); // wipe our own clear-text copy; the GuardedString keeps its own encrypted copy
The code sample below shows how to retrieve the password from the GuardedString.
guardedPassword.access(new GuardedString.Accessor() {
  @Override
  public void access(char[] clearChars) {
    // clearChars holds the clear-text password only for the duration of this callback.
    System.out.print("String password: ");
    System.out.println(clearChars); // print the password without wrapping it in a String.
  }
});
guardedPassword.dispose(); // dispose the GuardedString after use.
It is always better to dispose of the GuardedString by calling dispose() once the authentication operation is done; this clears the encrypted bytes from memory.
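As an added example (not code from the original post, nor from OIM or the connector framework), the class below puts the two snippets together: it builds the GuardedString from a char[], wipes the caller's copy, compares the guarded value against an expected char[] inside the Accessor callback without ever creating a String, and disposes the GuardedString in a finally block. The class name GuardedPasswordDemo and the helper methods guard, matches and toBytes are assumptions of this example; the sample password value is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

import org.identityconnectors.common.security.GuardedString;

// Hypothetical helper class for this example; not part of OIM or the connector framework.
public final class GuardedPasswordDemo {

    /** Wraps a password in a GuardedString and wipes the caller's char[] afterwards. */
    public static GuardedString guard(char[] clearChars) {
        try {
            // GuardedString copies the characters into its own encrypted buffer,
            // so our clear-text copy can be zeroed as soon as the constructor returns.
            return new GuardedString(clearChars);
        } finally {
            Arrays.fill(clearChars, '\0');
        }
    }

    /** Compares the guarded password with expected characters without creating a String. */
    public static boolean matches(GuardedString guarded, final char[] expected) {
        final boolean[] result = new boolean[1];
        guarded.access(new GuardedString.Accessor() {
            @Override
            public void access(char[] clearChars) {
                // clearChars is valid only inside this callback; never store or copy it elsewhere.
                byte[] a = toBytes(clearChars);
                byte[] b = toBytes(expected);
                try {
                    // MessageDigest.isEqual runs in constant time for equal-length inputs,
                    // so the comparison does not leak how many leading bytes matched.
                    result[0] = MessageDigest.isEqual(a, b);
                } finally {
                    Arrays.fill(a, (byte) 0);
                    Arrays.fill(b, (byte) 0);
                }
            }
        });
        return result[0];
    }

    /** UTF-8 encodes a char[] into a fresh byte[] and wipes the intermediate buffer. */
    private static byte[] toBytes(char[] chars) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0); // do not leave a second copy of the password behind
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample value; in OIM code the characters would come from a char[]-based source.
        char[] fromInput = {'a', 'b', 'c', 'd', '1', '2', '3', '4'};
        GuardedString guarded = guard(fromInput); // fromInput is all zeros after this call
        try {
            char[] right = {'a', 'b', 'c', 'd', '1', '2', '3', '4'};
            char[] wrong = {'w', 'r', 'o', 'n', 'g'};
            System.out.println("matches correct value:   " + matches(guarded, right)); // true
            System.out.println("matches incorrect value: " + matches(guarded, wrong)); // false
            Arrays.fill(right, '\0');
            Arrays.fill(wrong, '\0');
        } finally {
            guarded.dispose(); // clears the encrypted bytes; the object must not be used after this
        }
    }
}
```

Compile with framework-1.3.2.jar on the classpath. The pattern worth keeping from this example is that the clear text exists only inside the access() callback and in locally scoped arrays that are zeroed in finally blocks; nothing is ever converted to a String, so there is no immutable copy left for the garbage collector to clean up later.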