/* Copyright 2013 The jeo project. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package io.jeo.util; import java.security.SecureRandom; /** * Utility class for handling passwords. * <p> * This class stores passwords internally in a character array and not a {@link String}. After the * application is done with the password it should call {@link #dispose()} in order to scramble * the password to help prevent "heap dump" attacks. * </p> * @author Justin Deoliveira, OpenGeo */ public class Password { /** * Returns the password contents as a string. * <p> * Note that this method defeats the purpose of this class since it returns a string which will then * be stored and pooled in memory. Secure applications should avoid using this method and use {@link #get()} * if possible. * </p> */ public static String toString(Password passwd) { if (passwd == null) { return null; } return new String(passwd.get()); } /** * Creates a new password from a string. * <p> * Note that this method defeats the purpose of this class since it requires a string, which will * be pooled in memory. Secure applications should use the constructor of this class if possible. * </p> */ public static Password create(String passwd) { if (passwd == null) { return null; } return new Password(passwd.toCharArray()); } char[] passwd; public Password(char[] passwd) { this.passwd = passwd; } public char[] get() { return passwd; } /** * Tests the password against the specified string. * * @return True if the text matches this password. */ public boolean matches(String text) { return matches(text != null ? text.toCharArray() : null); } /** * Tests the password against the specified character array. * * @return True if the text matches this password. */ public boolean matches(char[] text) { if (passwd == null) { return text == null; } if (text == null) { return false; } if (passwd.length != text.length) { return false; } for (int i = 0; i < passwd.length; i++) { char c = text[i]; if (passwd[i] != c) { return false; } } return true; } /** * Disposes and scrambling the password. */ public void dispose() { if (passwd == null || passwd.length == 0) { // nothing to do return; } // scramble the password SecureRandom r = new SecureRandom(); for (int i = 0; i < passwd.length; i++) { passwd[i] = (char) r.nextInt(256); } } }