Strings are immutable. That means once you've created the String, if another process can dump memory, there's no way (aside from reflection) you can get rid of the data before garbage collection kicks in.
With an array, you can explicitly wipe the data after you're done with it. You can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection.
So yes, this is a security concern - but even using char[] only reduces the window of opportunity for an attacker, and it's only for this specific type of attack.
As noted in the comments, it's possible that arrays being moved by the garbage collector will leave stray copies of the data in memory. I believe this is implementation-specific - the garbage collector may clear all memory as it goes, to avoid this sort of thing. Even if it does, there's still the time during which the char[] contains the actual characters as an attack window.
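The wipe-after-use pattern described in the answer above, as an added Java example that is not part of the original answer. The class name, the constructed sample password and the PBKDF2 parameters are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class name; illustrates keeping a password in char[] and wiping it.
public class WipePasswordExample {

    // Derives a PBKDF2 hash from the password. The caller owns `password`
    // and is responsible for wiping it.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        // PBEKeySpec clones the array, so that internal copy must be cleared too.
        // Iteration count and key length are illustrative values.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec)
                    .getEncoded();
        } finally {
            spec.clearPassword(); // wipes the spec's private copy
        }
    }

    // True once every element of the array has been overwritten with zero.
    static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. A console program would obtain the array
        // from System.console().readPassword(), which also returns char[].
        // Calling new String(password) here would create an immutable copy
        // that cannot be overwritten, defeating the purpose.
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        try {
            byte[] digest = hash(password, salt);
            System.out.println("derived " + digest.length + " bytes");
        } finally {
            // Overwrite the plaintext without waiting for garbage collection.
            Arrays.fill(password, '\0');
        }
        System.out.println("password wiped: " + isWiped(password));
    }
}
```

The `finally` blocks make the wipe happen even when key derivation throws; as the answer notes, this only shortens the window in which the characters are in memory.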
First, it's kind of weird to see you run java -jar "app" and not java -jar app.jar.
Second, to make a jar executable... you need to jar a file called META-INF/MANIFEST.MF. The file itself should have (at least) this one-liner:
Main-Class: com.mypackage.MyClass
Where com.mypackage.MyClass is the class holding the public static void main(String[] args) entry point.
Note that there are several ways to get this done either with the CLI, Maven, Ant or Gradle:
For CLI, the following command will do: (tks @dvvrt)
jar cmvf META-INF/MANIFEST.MF <new-jar-filename>.jar <files to include>
For Maven, something like the following snippet should do the trick. Note that this is only the plugin definition, not the full pom.xml:
Latest doc on this plugin: see https://maven.apache.org/plugins/maven-jar-plugin/
<build>
  <plugins>
    <plugin>
      <!-- Build an executable JAR -->
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jar-plugin</artifactId>
      <version>3.1.0</version>
      <configuration>
        <archive>
          <manifest>
            <addClasspath>true</addClasspath>
            <classpathPrefix>lib/</classpathPrefix>
            <mainClass>com.mypackage.MyClass</mainClass>
          </manifest>
        </archive>
      </configuration>
    </plugin>
  </plugins>
</build>
(Pick a <version> appropriate to your project.)
For Ant, the snippet below should help:
<jar destfile="build/main/checksites.jar">
  <fileset dir="build/main/classes"/>
  <zipfileset includes="**/*.class" src="lib/main/some.jar"/>
  <manifest>
    <attribute name="Main-Class" value="com.acme.checksites.Main"/>
  </manifest>
</jar>
Credits Michael Niemand -
For Gradle:
plugins {
    id 'java'
}
jar {
    manifest {
        attributes(
            'Main-Class': 'com.mypackage.MyClass'
        )
    }
}
Best Answer
From the Java Language Specification: