如何确保在 Java 中销毁 String 对象? [英] How can I ensure the destruction of a String object in Java?

问题描述

我公司的一名员工需要通过我编写的程序修改 SQL Server 数据库中的数据.该程序最初使用 Windows 身份验证，我要求 DBA 授予该特定用户对该数据库的写入权限.

An empoyee at my company needs to modify data from a SQL Server database through a program I made. The program used Windows authentication at first, and I asked the DBAs to give this specific user write access to said database.

他们不愿意这样做，而是授予了对我的 Windows 用户帐户的写入权限.

They were not willing to do this, and instead gave write access to my Windows user account.

由于我信任这个人，但不足以让他在我的会话打开的情况下工作 90 分钟，我将向我的程序添加登录提示，要求输入用户名和密码组合，然后使用它登录 SQL Server.我会登录，并相信我的应用程序会让他只做他需要做的事情.

Since I trust the guy but not enough to let him work 90 minutes with my session open, I'll just add a login prompt to my program, asking for a username and password combination, and log in to SQL Server with it. I'll log in, and trust my application to let him do only what he needs to.

然而，这会带来很小的安全风险.密码字段教程超过 SunOracle 的站点声明密码应该在内存中保留最少的时间，为此，getPassword 方法返回一个 char[] 数组，您可以将其归零一次你已经完成了.

This, however, raises a small security risk. The password fields tutorial over SunOracle's site states that passwords should be kept the minimum amount of time required in memory, and to this end, the getPassword method returns a char[] array that you can zero once you're done with it.

然而，Java 的 DriverManager 类只接受 String 对象作为密码，所以我不能在完成密码后立即处理它.而且由于我的应用程序在分配和内存要求方面偶然非常低，谁知道它会在内存中存活多久?如上所述，该程序将运行相当长的时间.

However, Java's DriverManager class only accepts String objects as passwords, so I won't be able to dispose of the password as soon as I'm done with it. And since my application is incidentally pretty low on allocations and memory requirements, who knows how long it'll survive in memory? The program will run for a rather long time, as stated above.

当然，我无法控制 SQL Server JDBC 类使用我的密码做什么，但我希望我可以控制我使用我的密码做什么.

Of course, I can't control whatever the SQL Server JDBC classes do with my password, but I hoped I could control what I do with my password.

是否有一种可靠的方法可以使用 Java 销毁/清零 String 对象?我知道两者都反对语言(对象销毁是不确定的，并且 String 对象是不可变的)，并且 System.gc() 也有点不可预测，但仍然;有什么想法吗?

Is there a surefire way to destroy/zero out a String object with Java? I know both are kind of against the language (object destruction is non-deterministic, and String objects are immutable), and System.gc() is kind of unpredictable too, but still; any idea?

推荐答案

那么，坏消息来了.我很惊讶还没有人提到它.使用现代垃圾收集器，甚至整个 char[] 概念都被打破了.无论您使用 String 还是 char[]，数据最终都会在内存中存留不知道多长时间.这是为什么?因为现代 jvm 使用分代垃圾收集器，简而言之，到处复制对象.因此，即使您使用 char[]，它使用的实际内存也可能会被复制到堆中的不同位置，并在任何地方留下密码的副本(并且没有高性能 gc 会将旧内存清零).因此，当您将最后拥有的实例清零时，您只是将内存中的最新版本清零.

So, here's the bad news. i'm surprised no one has mentioned it yet. with modern garbage collectors, even the whole char[] concept is broken. regardless of whether you use a String or a char[], the data can end up living in memory for who-knows-how-long. why is that? because modern jvms use generational garbage collectors which, in short, copy objects all over the place. so, even if you use a char[], the actual memory it uses could get copied to various locations in the heap, leaving copies of the password everywhere it goes (and no performant gc is going to zero out old memory). so, when you zero out the instance you have at the end, you are only zeroing out the latest version in memory.

长话短说，没有万无一失的方法来处理它.你几乎必须信任这个人.

long story, short, there's no bulletproof way to handle it. you pretty much have to trust the person.

这篇关于如何确保在 Java 中销毁 String 对象?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！