在不使用字符串的情况下从用户获取字符数组 [英] Getting a char array from the user without using a String

问题描述

我想从 Android 用户那里获取密码字符串.

I want to acquire a password string from the user on Android.

我不希望这个字符串在从用户键入它到它以字符或字节数组形式到达我的代码的任何位置的过程中存储在 Java 字符串中.

I do not want this string to be stored in a Java String at any point in the process from when the user types it, to where it arrives in my code in a char or byte array.

这样做的原因是 Sun 禁止将 Java 字符串用于敏感数据.String 类型的对象是不可变的，即没有定义任何方法允许您在使用后更改(覆盖)或将 String 的内容清零.此功能使 String 对象不适合存储安全敏感信息，例如用户密码.您应该始终在字符数组中收集和存储安全敏感信息."http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx

The reason for this is Sun's injunction against using Java Strings for sensitive data. "Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead." http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx

所以我不能使用 EditText，因为它在内部使用字符串(即使它返回一个 Editable，可以想象它可以由 char[] 或 Char[] 支持?).

So I can't use EditText, because that uses Strings internally (even though it returns an Editable which could conceivably be backed by char[] or Char[]?).

从用户那里接受字符数组的最简单方法是什么?我猜是在一个 Canvas 上监听关键事件?

What is the simplest way to accept a char array from the user? I'm guessing a Canvas on which I listen for key events?

推荐答案

我没有看到 EditText.java (API 17) 在内部使用 String.它只是 2 页长的代码.当然，EditText 所继承的 TextView.java 文件中有 9k 行.您仍然不会看到 TextView.java 在内部使用 String 而是使用它自己的 CharWrapper for CharSequence 实现.(TextView.java 行 #8535 API 17).在这里，您可以调用 getChars 方法.你会注意到 buf 是从 mChars 复制过来的，它是 char[] 而不是 String.

I don't see the EditText.java (API 17) using the String internally. It is merely 2 pages long code. Of course, TextView.java from which EditText has inherited has 9k lines in the file. You still won't see TextView.java using the String internally but with its own implementation of CharWrapper for CharSequence. (TextView.java line #8535 API 17). Here you have the method call getChars. As you will notice that buf is copied over from mChars which is char[] and not String.

    private char[] mChars;
    public void getChars(int start, int end, char[] buf, int off) {
        if (start < 0 || end < 0 || start > mLength || end > mLength) {
            throw new IndexOutOfBoundsException(start + ", " + end);
        }

        System.arraycopy(mChars, start + mStart, buf, off, end - start);
    }

现在您要做的就是调用 getChar 并传递要填充的 char[].

Now all you have to do is call getChar and pass along the char[] to be filled in.

            int pl = mPasswordEt.length();
            char[] password = new char[pl];
            mPasswordEt.getText().getChars(0, pl, password, 0);

您拥有所需的 char[] 密码，而无需使用 String.完成工作后，您可以按如下方式从内存中清除它.

You have the desired char[] password without using String. After you have finish working with it you can clear it from memory as follow.

Arrays.fill(password, ' ');

这篇关于在不使用字符串的情况下从用户获取字符数组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！