import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;

void readData() {
  // Direct buffer: the backing memory lives outside the Java heap
  ByteBuffer buffer = ByteBuffer.allocateDirect(16 * 1024);
  try (FileChannel rdr = (new FileInputStream("file")).getChannel()) {
    while (rdr.read(buffer) > 0) {
      // Do something with the buffer

      // Overwrite every byte before reuse: clear() by itself only resets
      // position and limit and leaves the data in memory
      buffer.clear();                  // position = 0, limit = capacity
      while (buffer.hasRemaining()) {
        buffer.put((byte) 0);
      }
      buffer.clear();                  // ready for the next read
    }
  } catch (Throwable e) {
    // Handle error
  }
}
Note that the buffer contents must be overwritten explicitly. ByteBuffer.clear() only resets the position and limit markers and leaves the bytes in place, and the memory behind a direct buffer sits outside the Java heap: it is released only when a Cleaner runs after the buffer object has become unreachable, at a time the program cannot predict, and the freed memory is not zeroed. Scrubbing the buffer while it is still referenced is the only reliable way to limit the lifetime of the data it held.
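As an added example (not code from the original page), the scrub routine below zeroes either a heap or a direct ByteBuffer regardless of its current position and limit, and the main method shows that clear() on its own leaves the sensitive bytes readable. The secret string and buffer sizes are constructed for the demonstration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class BufferScrub {

  // Overwrite every byte of the buffer's capacity, then reset the markers.
  // Works for both heap and direct buffers. Callers must still drop any
  // duplicate() or slice() views, which share the same memory.
  static void scrub(ByteBuffer buffer) {
    buffer.clear();                       // position = 0, limit = capacity
    while (buffer.hasRemaining()) {
      buffer.put((byte) 0);
    }
    buffer.clear();
  }

  // True if no byte anywhere in the buffer's capacity is non-zero.
  static boolean isZeroed(ByteBuffer buffer) {
    for (int i = 0; i < buffer.capacity(); i++) {
      if (buffer.get(i) != 0) {           // absolute get, markers untouched
        return false;
      }
    }
    return true;
  }

  public static void main(String[] args) {
    // Constructed sample: a secret as it might arrive from a channel read
    byte[] secret = "hunter2".getBytes(StandardCharsets.US_ASCII);

    ByteBuffer direct = ByteBuffer.allocateDirect(64);
    direct.put(secret);

    // clear() alone: markers reset, data still present
    direct.clear();
    System.out.println("after clear(): zeroed = " + isZeroed(direct));

    scrub(direct);
    System.out.println("after scrub(): zeroed = " + isZeroed(direct));

    // Heap buffers need the same treatment. The backing array stays
    // reachable via array(), so zeroing through the buffer covers it too.
    ByteBuffer heap = ByteBuffer.wrap(secret);
    scrub(heap);
    System.out.println("heap backing array zeroed = " + (secret[0] == 0));
  }
}
```

The check uses absolute get(i) so that inspecting the buffer does not disturb its markers; the same loop is a convenient unit-test assertion for any code path that claims to scrub a buffer.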
Applicability
Failure to limit the lifetime of sensitive data can lead to information leaks.
2. Do not store unencrypted sensitive information on the client side
When building an application that uses a client-server model, storing sensitive information, such as user credentials, on the client side may result in its unauthorized disclosure if the client is vulnerable to attack.
For web applications, the most common mitigation is to keep the sensitive information on the server and give the client only a cookie. Cookies are created by a web server and stored on the client for a period of time. When the client reconnects, it presents the cookie, which identifies the client (or its session) to the server, and the server then retrieves the sensitive information on the client's behalf. For this to help, the cookie must be an opaque, unguessable token rather than an encoding of the data itself, and it should be sent with the Secure and HttpOnly attributes so that it travels only over TLS and cannot be read by script running in the page.
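As an added example (not code from the original), the class below keeps the sensitive record on the server and hands the client nothing but an opaque session token. The token format, the Set-Cookie attributes, the in-memory store, and the sample user record are assumptions made for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class ServerSideSessions {

  // What must never leave the server: kept here, keyed by an opaque token.
  record Credentials(String user, char[] apiKey) {}

  private static final SecureRandom RNG = new SecureRandom();
  private final Map<String, Credentials> store = new ConcurrentHashMap<>();

  // Issue a 256-bit random token. It carries no information about the
  // credentials, so a stolen cookie reveals nothing by itself.
  String issue(Credentials creds) {
    byte[] raw = new byte[32];
    RNG.nextBytes(raw);
    String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    store.put(token, creds);
    return token;
  }

  // Resolve the record when the client presents its cookie again.
  Optional<Credentials> lookup(String token) {
    return Optional.ofNullable(store.get(token));
  }

  // Forget the record at logout so the token stops working.
  void revoke(String token) {
    store.remove(token);
  }

  // Set-Cookie value: Secure (TLS only), HttpOnly (no script access),
  // SameSite=Strict (not sent on cross-site requests).
  static String setCookieHeader(String token) {
    return "session=" + token + "; Path=/; Secure; HttpOnly; SameSite=Strict";
  }

  // Pull the session token back out of a Cookie request header.
  static Optional<String> tokenFromCookieHeader(String cookieHeader) {
    for (String part : cookieHeader.split(";")) {
      String kv = part.trim();
      if (kv.startsWith("session=")) {
        return Optional.of(kv.substring("session=".length()));
      }
    }
    return Optional.empty();
  }

  public static void main(String[] args) {
    ServerSideSessions sessions = new ServerSideSessions();

    // Login: the server stores the sensitive record, the client gets a cookie
    Credentials creds = new Credentials("alice", "sk_live_example".toCharArray());
    String token = sessions.issue(creds);
    System.out.println(setCookieHeader(token));

    // Next request: only the token travels; the server resolves it
    String incoming = "theme=dark; session=" + token;   // constructed header
    Optional<String> presented = tokenFromCookieHeader(incoming);
    System.out.println("resolved user: "
        + presented.flatMap(sessions::lookup).map(Credentials::user).orElse("none"));

    // Logout: the token is useless even if it was copied from the client
    sessions.revoke(token);
    System.out.println("after revoke: "
        + presented.flatMap(sessions::lookup).map(Credentials::user).orElse("none"));
  }
}
```

In production the store would also expire entries after an idle timeout and live in shared storage behind multiple server instances; the point the example isolates is that the client never holds the credentials, only a random handle to them that the server can invalidate at will.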