This project makes it easy to store passwords in encrypted form, using a cipher that is constructed inside the application and is different for every instance.

It was created to mitigate the Heap_Inspection vulnerability:

String variables are immutable - in other words, once a string variable is assigned, its value cannot be changed or removed. These strings may therefore remain in memory, possibly in multiple locations, for an indefinite period of time until the garbage collector happens to remove them. Sensitive data, such as passwords, remains exposed in memory as plaintext with no control over its lifetime.
Version 2.0.0 introduces a breaking change: the upgrade to Java 17.

Jakarta EE 9 introduces a new top-level jakarta package, replacing EE 8's javax top-level package. For example, the Servlet specification in Jakarta EE 8 uses a javax.servlet package, but this has changed to jakarta.servlet in EE 9.

Generally speaking, it is not possible to mix Java EE and Jakarta EE APIs in the same project. You need to ensure that your own code, as well as all third-party libraries, uses jakarta.* package imports.
properties entry in pom:

    <properties>
        <dwp.securestrings.version>x.x</dwp.securestrings.version>
    </properties>
dependency reference:

    <dependency>
        <groupId>uk.gov.dwp.crypto</groupId>
        <artifactId>secure-strings</artifactId>
        <version>${dwp.securestrings.version}</version>
    </dependency>
Imports used by both examples below:

    import uk.gov.dwp.crypto.SecureStrings;
    import javax.crypto.SealedObject;

Standard implementation:

    public class Pojo {
        private SecureStrings secureStrings = new SecureStrings();
        private SealedObject password = null;

        public String getPassword() {
            return secureStrings.revealString(password);
        }

        public void setPassword(String password) {
            this.password = secureStrings.sealString(password);
        }
    }
Injected class:

    public class Pojo {
        private SecureStrings secureStrings = null;
        private SealedObject password = null;

        @Inject
        public Pojo(SecureStrings secureStrings) {
            this.secureStrings = secureStrings;
        }

        public String getPassword() {
            return secureStrings.revealString(password);
        }

        public void setPassword(String password) {
            this.password = secureStrings.sealString(password);
        }
    }
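The two classes above both hand the plaintext back out of getPassword() as a String, which recreates the heap-lifetime problem the library exists to reduce. The following is an added example, not code from the secure-strings project, showing a pattern that keeps the revealed value inside a narrow scope: the password is sealed as soon as it is set, and usePassword() exposes it only to a callback as a char[] that is overwritten afterwards. It assumes only the API visible on this page (a SecureStrings constructor, sealString(String) returning a SealedObject, and revealString(SealedObject) returning a String, with no checked exceptions); DatabaseCredentials, usePassword and the sample value are this example's own. Note that javax.crypto.SealedObject is part of the JDK, not Jakarta EE, so it keeps its javax prefix after the Java 17 upgrade.

```java
import uk.gov.dwp.crypto.SecureStrings;
import javax.crypto.SealedObject;
import java.util.Arrays;
import java.util.function.Consumer;

// Added example (not part of the secure-strings project): holds a password
// sealed from the moment it is set and reveals it only inside a narrow scope.
public class DatabaseCredentials {
    private final SecureStrings secureStrings;
    private SealedObject sealedPassword;

    // Takes the SecureStrings instance rather than creating one, so that a single
    // shared instance (for example, an injected one) seals and reveals the value.
    public DatabaseCredentials(SecureStrings secureStrings) {
        this.secureStrings = secureStrings;
    }

    // Seal immediately. The caller's plaintext String is the one copy this class
    // cannot control; the caller should drop its reference as soon as possible.
    public void setPassword(String plaintext) {
        this.sealedPassword = secureStrings.sealString(plaintext);
    }

    // Reveal only for the duration of the callback. revealString returns a String,
    // so one plaintext copy still exists until the garbage collector reclaims it;
    // the char[] copy handed to the callback is zeroed here, which narrows the
    // exposure window rather than removing it entirely.
    public void usePassword(Consumer<char[]> consumer) {
        if (sealedPassword == null) {
            throw new IllegalStateException("password has not been set");
        }
        char[] chars = secureStrings.revealString(sealedPassword).toCharArray();
        try {
            consumer.accept(chars);
        } finally {
            Arrays.fill(chars, '\0'); // overwrite the copy we do control
        }
    }

    public static void main(String[] args) {
        SecureStrings secureStrings = new SecureStrings();
        DatabaseCredentials creds = new DatabaseCredentials(secureStrings);
        creds.setPassword("correct horse battery staple"); // constructed sample value
        // A real caller would pass the char[] to a driver API that accepts char[]
        // (for example, a password field on a connection builder); here we only
        // show that the value is usable inside the callback and gone afterwards.
        creds.usePassword(chars -> System.out.println("password length: " + chars.length));
    }
}
```

Because the page states that the cipher differs for every SecureStrings instance, a SealedObject produced by one instance should be assumed to be readable only by that same instance; this is why the constructor accepts the instance instead of creating its own, matching the injected variant above.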