How to avoid HTTP POST parameter conversion to String in Spring Boot











I have built a controller that receives a POST request with a username and a password (both strings) as URL encoded form values.



For security reasons I do not want to store the password as String on my heap any more, I want to have it as a CharArray so that I can overwrite it with 'XXXXXXX' after use.



So far, my controller looks like this:



    @RequestMapping(
        method = [POST],
        value = ["/login"],
        consumes = [MediaType.APPLICATION_FORM_URLENCODED_VALUE]
    )
    fun login(
        @RequestBody
        body: Map<String,String>
    ) {
        val password = body["password"]
        ...
    }


How can I change it so that I can be sure the password never gets converted to String anywhere inside the spring framework?










  • What if I have Spring just inject the HttpServletRequest and I do the parsing of the body myself?
    – Bastian Voigt
    Nov 8 at 10:14















spring-mvc spring-boot security kotlin






asked Nov 8 at 9:29









Bastian Voigt
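
The approach raised in the comment above (take the raw request body and parse it yourself), as an added example that is not part of the original post or of Spring: a hypothetical `readFormField` helper that pulls one field out of a URL-encoded body and percent-decodes it into a `CharArray` without building a `String` for the value. It assumes an ASCII field name, a UTF-8 value, a body of at most `maxBytes`, and that the stream is the unread body from `HttpServletRequest.getInputStream()`.

```kotlin
import java.io.InputStream
import java.nio.ByteBuffer

// Hypothetical helper (not Spring API): returns one form field as a CharArray, value never a String.
// Assumes an ASCII field name, a UTF-8 value and a body of at most maxBytes.
fun readFormField(input: InputStream, field: String, maxBytes: Int = 8192): CharArray? {
    val raw = ByteArray(maxBytes)                  // fixed buffer that can be wiped afterwards
    var len = 0
    while (len < maxBytes) {
        val n = input.read(raw, len, maxBytes - len)
        if (n < 0) break else len += n
    }
    val value = ByteArray(len)                     // percent-decoded bytes of the field
    try {
        val key = field.toByteArray(Charsets.US_ASCII)
        var start = 0
        while (start < len) {
            var end = start
            while (end < len && raw[end].toInt() != 0x26) end++            // '&' ends a pair
            val eq = start + key.size
            if (eq < end && raw[eq].toInt() == 0x3D &&                     // '=' after the name
                key.indices.all { raw[start + it] == key[it] }) {
                var n = 0; var i = eq + 1
                while (i < end) {
                    val b = raw[i].toInt()
                    if (b == 0x25) {                                       // "%XX" escape
                        if (i + 2 >= end) return null                      // truncated escape
                        val hi = Character.digit(raw[i + 1].toInt(), 16)
                        val lo = Character.digit(raw[i + 2].toInt(), 16)
                        if (hi < 0 || lo < 0) return null                  // malformed escape
                        value[n++] = (hi * 16 + lo).toByte()
                        i += 2
                    } else value[n++] = if (b == 0x2B) 0x20.toByte() else raw[i]  // '+' is a space
                    i++
                }
                val chars = Charsets.UTF_8.decode(ByteBuffer.wrap(value, 0, n))
                return CharArray(chars.remaining()).also { chars.get(it); chars.array().fill('\u0000') }
            }
            start = end + 1
        }
        return null
    } finally { raw.fill(0); value.fill(0) }       // runs on every return path
}

fun main() {
    val body = "username=alice&password=s%3Dcr+t%21".toByteArray()  // constructed sample body
    val password = readFormField(body.inputStream(), "password") ?: return
    println(password.size)
    password.fill('\u0000')                        // overwrite after use
}
```

This only keeps the value out of `String` objects in the code you control: if a servlet filter or the framework calls `getParameter` before the controller runs, the container has already parsed the body into Strings, and the container's own network buffers are outside the helper's reach.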
