  • 3
    Why is String deduplication scary? It only applies when there are at least two strings with the same contents, so what danger would arise from letting these two already identical strings share the same array? Or let's ask the other way round: if there is no String deduplication, what advantage arises from the fact that both strings have a distinct array (with the same contents)? In either case, there will be an array with those contents alive at least as long as the longest-living String with those contents is alive… Commented Mar 9, 2017 at 17:45
  • @Holger, anything that's out of your control is a potential risk... for instance, if two users have the same password, this wonderful feature will store both of them in a single char[], making it evident that they are the same. Not sure if that's a huge risk, but still. Commented Mar 9, 2017 at 18:28
  • 1
    If you have access to the heap memory and both string instances, it doesn’t matter whether the strings point to the same array or to two arrays of the same contents, each is easy to find out. Especially, as it is irrelevant anyway. If you are at this point, you grab both passwords, whether identical or not. The actual error lies in using plaintext passwords instead of salted hashes. Commented Mar 9, 2017 at 18:35
  • 5
    It seems you have a fundamental misunderstanding about String Deduplication. It doesn't "intern strings"; all it does is let strings with the same contents point to the same array, which actually reduces the number of array instances containing the plaintext password, as all but one array instance can be reclaimed and overwritten by other objects immediately. These strings are still collected like any other string. Maybe it helps if you understand that the deduplication is actually done by the garbage collector, and only for strings that have survived multiple GC cycles. Commented Mar 13, 2017 at 11:30
  • 2
    "are Spring Security guys incompetent": It's an important question in this context. I previously wondered this myself, when looking into the differences between BCrypt and BCryptPasswordEncoder. Even in the simultaneous initial commit they took an inconsistent approach: taking String for Bcrypt and taking CharSequence for BCryptPasswordEncoder (which calls Bcrypt). Commented Sep 17, 2019 at 16:58
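The thread above turns on two points: a String's backing array stays in the heap until the garbage collector gets to it (and deduplication is just that collector sharing one array between equal survivors), and an API that takes CharSequence only helps if it never calls toString(). The following is an added example, not code from the question, the comments, or Spring Security: a hypothetical char[]-backed CharSequence (WipeableChars, readThrough and isZeroed are assumed names) that can be zeroed the moment the password has been consumed, and that refuses to be turned into a String so that a CharSequence parameter which secretly copies to String fails loudly instead of silently.

```java
import java.util.Arrays;

/**
 * Hypothetical helper (not part of Spring Security): a CharSequence view over a
 * caller-owned char[]. A String cannot be cleared, so its plaintext stays in the
 * heap until the GC reclaims it (and, with -XX:+UseStringDeduplication, may first
 * be shared between equal strings); this view is zeroed as soon as it is closed.
 */
public final class WipeableChars implements CharSequence, AutoCloseable {
    private final char[] chars;
    private final int start;
    private final int end;
    private boolean wiped;

    public WipeableChars(char[] chars) {
        this(chars, 0, chars.length);
    }

    private WipeableChars(char[] chars, int start, int end) {
        this.chars = chars;
        this.start = start;
        this.end = end;
    }

    @Override
    public int length() {
        checkNotWiped();
        return end - start;
    }

    @Override
    public char charAt(int index) {
        checkNotWiped();
        if (index < 0 || index >= length()) {
            throw new IndexOutOfBoundsException("index " + index);
        }
        return chars[start + index];
    }

    /** Shares the backing array instead of copying it; views read zeros once the owner is closed. */
    @Override
    public CharSequence subSequence(int from, int to) {
        checkNotWiped();
        if (from < 0 || to > length() || from > to) {
            throw new IndexOutOfBoundsException(from + ".." + to);
        }
        return new WipeableChars(chars, start + from, start + to);
    }

    /**
     * Refuse to materialise an immutable String: that copy could not be wiped and
     * would undo the point of holding the secret in a char[]. A consumer that
     * declares CharSequence but calls toString() internally fails here, loudly.
     */
    @Override
    public String toString() {
        throw new UnsupportedOperationException("refusing to copy a secret into a String");
    }

    /** Zero the backing array; this instance is unusable afterwards. */
    @Override
    public void close() {
        Arrays.fill(chars, '\0');
        wiped = true;
    }

    private void checkNotWiped() {
        if (wiped) {
            throw new IllegalStateException("secret already wiped");
        }
    }

    /** True if every element of the array has been zeroed. */
    public static boolean isZeroed(char[] a) {
        for (char c : a) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    /** Stand-in for a CharSequence-taking consumer that reads through charAt() only. */
    static int readThrough(CharSequence secret) {
        int read = 0;
        for (int i = 0; i < secret.length(); i++) {
            if (secret.charAt(i) != '\0') {
                read++;
            }
        }
        return read;
    }

    public static void main(String[] args) {
        // Constructed sample; a real caller would take the array from Console.readPassword().
        char[] raw = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        int seen = 0;
        try (WipeableChars pw = new WipeableChars(raw)) {
            seen = readThrough(pw);
        }
        System.out.println("chars consumed: " + seen + ", array zeroed after use: " + isZeroed(raw));
    }
}
```

Passing such a view to a CharSequence-taking API like BCryptPasswordEncoder.encode(CharSequence) is the practical test of the last comment's point: if the implementation reads the sequence through charAt() the password never becomes a String, and if it delegates to a String-taking routine via toString() the UnsupportedOperationException tells you so at once, which is the only way to know whether the CharSequence signature is more than cosmetic. Either way, the plaintext array is gone after the try block and only the salted hash should remain.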