  • 17
    Not secure by default. If we're talking a web application, most web containers will pass the password into the HttpServletRequest object in plaintext. If the JVM version is 1.6 or lower, it'll be in permgen space. If it's in 1.7, it'll still be readable until it gets collected. (Whenever that is.) Commented Feb 5, 2016 at 15:19
  • 7
    @avgvstvs: strings are not automatically moved to the permgen space, that only applies to intern'ed strings. Besides that, the permgen space is also subject to garbage collection, just at a lower rate. The real issue with the permgen space is its fixed size, which is exactly the reason why no one should mindlessly call intern() on arbitrary strings. But you are right in that the String instances exist in the first place (until collected) and turning them into char[] arrays afterwards doesn’t change it. Commented Mar 9, 2017 at 10:04
  • 4
    @Holger see docs.oracle.com/javase/specs/jvms/se6/html/… "Otherwise, a new instance of class String is created containing the sequence of Unicode characters given by the CONSTANT_String_info structure; that class instance is the result of string literal derivation. Finally, the intern method of the new String instance is invoked." In 1.6, the JVM would call intern for you when it detected identical sequences. Commented Mar 9, 2017 at 16:43
  • 4
    @Holger, you are correct I conflated constant pool and string pool, but it is also false that permgen space only applied to interned strings. Prior to 1.7, both the constant_pool and the string_pool resided in permgen space. That means the only class of Strings that were allocated to the heap were as you said, new String() or StringBuilder.toString(). I managed applications with lots of string constants, and we had lots of permgen creep as a result. Until 1.7. Commented Mar 11, 2017 at 18:43
  • 7
    @avgvstvs: well, string constants are, as the JLS mandates, always interned, hence the statement that interned strings ended up in the permgen space, applied to string constants implicitly. The only difference is that string constants were created in the permgen space in the first place, whereas calling intern() on an arbitrary string could cause the allocation of an equivalent string in the permgen space. The latter could get GC’ed, if there was no literal string of the same contents sharing that object… Commented Mar 13, 2017 at 11:20