public final class GuardedByteArray extends Object
byte[]
. That is, anything
represented as a byte[]
is kept in memory in clear text and
stays in memory at least until it is garbage collected.
The GuardedByteArray class alleviates this problem by storing the bytes in memory in an encrypted form. The encryption key will be a randomly-generated key.
In their serialized form, GuardedByteArrays will be encrypted using a known default key. This is to provide a minimum level of protection regardless of the transport. For communications with the Remote Connector Framework it is recommended that deployments enable SSL for true encryption.
Applications may also wish to persist GuardedByteArrays. In the case of Identity Manager, it should convert GuardedByteArrays to EncryptedData so that they can be stored and managed using the Manage Encryption features of Identity Manager. Other applications may wish to serialize APIConfiguration as a whole. These applications are responsible for encrypting the APIConfiguration blob for an additional layer of security (beyond the basic default key encryption provided by GuardedByteArray).
Modifier and Type | Class and Description |
---|---|
static interface |
GuardedByteArray.Accessor
Callback interface for those times that it is necessary to access the
clear text of the guarded bytes.
|
Constructor and Description |
---|
GuardedByteArray()
Creates an empty secure byte array.
|
GuardedByteArray(byte[] clearBytes)
Initializes the GuardedByteArray from the given clear text bytes.
|
Modifier and Type | Method and Description |
---|---|
void |
access(GuardedByteArray.Accessor accessor)
Provides access to the clear-text value of the byte array in a controlled
fashion.
|
void |
appendByte(byte b)
Appends a single clear-text byte to the secure byte array.
|
GuardedByteArray |
copy()
Create a copy of the byte array.
|
void |
dispose()
Clears the in-memory representation of the byte array.
|
boolean |
equals(Object o) |
int |
hashCode() |
boolean |
isReadOnly()
Returns true if this byte array has been marked read-only.
|
void |
makeReadOnly()
Mark this byte array as read-only.
|
boolean |
verifyBase64SHA1Hash(String hash)
Verifies that this base-64 encoded SHA1 hash of this byte array matches
the given value.
|
public GuardedByteArray()
public GuardedByteArray(byte[] clearBytes)
clearBytes
- The clear-text bytespublic void access(GuardedByteArray.Accessor accessor)
NOTE: Callers are encouraged to use
verifyBase64SHA1Hash(String)
where possible if the intended use
is merely to verify the contents of the byte array match an expected hash
value.
accessor
- Accessor callback.IllegalStateException
- If the byte array has been disposedpublic void appendByte(byte b)
b
- The byte to append.IllegalStateException
- If the byte array is read-onlyIllegalStateException
- If the byte array has been disposedpublic void dispose()
public boolean isReadOnly()
IllegalStateException
- If the byte array has been disposedpublic void makeReadOnly()
IllegalStateException
- If the byte array has been disposedpublic GuardedByteArray copy()
IllegalStateException
- If the byte array has been disposedpublic boolean verifyBase64SHA1Hash(String hash)
hash
- The hash to verify against.IllegalStateException
- If the byte array has been disposedCopyright © 2019. All rights reserved.