Vaadin PasswordField requires a String object to be created

Hi,
Can someone tell me what’s the recommended way for securely getting a password in Vaadin?

I had a look to Vaadin PasswordField but this components uses String object to store the password behind the scene while it is absolutely not recommended for security reason. This is mainly due to the fact that Strings are immutable in Java and stored in Strings pool for reusability. So, there is no way to reset their value and they have a pretty high chance to remain in memory for a long time. A simple memory dump would then give access to all the entered passwords.

Is there any other alternative I could use that would enable me to have the password stored in a char and that doesn’t require creating a String in between? I’m a bit surprised I didn’t manage to find something out of the box for dealing with this in Vaadin. Am I missing something?

Thanks in advance,
Anne-Catherine

String fields are GCed like all other objects that are no longer in use. These are not static string literals, just objects on the heap like all others.

Most likely, all input fields send their values as strings (via UIDL, JSON or traditional name-value POST) from the browser to the server over HTTP(S). These strings are all available for GC once they are no longer referenced, but they are likely copied and parsed and processed by Tomcat connectors/http processors, Vaadin itself, as well as your code.

That said, while slightly paranoid care is sometimes a good thing for security, if others can create heap dump of your Java process and transfer a copy of it from your system, you are already compromised. That is, access to the server code essentially means all bets are off if you don’t control that.