According to the thread about Strings and security in java, the String type can be dangerous when used for password attributes mainly because strings are immutable (could be found in the VM image) and could be logged.
As I'm using Thrift to generate Java classes, is there a thrift type or option that can generate a char [] (char array) so that I could avoid manipulating the generated Java classes directly ?
Not a char array... but you could get close with IDL like this:
namespace java array.test
struct Test {
1: list<byte> passwd;
2: binary passwd2;
}
list<byte> will generate a java.util.List<Byte> field in Java.
binary will generate a java.nio.ByteBuffer field in Java.
I think you should be able to effectively blank out either of those to achieve what is described in your linked question.
This is what thrift --help says for Java:
java (Java):
beans: Members will be private, and setter methods will return void.
private-members: Members will be private, but setter methods will return 'this' like usual.
nocamel: Do not use CamelCase field accessors with beans.
fullcamel: Convert underscored_accessor_or_service_names to camelCase.
android: Generated structures are Parcelable.
android_legacy: Do not use java.io.IOException(throwable) (available for Android 2.3 and above).
option_type: Wrap optional fields in an Option type.
java5: Generate Java 1.5 compliant code (includes android_legacy flag).
reuse-objects: Data objects will not be allocated, but existing instances will be used (read and write).
sorted_containers:
Use TreeSet/TreeMap instead of HashSet/HashMap as a implementation of set/map.
So the answer is: Currently not.
