We've been told that in Java applications one should always use char[] instead of String to handle plaintext passwords. Because of the immutability of char[], an attacker is able to take a heap snapshot (before the GC kicks in) and read the password from it.
Now I was surprised to see spring-security using java.lang.String to pass passwords around, for example in UserDetails.
Is this a security problem? If not, why not? If it is, how can spring-security be used securely without exposing the password in the Java heap, or at least while minimizing the risk of exposing it?
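As an added illustration (not code from the question or from Spring Security), this is the char[] discipline the first paragraph refers to: the password is fed to a PBKDF2 derivation through the JDK's PBEKeySpec, which itself takes char[] and offers clearPassword(), and the buffer is zeroed afterwards, whereas a String can only be copied, never wiped. The password value and salt are constructed sample inputs.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordBuffer {

    /** Derive a PBKDF2-HMAC-SHA256 hash and wipe every char[] copy of the password. */
    static byte[] deriveAndWipe(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 310_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // zero the internal copy PBEKeySpec made
            Arrays.fill(password, '\0');   // zero the caller's buffer
        }
    }

    /** True when the buffer holds only NUL characters, i.e. no plaintext is left. */
    static boolean isWiped(char[] buffer) {
        return Arrays.equals(buffer, new char[buffer.length]);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];                      // constructed per-user salt
        new SecureRandom().nextBytes(salt);

        // Constructed sample input. Real code reads it with Console.readPassword(),
        // which returns char[] without ever creating a String; the literal used here
        // stays in the string pool, which is exactly the problem the question raises.
        char[] pw = "correct horse battery staple".toCharArray();
        byte[] hash = deriveAndWipe(pw, salt);
        System.out.println("hash bytes: " + hash.length);
        System.out.println("buffer wiped: " + isWiped(pw));

        // What a String-based API forces: the String object cannot be cleared, only copied.
        String fromUserDetails = new String(hash, 0, 0) + "constructed-password";
        char[] copy = fromUserDetails.toCharArray();
        Arrays.fill(copy, '\0');   // wipes the copy only; the String stays on the heap until GC
        System.out.println("copy wiped: " + isWiped(copy) + ", original still readable: "
                + !fromUserDetails.isEmpty());
    }
}
```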