You're supposed to generate a secret key and store it in a key file using a separate tool, then load it in your application using KeyStore.
If you google Java KeyStore you can probably easily find more info on how to do this.
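To make the two steps concrete (this is an added example, not code from the thread or from either poster): an operator creates the key once with keytool, and the application only ever loads it through KeyStore, so no secret literal appears in the source for a static analyzer to flag. The alias `app-secret`, the file name `secrets.p12` and the environment variable `APP_KEYSTORE_PASSWORD` are assumptions chosen for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import javax.crypto.SecretKey;

public final class SecretKeyLoader {

    // One-time setup by an operator, not by the end user (assumed alias and file name):
    //   keytool -genseckey -alias app-secret -keyalg AES -keysize 256 \
    //           -keystore secrets.p12 -storetype PKCS12 -storepass <store password>
    // The application never generates or hard-codes the key; it only reads it back.

    /** Opens the PKCS12 store and returns the secret key stored under {@code alias}. */
    public static SecretKey load(Path keystorePath, char[] storePassword, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keystorePath)) {
            ks.load(in, storePassword);           // verifies the store integrity MAC as well
        }
        // PKCS12 protects entries with the store password, so the same chars are reused here.
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(storePassword);
        KeyStore.Entry entry = ks.getEntry(alias, prot);
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            // A missing alias or a certificate/private-key entry under that alias is a
            // deployment error; fail loudly instead of silently continuing without a key.
            throw new KeyStoreException("no secret key entry under alias '" + alias + "'");
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        // The store password comes from the deployment environment (assumed variable name),
        // so the source contains no literal password for the analyzer to report.
        String pw = System.getenv("APP_KEYSTORE_PASSWORD");
        if (args.length != 1 || pw == null) {
            System.err.println("usage: APP_KEYSTORE_PASSWORD=... java SecretKeyLoader <path-to-secrets.p12>");
            System.exit(2);
        }
        char[] password = pw.toCharArray();
        try {
            SecretKey key = load(Path.of(args[0]), password, "app-secret");
            // Never print key material; reporting algorithm and size is enough to confirm loading.
            System.out.println("loaded " + key.getAlgorithm() + " key, " + key.getEncoded().length * 8 + " bits");
        } finally {
            Arrays.fill(password, '\0');      // scrub the password copy once it is no longer needed
        }
    }
}
```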
I see. I understand that I will pass the keystore file, and the password to obtain a KeyStore object.
Can you please explain as to what specifically in the code needs to get processed by my external library?
I'm a little unclear as to how this integrates with my existing code.
Stephan van Hulst wrote: You don't need an external library.
You can just use the keytool command to generate a key store file, and you use KeyStore from within your application to retrieve the secret you generated.
I see. But this is an enterprise application where no such ability will be provided to the user - or the user may not be that savvy to be able to do that.
How is the vulnerability mitigated in that case? (and when I say mitigated, I mean to make the static code analyzer happy)