[ 
https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16177908#comment-16177908
 ] 

Remko Popma edited comment on LOG4J2-1896 at 9/23/17 5:44 PM:
--------------------------------------------------------------

The various StoreConfiguration classes now get a reference to a 
PasswordProvider instead of a {{char[]}} password.

The PasswordProvider's {{getPassword()}} method may be called multiple times as 
needed, so the caller does not need to (and should not) keep the password data 
in memory for longer than absolutely necessary. Users of this class now erase 
the password array immediately when authentication is complete and the password 
data is no longer needed.

I created LOG4J2-2054 for the next weak point: currently the 
TrustStore/KeyStore passwords need to be specified in plain text in the log4j2 
configuration.


was (Author: [email protected]):
The various StoreConfiguration classes now get a reference to a 
PasswordProvider instead of a {{char[]}} password.

The PasswordProvider's {{getPassword()}} method may be called multiple times as 
needed, so the caller does not need to (and *should not*) keep the password 
data in memory for longer than absolutely necessary. Users of this class now 
erase the password array immediately when authentication is complete and the 
password data is no longer needed.

I created LOG4J2-2054 for the next weak point: currently the 
TrustStore/KeyStore passwords need to be specified in plain text in the log4j2 
configuration.

> Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String 
> to char[] for passwords
> ---------------------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-1896
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1896
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>            Reporter: Gary Gregory
>            Assignee: Remko Popma
>             Fix For: 2.10.0
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a 
> {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See 
> https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
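The ownership pattern the comment describes, as an added example that is not Log4j's own code: a hypothetical PasswordProvider interface whose getPassword() hands back a fresh copy on every call, and a keystore loader that uses the copy only for the duration of the load and zeroes it in a finally block (the class and method names are assumed, not the project's).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical interface mirroring the design described in the comment:
// each call returns a new char[] that the caller owns and must wipe.
interface PasswordProvider {
    char[] getPassword();
}

// Example provider (assumed, not Log4j's) that holds the secret as a char[]
// and copies it on each call, so callers can wipe their copy safely.
final class MemoryPasswordProvider implements PasswordProvider {
    private final char[] secret;

    MemoryPasswordProvider(char[] secret) {
        this.secret = secret.clone();
    }

    @Override
    public char[] getPassword() {
        return secret.clone();
    }
}

final class StoreLoader {
    // Fetches the password only for the duration of the load and erases
    // the array immediately afterwards, even if KeyStore.load() throws.
    static KeyStore load(String path, String type, PasswordProvider provider)
            throws IOException, GeneralSecurityException {
        char[] password = provider.getPassword();
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return ks;
        } finally {
            // A String could not be cleared; a char[] can be zeroed right here.
            Arrays.fill(password, '\0');
        }
    }
}
```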



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
