String objects containing a password stay resident in memory even after being garbage collected and can be obtained by reading the memory from an external process.
char[] arrays are mutable so their content can be nulled out after authentication is complete. This is not possible with String objects.

(Shameless plug) Every java main() method deserves http://picocli.info

> On May 5, 2017, at 17:35, Mikael Ståldal <mikael.stal...@magine.com> wrote:
>
> OK.
>
> On Fri, May 5, 2017 at 10:33 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
>> Subclasses can still make the same mistake as long as it is a String. It is just something I consider good practice.
>>
>> Gary
>>
>> On May 5, 2017 1:30 AM, "Mikael Ståldal" <mikael.stal...@magine.com> wrote:
>>
>>> What about a custom implementation of StoreConfiguration.toString which does not include the password?
>>>
>>> On Fri, May 5, 2017 at 10:28 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>
>>>> Usually toString on an object that includes a password String can end up in places like logs that it should not be. A char[] toString does not display its contents.
>>>>
>>>> Gary
>>>>
>>>> On May 5, 2017 12:41 AM, "Mikael Ståldal" <mikael.stal...@magine.com> wrote:
>>>>
>>>>> What are those security reasons?
>>>>>
>>>>> On Fri, May 5, 2017 at 2:06 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I think I'd like to change the type of org.apache.logging.log4j.core.net.ssl.StoreConfiguration.password from String to char[] for the usual security reason.
>>>>>>
>>>>>> Thoughts?
>>>>>>
>>>>>> Gary
>>>>>>
>>>>>> --
>>>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>>>> Java Persistence with Hibernate, Second Edition
>>>>>> JUnit in Action, Second Edition
>>>>>> Spring Batch in Action
>>>>>> Blog: http://garygregory.wordpress.com
>>>>>> Home: http://garygregory.com/
>>>>>> Tweet! http://twitter.com/GaryGregory
>>>>>
>>>>> --
>>>>> Mikael Ståldal
>>>>> Senior software developer
>>>>>
>>>>> Magine TV
>>>>> mikael.stal...@magine.com
>>>>> Grev Turegatan 3 | 114 46 Stockholm, Sweden | www.magine.com
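The two points raised in the thread (a char[] password can be wiped after use, and it stays out of toString() output) as an added example; this is not log4j's StoreConfiguration but a hypothetical StoreConfigurationExample class written here, and the sample password and keystore path are constructed for the demo.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical holder (not log4j's own class): the password is a char[] so it can be
// zeroed once the keystore is open, and toString() never includes it.
public final class StoreConfigurationExample {
    private final String location;
    private final char[] password;   // mutable: can be cleared, unlike a String

    public StoreConfigurationExample(String location, char[] password) {
        this.location = location;
        // Defensive copy so this object and the caller can clear their arrays independently.
        this.password = password == null ? null : password.clone();
    }

    // java.security.KeyStore.load() already takes char[], so no String is ever created;
    // the password copy is wiped as soon as the load has finished, success or failure.
    public KeyStore loadKeyStore(String type) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(location)) {
            ks.load(in, password);
        } finally {
            clearPassword();
        }
        return ks;
    }

    public void clearPassword() {
        if (password != null) {
            Arrays.fill(password, '\0');
        }
    }

    // Keep the field out of toString() entirely; building it with
    // String.valueOf(password) would defeat the purpose of using char[].
    @Override
    public String toString() {
        return "StoreConfigurationExample[location=" + location + ", password=****]";
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();               // constructed sample password
        StoreConfigurationExample cfg = new StoreConfigurationExample(args[0], pw);
        System.out.println(cfg);                             // safe to log: no password shown
        cfg.loadKeyStore(KeyStore.getDefaultType());         // cfg's copy is wiped here
        Arrays.fill(pw, '\0');                               // caller wipes its own copy too
    }
}
```

Run it with the path of a keystore whose password is "changeit" as the first argument; the printed line shows only the location.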