String objects containing a password stay resident in memory even after being 
garbage collected and can be obtained by reading the memory from an external 
process. 

char [] arrays are mutable so their content can be nulled out after 
authentication is complete. This is not possible with String objects. 



(Shameless plug) Every java main() method deserves http://picocli.info

> On May 5, 2017, at 17:35, Mikael Ståldal <mikael.stal...@magine.com> wrote:
> 
> OK.
> 
> On Fri, May 5, 2017 at 10:33 AM, Gary Gregory <garydgreg...@gmail.com>
> wrote:
> 
>> Subclasses can still make the same mistake as long as it is a String. It is
>> just something I consider good practice.
>> 
>> Gary
>> 
>> On May 5, 2017 1:30 AM, "Mikael Ståldal" <mikael.stal...@magine.com>
>> wrote:
>> 
>>> What about a custom implementation of StoreConfiguration.toString which
>>> does not include the password?
>>> 
>>> On Fri, May 5, 2017 at 10:28 AM, Gary Gregory <garydgreg...@gmail.com>
>>> wrote:
>>> 
>>>> Usually toString on an object that includes a password String can end
>> up
>>> in
>>>> places like logs that it should not be. A char[] toString does not
>>> display
>>>> its contents.
>>>> 
>>>> Gary
>>>> 
>>>> On May 5, 2017 12:41 AM, "Mikael Ståldal" <mikael.stal...@magine.com>
>>>> wrote:
>>>> 
>>>>> What are those security reasons?
>>>>> 
>>>>> On Fri, May 5, 2017 at 2:06 AM, Gary Gregory <garydgreg...@gmail.com
>>> 
>>>>> wrote:
>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> I think I'd like to change the type
>>>>>> of org.apache.logging.log4j.core.net.ssl.StoreConfiguration.
>> password
>>>>> from
>>>>>> String to char[] for the usual security reason.
>>>>>> 
>>>>>> Thoughts?
>>>>>> 
>>>>>> Gary
>>>>>> 
>>>>>> --
>>>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>>>> Java Persistence with Hibernate, Second Edition
>>>>>> <https://www.amazon.com/gp/product/1617290459/ref=as_li_
>>>>>> tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1617290459&
>>>>>> linkCode=as2&tag=garygregory-20&linkId=
>>> cadb800f39946ec62ea2b1af9fe6a2
>>>> b8>
>>>>>> 
>>>>>> <http:////ir-na.amazon-adsystem.com/e/ir?t=
>>> garygregory-20&l=am2&o=1&a=
>>>>>> 1617290459>
>>>>>> JUnit in Action, Second Edition
>>>>>> <https://www.amazon.com/gp/product/1935182021/ref=as_li_
>>>>>> tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182021&
>>>>>> linkCode=as2&tag=garygregory-20&linkId=
>>> 31ecd1f6b6d1eaf8886ac902a24de4
>>>>> 18%22
>>>>>>> 
>>>>>> 
>>>>>> <http:////ir-na.amazon-adsystem.com/e/ir?t=
>>> garygregory-20&l=am2&o=1&a=
>>>>>> 1935182021>
>>>>>> Spring Batch in Action
>>>>>> <https://www.amazon.com/gp/product/1935182951/ref=as_li_
>>>>>> tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182951&
>>>>>> linkCode=%7B%7BlinkCode%7D%7D&tag=garygregory-20&linkId=%7B%
>>>>>> 7Blink_id%7D%7D%22%3ESpring+Batch+in+Action>
>>>>>> <http:////ir-na.amazon-adsystem.com/e/ir?t=
>>> garygregory-20&l=am2&o=1&a=
>>>>>> 1935182951>
>>>>>> Blog: http://garygregory.wordpress.com
>>>>>> Home: http://garygregory.com/
>>>>>> Tweet! http://twitter.com/GaryGregory
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> [image: MagineTV]
>>>>> 
>>>>> *Mikael Ståldal*
>>>>> Senior software developer
>>>>> 
>>>>> *Magine TV*
>>>>> mikael.stal...@magine.com
>>>>> Grev Turegatan 3  | 114 46 Stockholm, Sweden  |   www.magine.com
>>>>> 
>>>>> Privileged and/or Confidential Information may be contained in this
>>>>> message. If you are not the addressee indicated in this message
>>>>> (or responsible for delivery of the message to such a person), you
>> may
>>>> not
>>>>> copy or deliver this message to anyone. In such case,
>>>>> you should destroy this message and kindly notify the sender by reply
>>>>> email.
>>>>> 
>>>> 
>>> 
>>> 
>> 
> 

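An added illustration of the points raised in this thread (example code written for this page, not code from the thread or from Log4j): the two StoreConfig classes below are hypothetical stand-ins for StoreConfiguration, holding the same password once as a String and once as a char[], so the toString and wipe behaviour can be compared side by side. The sample password, the keystore path and the class names are all constructed for the example.

```java
import java.security.KeyStore;
import java.util.Arrays;
import java.util.function.Function;

// Added illustration for this thread, not Log4j code. StringStoreConfig and
// CharArrayStoreConfig are hypothetical stand-ins for StoreConfiguration.
public final class PasswordFieldDemo {

    /** String-typed password: immutable, so it cannot be wiped, and trivially leaked by toString. */
    static final class StringStoreConfig {
        private final String location;
        private final String password;

        StringStoreConfig(String location, String password) {
            this.location = location;
            this.password = password;
        }

        // A field-by-field toString (IDE-generated or hand-written) prints the secret.
        @Override public String toString() {
            return "StringStoreConfig[location=" + location + ", password=" + password + "]";
        }
    }

    /** char[]-typed password: can be zeroed after use, and the same toString does not print it. */
    static final class CharArrayStoreConfig {
        private final String location;
        private final char[] password;

        CharArrayStoreConfig(String location, char[] password) {
            this.location = location;
            this.password = password.clone(); // own copy, so caller and holder can each wipe theirs
        }

        /** Lends the secret to a consumer for the duration of the call only. */
        <T> T withPassword(Function<char[], T> consumer) {
            return consumer.apply(password);
        }

        /** Overwrites the secret in place once it has been consumed. */
        void clear() {
            Arrays.fill(password, '\0');
        }

        // Concatenating a char[] goes through Object.toString(), giving "[C@<hash>", not the contents.
        @Override public String toString() {
            return "CharArrayStoreConfig[location=" + location + ", password=" + password + "]";
        }
    }

    /** True if rendering the config into a log line would expose the secret. */
    static boolean leaksSecret(Object config, String secret) {
        return ("log line: " + config).contains(secret);
    }

    public static void main(String[] args) throws Exception {
        String secret = "hunter2"; // constructed sample password, not a real credential
        String location = "/etc/keystore.p12"; // constructed sample path

        StringStoreConfig asString = new StringStoreConfig(location, secret);
        System.out.println("String field leaks via toString: " + leaksSecret(asString, secret)); // true

        char[] chars = secret.toCharArray();
        CharArrayStoreConfig asChars = new CharArrayStoreConfig(location, chars);
        System.out.println("char[] field leaks via toString: " + leaksSecret(asChars, secret)); // false

        // The JDK keystore API accepts char[], so the secret never has to become a String.
        // load(null, pw) creates an empty PKCS12 store; a real config would pass the file stream.
        KeyStore ks = asChars.withPassword(pw -> {
            try {
                KeyStore store = KeyStore.getInstance("PKCS12");
                store.load(null, pw);
                return store;
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        });
        System.out.println("Loaded keystore type: " + ks.getType());

        // Once the store is loaded, wipe both copies; a String field could not be cleared like this.
        asChars.clear();
        Arrays.fill(chars, '\0');
        System.out.println("Caller's copy is all NULs after wipe: "
                + Arrays.equals(chars, new char[chars.length])); // true

        // Caveat: the benefit is lost as soon as the array is turned back into a String.
        char[] again = secret.toCharArray();
        String copy = new String(again); // a fresh immutable copy that no later wipe can reach
        Arrays.fill(again, '\0');
        System.out.println("new String(char[]) survives the wipe: " + copy);
        // String.valueOf(char[]) and System.out.println(char[]) likewise print the characters,
        // unlike the string concatenation used in toString above, so avoid them on password arrays.
    }
}
```

Two practical notes on the design. The `withPassword` callback keeps the secret from escaping as a return value, which is what makes the later `clear()` meaningful; the same shape fits `KeyStore.load(InputStream, char[])` and `KeyManagerFactory.init(KeyStore, char[])`, both of which take a char[] rather than a String. And `Arrays.fill` only overwrites the copy the program holds: a copying collector may have left an older copy behind in unused heap, so wiping narrows the exposure window rather than guaranteeing that no copy remains.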