I agree with using char[] for this due to the overwriting of contents that
Remko explained. Here's a neat Stack Overflow post to back us up:
https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords

On 5 May 2017 at 04:50, Remko Popma <remko.po...@gmail.com> wrote:

> String objects containing a password stay resident in memory even after
> being garbage collected and can be obtained by reading the memory from an
> external process.
>
> char [] arrays are mutable so their content can be nulled out after
> authentication is complete. This is not possible with String objects.
>
>
>
> (Shameless plug) Every java main() method deserves http://picocli.info
>
> > > On May 5, 2017, at 17:35, Mikael Ståldal <mikael.stal...@magine.com> wrote:
> >
> > OK.
> >
> > On Fri, May 5, 2017 at 10:33 AM, Gary Gregory <garydgreg...@gmail.com>
> > wrote:
> >
> >> Subclasses can still make the same mistake as long as it is a String. It is
> >> just something I consider good practice.
> >>
> >> Gary
> >>
> >> On May 5, 2017 1:30 AM, "Mikael Ståldal" <mikael.stal...@magine.com>
> >> wrote:
> >>
> >>> What about a custom implementation of StoreConfiguration.toString which
> >>> does not include the password?
> >>>
> >>> On Fri, May 5, 2017 at 10:28 AM, Gary Gregory <garydgreg...@gmail.com>
> >>> wrote:
> >>>
> >>>> Usually toString on an object that includes a password String can end up
> >>>> in places like logs that it should not be. A char[] toString does not
> >>>> display its contents.
> >>>>
> >>>> Gary
> >>>>
> >>>> On May 5, 2017 12:41 AM, "Mikael Ståldal" <mikael.stal...@magine.com>
> >>>> wrote:
> >>>>
> >>>>> What are those security reasons?
> >>>>>
> >>>>> On Fri, May 5, 2017 at 2:06 AM, Gary Gregory <garydgreg...@gmail.com>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I think I'd like to change the type
> >>>>>> of org.apache.logging.log4j.core.net.ssl.StoreConfiguration.password from
> >>>>>> String to char[] for the usual security reason.
> >>>>>>
> >>>>>> Thoughts?
> >>>>>>
> >>>>>> Gary
> >>>>>>
> >>>>>> --
> >>>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
> >>>>>> Java Persistence with Hibernate, Second Edition
> >>>>>> <https://www.amazon.com/gp/product/1617290459/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1617290459&linkCode=as2&tag=garygregory-20&linkId=cadb800f39946ec62ea2b1af9fe6a2b8>
> >>>>>> JUnit in Action, Second Edition
> >>>>>> <https://www.amazon.com/gp/product/1935182021/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182021&linkCode=as2&tag=garygregory-20&linkId=31ecd1f6b6d1eaf8886ac902a24de418%22>
> >>>>>> Spring Batch in Action
> >>>>>> <https://www.amazon.com/gp/product/1935182951/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182951&linkCode=%7B%7BlinkCode%7D%7D&tag=garygregory-20&linkId=%7B%7Blink_id%7D%7D%22%3ESpring+Batch+in+Action>
> >>>>>> Blog: http://garygregory.wordpress.com
> >>>>>> Home: http://garygregory.com/
> >>>>>> Tweet! http://twitter.com/GaryGregory
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> [image: MagineTV]
> >>>>>
> >>>>> *Mikael Ståldal*
> >>>>> Senior software developer
> >>>>>
> >>>>> *Magine TV*
> >>>>> mikael.stal...@magine.com
> >>>>> Grev Turegatan 3  | 114 46 Stockholm, Sweden  |   www.magine.com
> >>>>>
> >>>>> Privileged and/or Confidential Information may be contained in this
> >>>>> message. If you are not the addressee indicated in this message
> >>>>> (or responsible for delivery of the message to such a person), you may
> >>>>> not copy or deliver this message to anyone. In such case,
> >>>>> you should destroy this message and kindly notify the sender by reply
> >>>>> email.
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >
> >
> >
>



-- 
Matt Sicker <boa...@gmail.com>
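An added example, not Log4j code and not written by anyone in this thread, showing the two practical differences the thread argues about: a password held as a String is printed verbatim by a field-concatenating toString(), whereas a char[] field prints only its object identity, and a char[] can be overwritten in place once it has been handed to an API such as java.security.KeyStore.load(InputStream, char[]) (which already takes char[]). The class names StringStoreConfig and CharArrayStoreConfig are hypothetical stand-ins for the real StoreConfiguration, and the secret "changeit" is a constructed sample value.

```java
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example (not Log4j's own code). Contrasts a String-typed password
 * holder with a char[]-typed one along the two axes raised in the thread:
 * accidental disclosure through toString(), and the ability to wipe the secret.
 */
public final class PasswordFieldDemo {

    /** Hypothetical "before": password held as an immutable String. */
    static final class StringStoreConfig {
        private final String location;
        private final String password;

        StringStoreConfig(String location, String password) {
            this.location = location;
            this.password = password;
        }

        // An IDE-generated toString() that includes every field: the secret
        // ends up in whatever log line or exception message prints this object.
        @Override
        public String toString() {
            return "StringStoreConfig{location='" + location + "', password='" + password + "'}";
        }
    }

    /** Hypothetical "after": password held as char[] with an explicit clear(). */
    static final class CharArrayStoreConfig {
        private final String location;
        private final char[] password;

        CharArrayStoreConfig(String location, char[] password) {
            this.location = location;
            // Defensive copy: the caller may wipe its own array independently.
            this.password = password == null ? null : password.clone();
        }

        /** Returns a copy so callers cannot mutate, or keep a live reference to, the field. */
        char[] getPassword() {
            return password == null ? null : password.clone();
        }

        /** Overwrite the secret in place once it is no longer needed. */
        void clear() {
            if (password != null) {
                Arrays.fill(password, '\0');
            }
        }

        // String concatenation applies Object.toString() to the array, so even a
        // field-dumping toString() prints something like "[C@1b6d3586", not the characters.
        @Override
        public String toString() {
            return "CharArrayStoreConfig{location='" + location + "', password=" + password + "}";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret; not a real credential.
        char[] secret = "changeit".toCharArray();

        StringStoreConfig before = new StringStoreConfig("keystore.p12", new String(secret));
        CharArrayStoreConfig after = new CharArrayStoreConfig("keystore.p12", secret);

        System.out.println(before); // ...password='changeit'...  -> the secret is in the log line
        System.out.println(after);  // ...password=[C@...          -> no characters shown

        // Hand the secret to the JDK API that already takes char[] ...
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] pw = after.getPassword();
        try {
            ks.load(null, pw); // null stream = create an empty store protected by pw
        } finally {
            Arrays.fill(pw, '\0'); // ... and wipe every copy as soon as the call returns.
            after.clear();
        }
        Arrays.fill(secret, '\0');

        // All char[] copies are now zeroed. The String inside `before` cannot be
        // cleared; it lives until the GC reclaims it, and its bytes may linger after that.
        System.out.println("after.clear() -> " + Arrays.toString(after.getPassword()));
    }
}
```

Two caveats worth keeping in mind when making this change in a real code base: the field type alone does not help if some call site does `new String(password)` or `String.valueOf(password)` on the way to an API, since that creates exactly the immutable copy the change is meant to avoid; and `System.out.println(char[])` and `String.valueOf(char[])` do print the characters, so the protection in toString() comes from string concatenation using Object.toString(), not from char[] being inherently unprintable.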