Tracking here: https://issues.apache.org/jira/browse/LOG4J2-1896
Gary

On Fri, May 5, 2017 at 12:46 PM, Matt Sicker <boa...@gmail.com> wrote:
> I agree with using char[] for this due to the overwriting of contents that
> Remko explained. Here's a neat Stack Overflow post to back us up:
> https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
>
> On 5 May 2017 at 04:50, Remko Popma <remko.po...@gmail.com> wrote:
> >
> > String objects containing a password stay resident in memory even after
> > being garbage collected and can be obtained by reading the memory from an
> > external process.
> >
> > char [] arrays are mutable so their content can be nulled out after
> > authentication is complete. This is not possible with String objects.
> >
> > (Shameless plug) Every java main() method deserves http://picocli.info
> >
> > > On May 5, 2017, at 17:35, Mikael Ståldal <mikael.stal...@magine.com> wrote:
> > >
> > > OK.
> > >
> > > On Fri, May 5, 2017 at 10:33 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> > >
> > > > Subclasses can still make the same mistake as long as it is a String. It is
> > > > just something I consider good practice.
> > > >
> > > > Gary
> > > >
> > > > On May 5, 2017 1:30 AM, "Mikael Ståldal" <mikael.stal...@magine.com> wrote:
> > > >
> > > > > What about a custom implementation of StoreConfiguration.toString which
> > > > > does not include the password?
> > > > >
> > > > > On Fri, May 5, 2017 at 10:28 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> > > > >
> > > > > > Usually toString on an object that includes a password String can end up
> > > > > > in places like logs that it should not be. A char[] toString does not
> > > > > > display its contents.
> > > > > >
> > > > > > Gary
> > > > > >
> > > > > > On May 5, 2017 12:41 AM, "Mikael Ståldal" <mikael.stal...@magine.com> wrote:
> > > > > >
> > > > > > > What are those security reasons?
> > > > > > >
> > > > > > > On Fri, May 5, 2017 at 2:06 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I think I'd like to change the type
> > > > > > > > of org.apache.logging.log4j.core.net.ssl.StoreConfiguration.password from
> > > > > > > > String to char[] for the usual security reason.
> > > > > > > >
> > > > > > > > Thoughts?
> > > > > > > >
> > > > > > > > Gary
> > > > > > > >
> > > > > > > > --
> > > > > > > > E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
> > > > > > > > Java Persistence with Hibernate, Second Edition
> > > > > > > > <https://www.amazon.com/gp/product/1617290459/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1617290459&linkCode=as2&tag=garygregory-20&linkId=cadb800f39946ec62ea2b1af9fe6a2b8>
> > > > > > > > JUnit in Action, Second Edition
> > > > > > > > <https://www.amazon.com/gp/product/1935182021/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182021&linkCode=as2&tag=garygregory-20&linkId=31ecd1f6b6d1eaf8886ac902a24de418%22>
> > > > > > > > Spring Batch in Action
> > > > > > > > <https://www.amazon.com/gp/product/1935182951/ref=as_li_tl?ie=UTF8&camp=1789&creative=9325&creativeASIN=1935182951&linkCode=%7B%7BlinkCode%7D%7D&tag=garygregory-20&linkId=%7B%7Blink_id%7D%7D%22%3ESpring+Batch+in+Action>
> > > > > > > > Blog: http://garygregory.wordpress.com
> > > > > > > > Home: http://garygregory.com/
> > > > > > > > Tweet! http://twitter.com/GaryGregory
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > *Mikael Ståldal*
> > > > > > > Senior software developer
> > > > > > >
> > > > > > > *Magine TV*
> > > > > > > mikael.stal...@magine.com
> > > > > > > Grev Turegatan 3 | 114 46 Stockholm, Sweden | www.magine.com
> > > > > > >
> > > > > > > Privileged and/or Confidential Information may be contained in this
> > > > > > > message. If you are not the addressee indicated in this message
> > > > > > > (or responsible for delivery of the message to such a person), you may not
> > > > > > > copy or deliver this message to anyone. In such case,
> > > > > > > you should destroy this message and kindly notify the sender by reply
> > > > > > > email.
>
> --
> Matt Sicker <boa...@gmail.com>
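An added illustration of the two points the thread makes (it is not Log4j's own code; the class names are hypothetical stand-ins for StoreConfiguration): a holder whose toString() prints a String password verbatim, beside a char[] version whose default toString() shows only an identity string, whose explicit toString() omits the field, and whose contents can be wiped once the store has been loaded.

```java
import java.util.Arrays;

// Hypothetical stand-in for a TLS store configuration, not Log4j's StoreConfiguration.
public final class StoreConfigurationExample {

    // The shape under discussion: an immutable String password that any
    // toString()-style dump (e.g. a debug log line) reproduces verbatim.
    static final class StringStore {
        final String location;
        final String password;
        StringStore(String location, String password) {
            this.location = location;
            this.password = password;
        }
        @Override public String toString() {
            return "StringStore[location=" + location + ", password=" + password + "]";
        }
    }

    // The proposed shape: char[] is what KeyStore.load(InputStream, char[]) wants,
    // it can be zeroed after use, and string concatenation of a char[] yields an
    // identity string such as [C@1b6d3586 rather than the characters.
    static final class CharArrayStore {
        final String location;
        private final char[] password;
        CharArrayStore(String location, char[] password) {
            this.location = location;
            this.password = password.clone(); // private copy; caller may wipe its own
        }
        char[] getPasswordAsCharArray() { return password; }
        // Overwrite the secret once authentication is complete (Remko's point).
        void clearPassword() { Arrays.fill(password, '\0'); }
        @Override public String toString() {
            // Explicitly omit the password (Mikael's suggestion), regardless of type.
            return "CharArrayStore[location=" + location + ", password=<omitted>]";
        }
    }

    public static void main(String[] args) {
        System.out.println(new StringStore("/path/to/keystore.p12", "hunter2")); // leaks hunter2
        // Constructed sample value; real code would take the char[] from
        // Console.readPassword() so that no String copy is ever created.
        char[] secret = "hunter2".toCharArray();
        CharArrayStore store = new CharArrayStore("/path/to/keystore.p12", secret);
        System.out.println(store);                                      // password=<omitted>
        System.out.println("raw field: " + store.getPasswordAsCharArray()); // [C@..., not the chars
        store.clearPassword();
        Arrays.fill(secret, '\0');                                      // wipe the caller's copy too
        System.out.println(Arrays.toString(store.getPasswordAsCharArray())); // all NUL characters
    }
}
```

Note that PrintStream.println(char[]) is an overload that does print the characters, so the non-leaking behaviour holds for concatenation and Object.toString(), not for every API that accepts a char[].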