[
https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999942#comment-15999942
]
Remko Popma edited comment on LOG4J2-1896 at 5/7/17 4:57 PM:
-------------------------------------------------------------
LOG4J2-1898 is about the builder pattern. I am not really concerned about
replacing constructors with builders.
From a user perspective, the ticket description says "The goal is to reduce
the security risk of using a String for a password", but the risk has not been
reduced so I would not mention the changes just yet.
We could technically close this ticket if the {{StoreConfiguration}}
constructor was modified to take a char[] instead of a String, but it might
cause misunderstandings if we report progress when the problem is not yet
resolved. It's probably better to increase the scope of this ticket to also
cover the other XXXStoreConfigurations and nulling out the memory when done.
was (Author: [email protected]):
LOG4J2-1898 is about the builder pattern. I am not really concerned about
replacing constructors with builders.
From a user perspective, the ticket description says "The goal is to reduce
the security risk of using a String for a password", but the risk has not been
reduced so I would not mention the changes just yet.
We could technically close this ticket if the {{StoreConfiguration}}
constructor took a char[] instead of a String, but it might cause
misunderstandings if we report progress when the problem is not yet resolved.
It's probably better to increase the scope of this ticket to also cover the
other XXXStoreConfigurations and nulling out the memory when done.
> Update org.apache.logging.log4j.core.net.ssl.StoreConfiguration from a String
> to char[] to represent its password
> -----------------------------------------------------------------------------------------------------------------
>
> Key: LOG4J2-1896
> URL: https://issues.apache.org/jira/browse/LOG4J2-1896
> Project: Log4j 2
> Issue Type: Improvement
> Components: Configurators
> Reporter: Gary Gregory
> Assignee: Gary Gregory
> Fix For: 2.9
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a
> {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See
> https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
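As an added illustration of the change the ticket asks for (this is not Log4j's code; `ExampleStoreConfiguration`, its methods and the sample values are hypothetical), a store configuration that takes the password as `char[]`, never converts it to a `String`, and overwrites both its own copy and the caller's once the store is loaded:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical class, not the real Log4j StoreConfiguration. A String
// password is immutable and stays in the heap until garbage collection;
// a char[] can be overwritten as soon as the store has been loaded.
public final class ExampleStoreConfiguration {
    private final String location;
    private final char[] password; // owned copy, wiped by clearSecrets()

    public ExampleStoreConfiguration(String location, char[] password) {
        this.location = location;
        // Defensive copy so the caller can wipe its own array immediately.
        this.password = password == null ? null : password.clone();
    }

    // The password is handed to KeyStore.load as char[]; no String copy
    // of it is ever created on this path.
    public KeyStore load() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(location)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Overwrite the password characters once they are no longer needed.
    public void clearSecrets() {
        if (password != null) {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value. A real caller should obtain the chars from
        // Console.readPassword() or a char[]-based config source: a String
        // literal like this one stays in the constant pool and cannot be wiped.
        char[] pw = "changeit".toCharArray();
        String store = args.length > 0 ? args[0] : "keystore.jks"; // sample path
        ExampleStoreConfiguration cfg = new ExampleStoreConfiguration(store, pw);
        Arrays.fill(pw, '\0'); // caller wipes its copy right after handing it over
        try {
            KeyStore ks = cfg.load();
            System.out.println("loaded " + ks.size() + " entries");
        } finally {
            cfg.clearSecrets(); // wipe the configuration's copy when done
        }
    }
}
```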