[
https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16178460#comment-16178460
]
Remko Popma commented on LOG4J2-1896:
-------------------------------------
(Note to self, still looking into this) Useful links:
*
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
*
http://docs.oracle.com/javase/7/docs/api/index.html?javax/net/ssl/KeyStoreBuilderParameters.html
*
http://docs.oracle.com/javase/7/docs/api/index.html?java/security/KeyStore.ProtectionParameter.html
(this has both a PasswordProtection and a CallbackHandlerProtection
implementation, the latter can be used in Kerberos login modules
http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
)
> Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String
> to char[] for passwords
> ---------------------------------------------------------------------------------------------------
>
> Key: LOG4J2-1896
> URL: https://issues.apache.org/jira/browse/LOG4J2-1896
> Project: Log4j 2
> Issue Type: Improvement
> Components: Configurators
> Reporter: Gary Gregory
> Assignee: Remko Popma
> Fix For: 2.10.0
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a
> {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See
> https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
