[ https://issues.apache.org/jira/browse/SHIRO-539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019684#comment-17019684 ]

Benjamin Marwell commented on SHIRO-539:
----------------------------------------

I think this is what https://issues.apache.org/jira/browse/SHIRO-349 wants to 
fix.

> User passwords visible in JVM as String
> ---------------------------------------
>
>                 Key: SHIRO-539
>                 URL: https://issues.apache.org/jira/browse/SHIRO-539
>             Project: Shiro
>          Issue Type: Brainstorming
>          Components: Authentication (log-in), Authorization (access control) 
>    Affects Versions: 1.2.4
>            Reporter: burak sarac
>            Priority: Minor
>              Labels: features, security
>
> 1-Run a web application server configured with Shiro.ini
> 2-take a memory dump
> 3-parse memory dump using eclipse memory analyzer
> 4-Open Object query tab
> 5- Execute 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo' 
> statement
> 6-As you will see in attachment user password is in human readable format.
> Didn't test it yet but using char array instead of string and after zero 
> filling and then forcing gc can help I think. I wasn't sure that this is a 
> valid issue so I raise the ticket under brainstorming. thank you



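As an added illustration of the char[] plus zero-fill idea suggested in the ticket (this is neither the ticket's nor Shiro's code; the class ZeroingPassword and its methods are hypothetical), the following keeps the password in a char[] and wipes every copy it makes, so no immutable String copy is left in the heap for a dump to find:

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Hypothetical helper for this thread, not Shiro code: keeps a password in a
// char[] and zero-fills every copy it makes, so no immutable String copy is
// left in the heap for a memory dump to find.
public final class ZeroingPassword implements AutoCloseable {
    private final char[] chars;
    private boolean cleared;
    // Takes ownership of the array; the caller must not reuse it.
    public ZeroingPassword(char[] chars) {
        this.chars = chars;
    }
    // SHA-256 of the UTF-8 password bytes, computed without creating a String.
    // SHA-256 stands in for whatever credentials matcher the realm really uses.
    public byte[] sha256() throws NoSuchAlgorithmException {
        if (cleared) {
            throw new IllegalStateException("password already wiped");
        }
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        try {
            return MessageDigest.getInstance("SHA-256").digest(bytes);
        } finally {
            Arrays.fill(bytes, (byte) 0);           // wipe our copy
            Arrays.fill(encoded.array(), (byte) 0); // wipe the encoder's backing array
        }
    }
    // Zero-fills the password so it does not outlive the authentication attempt.
    @Override
    public void close() {
        Arrays.fill(chars, '\0');
        cleared = true;
    }
    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Production code should read the password via System.console().readPassword(),
        // which returns a char[] without ever forming a String. A literal is used here
        // only so the example runs headless; that literal itself stays in the string pool.
        char[] input = "constructed-example-password".toCharArray();
        try (ZeroingPassword pw = new ZeroingPassword(input)) {
            System.out.printf("digest length %d bytes%n", pw.sha256().length);
        }
        System.out.println("wiped: " + (input[0] == '\0'));
    }
}
```

Note that this only protects the copy the application controls: a realm that stores credentials as a String, or a framework that converts the char[] to a String internally, still leaves a readable copy until the garbage collector reclaims it.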
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
