On Thu, 21 Apr 2022 06:55:22 GMT, Xue-Lei Andrew Fan <[email protected]> wrote:
>> Please review this password cleanup enhancement in the PasswordCallback
>> implementation. This is one of the efforts to clean up the buffered
>> passwords.
>>
>> The PasswordCallback.setPassword() clones the password, but is not
>> registered for cleanup. An application could call clearPassword() for the
>> purpose, but it would be nice to clean up the buffer as well if
>> clearPassword() was not called in an application. And, if the setPassword()
>> gets called multiple times, the clearPassword() should also be called the
>> same number of times if not relying on finalization. It could be fragile in practice.
>
> Xue-Lei Andrew Fan has updated the pull request incrementally with one
> additional commit since the last revision:
>
> Code clean up per feedback

test/jdk/javax/security/auth/callback/PasswordCleanup.java line 58:

> 56: }
> 57:
> 58: private static void clearWithMethod() throws Exception {

This looks like the exact same test as `clearAtCollection`.

test/jdk/javax/security/auth/callback/PasswordCleanup.java line 74:

> 72: }
> 73:
> 74: private static void checkClearing() throws Exception {

How is this test testing that the password is cleared?

test/jdk/javax/security/auth/callback/PasswordCleanup.java line 83:

> 81: // Check if the object has been collected.
> 82: if (weakHashMap.size() > 0) {
> 83: throw new RuntimeException("GSSName object is not released");

Did you mean to say "PasswordCallback object is not released"?

-------------
PR: https://git.openjdk.java.net/jdk/pull/8272
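
The caller-side cleanup that the pull request summary describes, as an added example that is not part of the original message or of the JDK sources: it shows that wiping the caller's array does not touch the clone held by the callback, and pairs every setPassword() with a clearPassword(). The class name `PasswordCallbackHygiene`, the helper `replacePassword` and the sample passwords are assumptions made for illustration.

```java
import java.util.Arrays;
import javax.security.auth.callback.PasswordCallback;

public class PasswordCallbackHygiene {

    // Hypothetical helper: clear the buffered copy before replacing it, so
    // every setPassword() is paired with a clearPassword().
    static void replacePassword(PasswordCallback cb, char[] password) {
        cb.clearPassword();
        cb.setPassword(password);
    }

    public static void main(String[] args) {
        char[] typed = {'d', 'e', 'm', 'o', '-', 'p', 'w'}; // constructed sample
        char[] expected = typed.clone();                    // demo comparison only
        PasswordCallback cb = new PasswordCallback("Password: ", false);
        try {
            cb.setPassword(typed);          // the callback stores its own clone
            Arrays.fill(typed, '\0');       // wipes only the caller's array

            char[] view = cb.getPassword(); // another copy, also the caller's to wipe
            System.out.println("callback copy survives caller wipe: "
                    + Arrays.equals(view, expected));
            Arrays.fill(view, '\0');

            char[] next = {'d', 'e', 'm', 'o', '-', '2'};   // constructed sample
            replacePassword(cb, next);      // clears the old copy, then stores a new one
            Arrays.fill(next, '\0');
        } finally {
            cb.clearPassword();             // wipe the callback's buffered copy
            Arrays.fill(expected, '\0');
        }
        char[] after = cb.getPassword();
        System.out.println("callback copy wiped after clearPassword(): "
                + !Arrays.equals(after, new char[] {'d', 'e', 'm', 'o', '-', '2'}));
    }
}
```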