Posted to dev@hc.apache.org by "John Karp (JIRA)" <ji...@apache.org> on 2011/06/29 00:13:28 UTC

[jira] [Created] (HTTPCLIENT-1106) Use character arrays for passwords in Credentials objects, not Strings

Use character arrays for passwords in Credentials objects, not Strings
----------------------------------------------------------------------

                 Key: HTTPCLIENT-1106
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1106
             Project: HttpComponents HttpClient
          Issue Type: Improvement
          Components: HttpAuth
    Affects Versions: 4.1.1
            Reporter: John Karp
            Priority: Minor


It's fairly conventional to use char[] to represent passwords in Java, because using Strings can present security issues:

http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html
http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


[jira] [Commented] (HTTPCLIENT-1106) Use character arrays for passwords in Credentials objects, not Strings

Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13429146#comment-13429146 ] 

Gary D. Gregory commented on HTTPCLIENT-1106:
---------------------------------------------

+1, I use char[] "at work" for our credentials APIs.
                
> Use character arrays for passwords in Credentials objects, not Strings
> ----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1106
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1106
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpAuth
>    Affects Versions: 4.1.1
>            Reporter: John Karp
>             Fix For: Future
>
>
> Its fairly conventional to use char[] to represent passwords in Java, because using Strings can present security issues:
> http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html
> http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx



[jira] [Updated] (HTTPCLIENT-1106) Use character arrays for passwords in Credentials objects, not Strings

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1106:
------------------------------------------

         Priority: Major  (was: Minor)
    Fix Version/s: Future

John

I am not a security expert by any stretch of the imagination, but I think that, while the premise of the article is correct, in practical terms char[] passwords are potentially more secure than String only if (1) they never get converted to a String in the process of building HTTP messages and (2) they are zeroed out after usage. Otherwise there is simply no difference. While the first issue can be solved (HttpCore does not use Strings internally as elements of an HTTP message), I see no solution to the second issue. HttpClient can't just pop up a UI dialogue to make the user type in the password every time server authentication is required. Credentials need to be stored in memory for the duration of an HTTP session, and HttpClient has no way of knowing when credentials are no longer needed and can be discarded.

Having said all that, it does make sense to change the Credentials interface to use char[] instead of String, thus giving users an opportunity to employ a safer custom implementation of CredentialsProvider. However, the earliest opportunity to do so would be 5.0.

Oleg

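To illustrate the two conditions Oleg lists, here is an added example (my own code, not HttpClient's Credentials or CredentialsProvider API): a hypothetical char[]-backed credentials class that builds a Basic Authorization header value as bytes without ever creating a password String, wipes every intermediate buffer, and leaves the final zeroing to the owner, who alone knows when the session ends. The class and method names are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical char[]-backed credentials; class and method names are my own,
// not HttpClient's Credentials/CredentialsProvider API.
public final class CharArrayCredentials implements AutoCloseable {
    private final String user;
    private final char[] password; // private copy, so this object controls its lifetime
    public CharArrayCredentials(String user, char[] password) {
        this.user = user;
        this.password = password.clone();
    }
    // Condition (1): build "Basic base64(user:password)" as bytes without ever
    // materialising the password as a String; every intermediate buffer is wiped.
    public byte[] basicAuthHeaderValue() {
        CharBuffer chars = CharBuffer.allocate(user.length() + 1 + password.length);
        chars.put(user).put(':').put(password);
        chars.flip();
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(chars);
        byte[] raw = new byte[utf8.remaining()];
        utf8.get(raw);
        byte[] b64 = Base64.getEncoder().encode(raw);
        byte[] prefix = "Basic ".getBytes(StandardCharsets.US_ASCII);
        byte[] out = Arrays.copyOf(prefix, prefix.length + b64.length);
        System.arraycopy(b64, 0, out, prefix.length, b64.length);
        Arrays.fill(chars.array(), '\0');                       // user:password chars
        if (utf8.hasArray()) Arrays.fill(utf8.array(), (byte) 0); // encoder's backing array
        Arrays.fill(raw, (byte) 0);
        Arrays.fill(b64, (byte) 0);
        return out; // still secret (base64 is reversible): caller wipes it after writing the header
    }
    // Condition (2): HttpClient cannot know when the session is over, so the owner
    // zeroes the password explicitly, here via try-with-resources.
    public void close() {
        Arrays.fill(password, '\0');
    }
    public static void main(String[] args) {
        char[] pw = {'s', '3', 'c', 'r', 'e', 't'}; // constructed sample password
        try (CharArrayCredentials creds = new CharArrayCredentials("alice", pw)) {
            byte[] header = creds.basicAuthHeaderValue();
            System.out.println("header bytes: " + header.length); // never turn it into a String
            Arrays.fill(header, (byte) 0);
        }
        Arrays.fill(pw, '\0'); // the caller's original array is a separate copy; wipe it too
    }
}
```

Even with all of this, the password bytes still exist on the wire buffer and in any copies the JVM or GC made, so the class narrows the window rather than eliminating it, which is the point of Oleg's "otherwise there is simply no difference".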
