Posted to dev@shiro.apache.org by "burak sarac (JIRA)" <ji...@apache.org> on 2015/08/14 15:38:45 UTC
[jira] [Created] (SHIRO-539) User passwords visible in JVM as String
burak sarac created SHIRO-539:
---------------------------------
Summary: User passwords visible in JVM as String
Key: SHIRO-539
URL: https://issues.apache.org/jira/browse/SHIRO-539
Project: Shiro
Issue Type: Brainstorming
Components: Authentication (log-in), Authorization (access control)
Affects Versions: 1.2.4
Reporter: burak sarac
Priority: Minor
1-Run a web application server configured with shiro.ini
2-Take a memory dump
3-Parse the memory dump using Eclipse Memory Analyzer
4-Open the Object Query tab
5-Execute the statement 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo'
6-As you will see in the attachment, the user password is in human-readable format.
Didn't test it yet, but using a char array instead of a String, then zero-filling it and forcing GC, can help, I think. I wasn't sure that this is a valid issue, so I raised the ticket under Brainstorming. Thank you.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
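The mitigation sketched in the ticket (carry the password as a char[] and zero-fill it once it has been used), as an added illustration that is not Shiro code and not part of the original message. The CredentialChecker interface and the authenticate/toUtf8 helpers are hypothetical stand-ins for a realm's credential matching; plain SHA-256 is used only so the example has no dependencies, and the sample password is constructed for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Added illustration (hypothetical, not Shiro code): a submitted password is
 * handled as a char[] that is zero-filled as soon as it has been consumed,
 * instead of as an immutable String that stays readable in a heap dump until
 * the collector happens to reclaim it.
 */
public final class PasswordHandling {

    /** Hypothetical stand-in for a realm's credential comparison. */
    interface CredentialChecker {
        boolean matches(byte[] hash);
    }

    /**
     * Hashes the password and wipes every intermediate buffer in a finally
     * block, so a heap dump taken afterwards holds zeros where the secret was.
     * Plain SHA-256 keeps the example dependency-free; a real deployment would
     * use a salted, iterated hash.
     */
    public static boolean authenticate(char[] password, CredentialChecker checker) {
        byte[] utf8 = null;
        byte[] digest = null;
        try {
            utf8 = toUtf8(password); // char[] -> byte[] without ever creating a String
            digest = MessageDigest.getInstance("SHA-256").digest(utf8);
            return checker.matches(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        } finally {
            // Best-effort wipe; a String could not be cleared like this.
            if (utf8 != null) Arrays.fill(utf8, (byte) 0);
            if (digest != null) Arrays.fill(digest, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }

    /** Encodes chars to UTF-8 and clears the encoder's backing array afterwards. */
    static byte[] toUtf8(char[] chars) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0);
        return out;
    }

    /** True when every element of the buffer has been zeroed. */
    static boolean isWiped(char[] chars) {
        for (char c : chars) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the stored hash a realm would hold for the demo password.
        // (The String literal here exists only to build the sample; real input should
        // arrive as char[] so no String copy of the secret is ever created.)
        byte[] expected = MessageDigest.getInstance("SHA-256")
                .digest("correct horse".getBytes(StandardCharsets.UTF_8));
        char[] submitted = "correct horse".toCharArray();

        boolean ok = authenticate(submitted, hash -> MessageDigest.isEqual(hash, expected));
        System.out.println("authenticated: " + ok);
        System.out.println("submitted buffer wiped: " + isWiped(submitted));
    }
}
```

Two caveats a practitioner would attach to this: the wipe only helps if no String copy of the secret was created upstream (for example by a servlet API that returns request parameters as String), and forcing GC does not erase anything, since the collector frees memory without zeroing it and a copying collector may leave stale duplicates behind. Shiro's own UsernamePasswordToken already accepts the password as a char[] and its clear() method zeroes that array, so the remaining question raised by the ticket is what the realm stores in SimpleAuthenticationInfo afterwards.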