Posted to dev@shiro.apache.org by "burak sarac (JIRA)" <ji...@apache.org> on 2015/08/14 15:38:45 UTC

[jira] [Created] (SHIRO-539) User passwords visible in JVM as String

burak sarac created SHIRO-539:
---------------------------------

             Summary: User passwords visible in JVM as String
                 Key: SHIRO-539
                 URL: https://issues.apache.org/jira/browse/SHIRO-539
             Project: Shiro
          Issue Type: Brainstorming
          Components: Authentication (log-in), Authorization (access control) 
    Affects Versions: 1.2.4
            Reporter: burak sarac
            Priority: Minor


1-Run a web application server configured with Shiro.ini
2-Take a memory dump
3-Parse the memory dump using Eclipse Memory Analyzer
4-Open the Object Query tab
5-Execute the 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo' statement
6-As you will see in the attachment, the user password is in human-readable format.

Didn't test it yet, but using a char array instead of a string and, after zero filling, forcing GC can help I think. I wasn't sure that this is a valid issue, so I raised the ticket under brainstorming. Thank you.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
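As an added illustration of the char-array approach the ticket floats (example code, not Shiro's own; the class name and the sample characters are constructed), a credential holder whose backing array is zeroed once it is no longer needed:

```java
import java.util.Arrays;

// Added example, not Shiro code: a credential held as char[] so the plaintext
// can be overwritten once it is no longer needed. A java.lang.String is
// immutable and cannot be wiped; it stays readable in a heap dump until the
// collector reuses that space, which is what the ticket observed.
public final class WipeableCredential implements AutoCloseable {
    private final char[] secret;
    private boolean wiped;

    public WipeableCredential(char[] secret) {
        this.secret = secret.clone(); // defensive copy; both copies get wiped
    }

    /** Constant-time comparison; never builds a String from either side. */
    public boolean matches(char[] candidate) {
        if (wiped) throw new IllegalStateException("credential already wiped");
        int diff = secret.length ^ candidate.length;
        for (int i = 0; i < Math.min(secret.length, candidate.length); i++) {
            diff |= secret[i] ^ candidate[i];
        }
        return diff == 0;
    }

    public boolean isWiped() { return wiped; }

    /** Overwrite in place. Forcing GC would not do this: GC only reclaims. */
    @Override
    public void close() {
        Arrays.fill(secret, '\0');
        wiped = true;
    }

    public static void main(String[] args) {
        // Constructed sample, built char by char on purpose: a "..." literal
        // would itself be an interned String that no code can wipe. Real code
        // should obtain secrets as char[] (e.g. Console.readPassword()).
        char[] fromConfig = {'s', '3', 'c', 'r', 'e', 't'};
        char[] attempt = {'s', '3', 'c', 'r', 'e', 't'};
        boolean ok;
        try (WipeableCredential cred = new WipeableCredential(fromConfig)) {
            ok = cred.matches(attempt);
        }
        Arrays.fill(fromConfig, '\0'); // caller wipes its own copies too
        Arrays.fill(attempt, '\0');
        System.out.println("matched=" + ok + " sourceWiped=" + (fromConfig[0] == '\0'));
    }
}
```

Even a char[] can leave copies behind (the JVM may relocate objects during compaction, and any String ever built from the array is out of reach), so wiping narrows the exposure window in a heap dump rather than closing it.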