Posted to dev@logging.apache.org by "Remko Popma (JIRA)" <ji...@apache.org> on 2017/09/23 17:45:00 UTC

[jira] [Comment Edited] (LOG4J2-1896) Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String to char[] for passwords

    [ https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16177908#comment-16177908 ] 

Remko Popma edited comment on LOG4J2-1896 at 9/23/17 5:44 PM:
--------------------------------------------------------------

The various StoreConfiguration classes now get a reference to a PasswordProvider instead of a {{char[]}} password.

The PasswordProvider's {{getPassword()}} method may be called multiple times as needed, so the caller does not need to (and should not) keep the password data in memory for longer than absolutely necessary. Users of this class now erase the password array immediately when authentication is complete and the password data is no longer needed.

I created LOG4J2-2054 for the next weak point: currently the TrustStore/KeyStore passwords need to be specified in plain text in the log4j2 configuration.


was (Author: remkop@yahoo.com):
The various StoreConfiguration classes now get a reference to a PasswordProvider instead of a {{char[]}} password.

The PasswordProvider's {{getPassword()}} method may be called multiple times as needed, so the caller does not need to (and *should not*) keep the password data in memory for longer than absolutely necessary. Users of this class now erase the password array immediately when authentication is complete and the password data is no longer needed.

I created LOG4J2-2054 for the next weak point: currently the TrustStore/KeyStore passwords need to be specified in plain text in the log4j2 configuration.

> Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String to char[] for passwords
> ---------------------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-1896
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1896
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>            Reporter: Gary Gregory
>            Assignee: Remko Popma
>             Fix For: 2.10.0
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
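The pattern the comment describes, as an added illustration that is not Log4j's own code: a provider hands out a fresh `char[]` on every call, and each caller erases its copy in a `finally` block as soon as the keystore operation has used it, so no caller holds the password longer than the operation itself. The names `PasswordProvider`, `MemoryPasswordProvider`, `createStore` and `loadStore` are hypothetical, and the keystore contents and password are constructed sample data; the point of using the password twice (store, then load) is to show why `getPassword()` may be called repeatedly instead of being cached.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Arrays;

// Added illustration of the pattern from the comment above. The class and
// interface names here are hypothetical and are not Log4j's own classes.
public class PasswordProviderDemo {

    /** Supplies a fresh copy of the password on each call; the caller owns and erases that copy. */
    interface PasswordProvider {
        char[] getPassword();
    }

    /** Simplest provider: keeps one master copy and hands out clones. */
    static final class MemoryPasswordProvider implements PasswordProvider {
        private final char[] password;

        MemoryPasswordProvider(char[] password) {
            this.password = password.clone();
        }

        @Override
        public char[] getPassword() {
            return password.clone();
        }

        /** Erase the master copy once the provider itself is no longer needed. */
        void clear() {
            Arrays.fill(password, '\0');
        }
    }

    /** Serializes an empty PKCS12 store protected by the provider's password (constructed sample). */
    static byte[] createStore(PasswordProvider provider) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start with an empty store
        char[] pw = provider.getPassword();
        try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            ks.store(out, pw);
            return out.toByteArray();
        } finally {
            Arrays.fill(pw, '\0'); // erase as soon as the store operation is done
        }
    }

    /** Loads the store back, asking the provider again rather than caching the password. */
    static KeyStore loadStore(byte[] bytes, PasswordProvider provider) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] pw = provider.getPassword();
        try (ByteArrayInputStream in = new ByteArrayInputStream(bytes)) {
            ks.load(in, pw);
        } finally {
            Arrays.fill(pw, '\0'); // erase immediately after the load completes
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] secret = "constructed-sample-password".toCharArray(); // constructed sample value
        MemoryPasswordProvider provider = new MemoryPasswordProvider(secret);
        Arrays.fill(secret, '\0'); // the provider holds its own copy, so the original can go

        byte[] stored = createStore(provider);
        KeyStore loaded = loadStore(stored, provider);
        System.out.println("Loaded store with " + loaded.size()
                + " entries; each password copy was erased right after use.");
        provider.clear();
    }
}
```

A `String` cannot be erased this way: it is immutable and stays in the heap until garbage collection, which is the risk the issue description links to. Using a `char[]` only helps if every holder actually zeroes it, which is why the erase sits in `finally` rather than after the normal return path.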



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)