Posted to dev@shiro.apache.org by "Benjamin Marwell (Jira)" <ji...@apache.org> on 2020/01/20 18:50:00 UTC

[jira] [Commented] (SHIRO-539) User passwords visible in JVM as String

    [ https://issues.apache.org/jira/browse/SHIRO-539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019684#comment-17019684 ] 

Benjamin Marwell commented on SHIRO-539:
----------------------------------------

I think this is what https://issues.apache.org/jira/browse/SHIRO-349 wants to fix.

> User passwords visible in JVM as String
> ---------------------------------------
>
>                 Key: SHIRO-539
>                 URL: https://issues.apache.org/jira/browse/SHIRO-539
>             Project: Shiro
>          Issue Type: Brainstorming
>          Components: Authentication (log-in), Authorization (access control) 
>    Affects Versions: 1.2.4
>            Reporter: burak sarac
>            Priority: Minor
>              Labels: features, security
>
> 1. Run a web application server configured with Shiro.ini
> 2. Take a memory dump
> 3. Parse the memory dump using Eclipse Memory Analyzer
> 4. Open the Object Query tab
> 5. Execute the 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo' statement
> 6. As you will see in the attachment, the user password is in human-readable format.
> Didn't test it yet, but using a char array instead of a String and then zero-filling and forcing GC can help, I think. I wasn't sure that this is a valid issue, so I raised the ticket under Brainstorming. Thank you.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
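The mitigation the reporter sketches (hold the secret in a char[] and zero-fill it once it is no longer needed) in working form, as an added illustration that is not Shiro code and not part of the ticket or the thread. The class name, the PBKDF2 parameters and the sample password are assumptions chosen for this example. It relies on javax.crypto's PBEKeySpec, which takes a char[] rather than a String for exactly the reason this ticket raises, and which exposes clearPassword() to wipe its internal copy.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hypothetical credential handling for the weakness described in SHIRO-539:
 * keep the password in a char[] that is zero-filled as soon as a hash has been
 * derived from it, instead of in an immutable String that stays readable on
 * the heap until the garbage collector happens to reclaim it.
 */
public final class CharArrayCredential {

    // Assumed parameters for the example, not values from the ticket.
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;

    private CharArrayCredential() {}

    /**
     * Derives a PBKDF2-HMAC-SHA256 hash from the password and wipes both the
     * caller's char[] and PBEKeySpec's internal copy before returning.
     */
    public static byte[] hashAndWipe(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();         // zeroes the copy PBEKeySpec made
            Arrays.fill(password, '\0');  // zeroes the caller's array
        }
    }

    /** True once every element of the array has been zero-filled. */
    public static boolean isWiped(char[] buffer) {
        for (char c : buffer) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. Note that toCharArray() on a literal leaves
        // the String itself on the heap; in a real application the char[] should
        // come from Console.readPassword() or be filled directly from the input
        // stream so that no String copy is created in the first place.
        char[] password = "correct horse battery staple".toCharArray();
        byte[] salt = newSalt();

        byte[] hash = hashAndWipe(password, salt);

        System.out.println("hash : " + Base64.getEncoder().encodeToString(hash));
        System.out.println("salt : " + Base64.getEncoder().encodeToString(salt));
        // A heap dump taken now would show only NUL characters in this array.
        System.out.println("wiped: " + isWiped(password));
    }
}
```

Two caveats a practitioner would want alongside this pattern. First, it only shortens the exposure window: if the password has already arrived as a String (for example through a servlet request parameter), that copy remains on the heap regardless of what happens to the char[] afterwards, which is why the ticket's approach needs to be applied from the point where the credential enters the JVM. Second, zero-filling does not prevent the GC from having already moved the object, leaving a stale copy in a previously occupied region; it is a reduction in risk rather than a guarantee, and the heap-dump check from the ticket's reproduction steps is the right way to verify what actually remains.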