Posted to dev@shiro.apache.org by "Benjamin Marwell (Jira)" <ji...@apache.org> on 2020/01/20 18:50:00 UTC
[jira] [Commented] (SHIRO-539) User passwords visible in JVM as String
[ https://issues.apache.org/jira/browse/SHIRO-539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019684#comment-17019684 ]
Benjamin Marwell commented on SHIRO-539:
----------------------------------------
I think this is what https://issues.apache.org/jira/browse/SHIRO-349 wants to fix.
> User passwords visible in JVM as String
> ---------------------------------------
>
> Key: SHIRO-539
> URL: https://issues.apache.org/jira/browse/SHIRO-539
> Project: Shiro
> Issue Type: Brainstorming
> Components: Authentication (log-in), Authorization (access control)
> Affects Versions: 1.2.4
> Reporter: burak sarac
> Priority: Minor
> Labels: features, security
>
> 1. Run a web application server configured with Shiro.ini
> 2. Take a memory dump
> 3. Parse the memory dump using Eclipse Memory Analyzer
> 4. Open the Object query tab
> 5. Execute the 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo' statement
> 6. As you will see in the attachment, the user password is in human-readable format.
> Didn't test it yet, but using a char array instead of a string and, after zero filling, then forcing GC can help I think. I wasn't sure that this is a valid issue, so I raised the ticket under brainstorming. Thank you.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
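The char[] mitigation the reporter suggests, as an added example that is not Shiro's own code: the password is held in a mutable buffer, compared in constant time, and zeroed in a finally block so a later heap dump sees only zeros. The class and method names are assumptions for illustration; the sample values are constructed.

```java
import java.util.Arrays;

/**
 * Added example (not Shiro code): keep a credential in a char[] that can be
 * wiped after use, rather than in an immutable String that lingers on the heap
 * until the garbage collector reclaims it and may still show up in a heap dump.
 */
public final class SecretHandling {

    /** Hypothetical check; stands in for whatever credential comparison the app performs. */
    public static boolean checkAgainstStored(char[] supplied, char[] expected) {
        // Constant-time comparison so neither length nor matching prefix leaks via timing.
        int result = supplied.length ^ expected.length;
        int n = Math.min(supplied.length, expected.length);
        for (int i = 0; i < n; i++) {
            result |= supplied[i] ^ expected[i];
        }
        return result == 0;
    }

    public static boolean authenticate(char[] password, char[] expected) {
        try {
            return checkAgainstStored(password, expected);
        } finally {
            // Wipe the buffer as soon as it is no longer needed. A String copy
            // could not be cleared this way, so never call new String(password).
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample values. In real code the characters would be read
        // straight into a char[] (e.g. System.console().readPassword()) rather
        // than pass through a String literal as they do here for the demo.
        char[] stored = "correct horse".toCharArray();
        char[] typed = "correct horse".toCharArray();
        boolean ok = authenticate(typed, stored);
        System.out.println("authenticated=" + ok);
        System.out.println("typed buffer after use: " + Arrays.toString(typed));
        Arrays.fill(stored, '\0');
    }
}
```

Zeroing removes the plaintext from that buffer only; copies made elsewhere (request parsing, logging, framework objects such as the SimpleAuthenticationInfo the ticket queries) must be handled the same way for the dump to come up clean.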