Posted to dev@logging.apache.org by "Gary Gregory (JIRA)" <ji...@apache.org> on 2017/08/15 21:36:00 UTC
[jira] [Comment Edited] (LOG4J2-1896) Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String to char[] for passwords
[ https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16127908#comment-16127908 ]
Gary Gregory edited comment on LOG4J2-1896 at 8/15/17 9:35 PM:
---------------------------------------------------------------
I updated the classes in {{org.apache.logging.log4j.core.net.ssl}} to use {{char[]}} instead of {{String}}. I added methods and constructors for {{char[]}} and deprecated the ones with {{String}}. It's debatable whether we should simply _remove_ the {{String}} APIs or leave them as deprecated.
WRT to storing the password, it's in a {{char[]}} for now, we could additionally obfuscate it the same way Jetty does with its {{org.eclipse.jetty.util.security.Password}} class.
was (Author: garydgregory):
I updated the classes in {{org.apache.logging.log4j.core.net.ssl}} to use {{char[]}} instead of {{String}}. I added methods and constructors for {{char[]}} deprecated the ones with {{String}}. It's debatable whether we should simply _remove_ the {{String}} APIs or leave them as deprecated.
WRT to storing the password, it's in a {{char[]}} for now, we could additionally obfuscate it the same way Jetty does with its {{org.eclipse.jetty.util.security.Password}} class.
> Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String to char[] for passwords
> ---------------------------------------------------------------------------------------------------
>
> Key: LOG4J2-1896
> URL: https://issues.apache.org/jira/browse/LOG4J2-1896
> Project: Log4j 2
> Issue Type: Improvement
> Components: Configurators
> Reporter: Gary Gregory
> Assignee: Gary Gregory
> Fix For: 2.9
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
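The pattern the issue asks for, written out as an added illustration (hypothetical code, not Log4j's own StoreConfiguration): the configuration object holds the password as a char[] it can overwrite, exposes the deprecated String constructor only as a thin adapter onto the char[] one, and hands the array straight to KeyStore.load, which already takes char[]. The class name, the in-memory PKCS12 store and the sample password "changeit" are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical illustration of the char[] vs String password pattern; not Log4j code.
public final class CharArrayPasswordExample {

    /** Holds the store password as char[] so it can be wiped once it is no longer needed. */
    static final class StoreConfig {
        // A String here would be immutable and would sit in the heap until garbage collection.
        private final char[] password;

        StoreConfig(final char[] password) {
            // Defensive copy: the caller keeps ownership of, and may immediately wipe, its own array.
            this.password = password == null ? null : password.clone();
        }

        /** Deprecated String form kept for compatibility; the String copy itself cannot be cleared. */
        @Deprecated
        StoreConfig(final String password) {
            this(password == null ? null : password.toCharArray());
        }

        /** Returns a copy; callers should Arrays.fill it with '\0' after use. */
        char[] getPasswordAsCharArray() {
            return password == null ? null : password.clone();
        }

        /** Loads a key store of the given type, passing the char[] straight to the JDK API. */
        KeyStore load(final InputStream in, final String type)
                throws IOException, GeneralSecurityException {
            final KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return ks;
        }

        /** Overwrites the stored password in place; call when the configuration is discarded. */
        void clearPassword() {
            if (password != null) {
                Arrays.fill(password, '\0');
            }
        }
    }

    public static void main(final String[] args) throws Exception {
        // Build an empty in-memory key store protected by a constructed sample password.
        final char[] secret = "changeit".toCharArray();
        final KeyStore original = KeyStore.getInstance("PKCS12");
        original.load(null, null);
        final ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        original.store(bytes, secret);

        final StoreConfig cfg = new StoreConfig(secret);
        Arrays.fill(secret, '\0'); // caller wipes its own copy right after handing it over

        try {
            final KeyStore reloaded =
                    cfg.load(new ByteArrayInputStream(bytes.toByteArray()), "PKCS12");
            System.out.println("reloaded entries: " + reloaded.size());
        } finally {
            cfg.clearPassword(); // the config's copy is now all NULs; no readable copy remains in the heap
        }
        System.out.println("password after clear: " + Arrays.toString(cfg.getPasswordAsCharArray()));
    }
}
```

The point the example makes is the one the linked Stack Overflow answer makes: the char[] version lets the caller and the configuration each zero their copy as soon as the KeyStore has consumed it, whereas every String that ever held the password (including the one created inside the deprecated constructor) remains readable in a heap dump until the collector happens to reclaim it. Any getter that hands back the password as a String reintroduces that copy, which is why the getter above returns a clone of the array instead.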
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)