You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@logging.apache.org by "Remko Popma (JIRA)" <ji...@apache.org> on 2017/09/24 00:40:00 UTC

[jira] [Reopened] (LOG4J2-1896) Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String to char[] for passwords

     [ https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remko Popma reopened LOG4J2-1896:
---------------------------------

As per discussion in LOG4J2-2054, I will replace the {{PasswordProvider}} interface with a generic {{SecretProvider<T>}} interface and move it to {{core.util}}. 

The interface will still have only one method so on Java 8 it can be conveniently implemented with a lambda. 

The {{MemoryPasswordProvider}} implementation can remain as it is (after changing it to {{implement SecretProvider<char[]>}}. 

> Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String to char[] for passwords
> ---------------------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-1896
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1896
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>            Reporter: Gary Gregory
>            Assignee: Remko Popma
>             Fix For: 2.10.0
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)