[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oleg Kalnichevski updated HTTPCLIENT-1106:
------------------------------------------

         Priority: Major  (was: Minor)
    Fix Version/s: Future

John 

I am not a security expert by any stretch of imagination but I think, while the 
premise of the article is correct, in practical terms char[] passwords are 
potentially more secure than String only if (1) they never get converted to a 
String in the process of building HTTP messages and (2) are zeroed out after 
usage. Otherwise there is simply no difference. While the first issue can be 
solved (HttpCore does not use Strings internally as elements of an HTTP 
message) I see no solution to the second issue. HttpClient can't just pop up a 
UI dialogue to make the user type in the password every time server 
authentication is required. Credentials need to be stored in memory for a 
duration of an HTTP session and HttpClient has no way of knowing when 
credentials are no longer needed and can be discarded. 

Having said all that, it does make sense to change the Credentials interface to use 
char[] instead of String thus giving the users an opportunity to employ a safer 
custom implementation of CredentialsProvider. However the earliest opportunity 
to do so would be 5.0.

Oleg

> Use character arrays for passwords in Credentials objects, not Strings
> ----------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1106
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1106
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpAuth
>    Affects Versions: 4.1.1
>            Reporter: John Karp
>             Fix For: Future
>
>
> It's fairly conventional to use char[] to represent passwords in Java, because 
> using Strings can present security issues:
> http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html
> http://download.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html#PBEEx
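As an added illustration of the two conditions Oleg lists above (the password is never converted to a String, and it is zeroed after use), here is a hypothetical char[]-based credentials holder in Java; it is not code from HttpClient or from either commenter, and CharArrayCredentials, basicAuthValue and leakyBasicAuthValue are assumed names, not the Credentials interface itself.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical char[]-based credentials holder (not HttpClient's Credentials API).
// The caller, who knows when the session ends, decides when close() wipes it.
final class CharArrayCredentials implements AutoCloseable {
    private final String userName;
    private final char[] password; // takes ownership; zeroed in close()
    CharArrayCredentials(String userName, char[] password) {
        this.userName = userName;
        this.password = password;
    }
    // Builds the Basic auth value "user:password" only in buffers that are zeroed
    // before returning; no String is ever created from the password.
    byte[] basicAuthValue() {
        CharBuffer chars = CharBuffer.allocate(userName.length() + 1 + password.length);
        chars.put(userName).put(':').put(password).flip();
        ByteBuffer bytes = StandardCharsets.UTF_8.encode(chars);
        byte[] raw = new byte[bytes.remaining()];
        bytes.get(raw);
        byte[] encoded = Base64.getEncoder().encode(raw);
        Arrays.fill(chars.array(), '\0');
        if (bytes.hasArray()) Arrays.fill(bytes.array(), (byte) 0);
        Arrays.fill(raw, (byte) 0);
        return encoded; // caller zeroes this once the header has been written
    }
    // The pitfall from the comment: a String copy is immutable, cannot be wiped,
    // and lingers on the heap (and in any heap dump) until it is collected.
    String leakyBasicAuthValue() {
        String joined = userName + ":" + new String(password);
        return Base64.getEncoder().encodeToString(joined.getBytes(StandardCharsets.UTF_8));
    }
    @Override
    public void close() {
        Arrays.fill(password, '\0');
    }

    public static void main(String[] args) {
        char[] pw = {'s', 'e', 'c', 'r', 'e', 't'}; // constructed; real code reads from a console
        try (CharArrayCredentials creds = new CharArrayCredentials("alice", pw)) {
            byte[] header = creds.basicAuthValue();
            System.out.write(header, 0, header.length); // emit bytes, build no String
            Arrays.fill(header, (byte) 0);
        }
        System.out.println(Arrays.toString(pw)); // all '\0' after close()
    }
}
```

The wipe only helps if every consumer follows the same discipline: one call to leakyBasicAuthValue() leaves an unwipeable copy regardless of what close() does.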

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
