[ https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999942#comment-15999942 ]

Remko Popma commented on LOG4J2-1896:
-------------------------------------

LOG4J2-1898 is about the builder pattern. I am not really concerned about 
replacing constructors with builders. 

From a user perspective, the ticket description says "The goal is to reduce 
the security risk of using a String for a password", but the risk has not been 
reduced so I would not mention the changes just yet.

We could technically close this ticket if the {{StoreConfiguration}} 
constructor took a char[] instead of a String, but it might cause 
misunderstandings if we report progress when the problem is not yet resolved. 
It's probably better to increase the scope of this ticket to also cover the 
other XXXStoreConfigurations and nulling out the memory when done.



> Update org.apache.logging.log4j.core.net.ssl.StoreConfiguration from a String 
> to char[] to represent its password
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-1896
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1896
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>            Reporter: Gary Gregory
>            Assignee: Gary Gregory
>             Fix For: 2.9
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a 
> {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See 
> https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
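
An added example (not part of the original message and not Log4j code): a hypothetical `PasswordHoldingStore` class showing the pattern the ticket discusses, a `char[]` password that is overwritten once the key store has been loaded. The class name, the in-memory PKCS12 store and the sample password are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical class for illustration; not Log4j's StoreConfiguration.
public class PasswordHoldingStore {
    private final byte[] storeBytes;
    private char[] password; // a char[] can be overwritten; a String cannot

    public PasswordHoldingStore(byte[] storeBytes, char[] password) {
        this.storeBytes = storeBytes.clone();
        this.password = password.clone(); // own copy, so the caller can wipe theirs
    }

    // Loads the key store, then wipes the password whether or not loading succeeded.
    public KeyStore load() throws Exception {
        if (password == null) {
            throw new IllegalStateException("password already cleared");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (ByteArrayInputStream in = new ByteArrayInputStream(storeBytes)) {
            ks.load(in, password);
        } finally {
            clear();
        }
        return ks;
    }

    // Overwriting shortens the time the secret sits in heap memory. It does not
    // remove copies that exist elsewhere, e.g. a String the value was parsed from.
    public void clear() {
        if (password != null) {
            Arrays.fill(password, '\0');
            password = null;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = {'c', 'h', 'a', 'n', 'g', 'e', 'i', 't'}; // constructed sample
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null); // empty in-memory store so the example runs offline
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, pw);
        PasswordHoldingStore cfg = new PasswordHoldingStore(out.toByteArray(), pw);
        Arrays.fill(pw, '\0'); // caller wipes its own copy immediately
        System.out.println("entries: " + cfg.load().size());
    }
}
```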
