[ https://issues.apache.org/jira/browse/LOG4J2-1896?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Remko Popma resolved LOG4J2-1896.
---------------------------------
Resolution: Fixed
The various StoreConfiguration classes now get a reference to a
PasswordProvider instead of a {{char[]}} password.
The PasswordProvider's {{getPassword()}} method may be called multiple times as
needed, so the caller does not need to (and *should not*) keep the password
data in memory for longer than absolutely necessary. Users of this class now
erase the password array immediately when authentication is complete and the
password data is no longer needed.
I created LOG4J2-2054 for the next weak point: currently the
TrustStore/KeyStore passwords need to be specified in plain text in the log4j2
configuration.
> Update classes in org.apache.logging.log4j.core.net.ssl in APIs from String
> to char[] for passwords
> ---------------------------------------------------------------------------------------------------
>
> Key: LOG4J2-1896
> URL: https://issues.apache.org/jira/browse/LOG4J2-1896
> Project: Log4j 2
> Issue Type: Improvement
> Components: Configurators
> Reporter: Gary Gregory
> Assignee: Remko Popma
> Fix For: 2.10.0
>
>
> Update {{org.apache.logging.log4j.core.net.ssl.StoreConfiguration}} from a
> {{String}} to {{char[]}} to represent its password.
> The goal is to reduce the security risk of using a String for a password. See
> https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
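An added example, not code from the Log4j project or from this thread, of the pattern the resolution describes: the caller asks the provider for the password each time it is needed, uses it only for the duration of the key store load, and zeroes the array immediately afterwards. The one-method PasswordProvider interface shape, the MemoryPasswordProvider and the KeyStoreLoader class are assumptions made for illustration; the page only names the interface and its getPassword() method.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;

// Assumed shape of the provider: the page names getPassword() and says it
// may be called repeatedly, so each call must return usable password data.
interface PasswordProvider {
    char[] getPassword();
}

// Hypothetical provider that hands out a fresh copy on every call, so a
// caller can wipe the copy it received without breaking later callers.
// (A String could not be wiped this way: its contents stay on the heap,
// and possibly in the string pool, until the garbage collector runs.)
final class MemoryPasswordProvider implements PasswordProvider {
    private final char[] password;

    MemoryPasswordProvider(char[] password) {
        this.password = password.clone();
    }

    @Override
    public char[] getPassword() {
        return password.clone();
    }
}

final class KeyStoreLoader {
    // Loads a key store while keeping the password in memory only for the
    // duration of the load; the finally block zeroes the array even if
    // KeyStore.load() throws (wrong password, corrupt file, I/O error).
    static KeyStore load(Path path, String type, PasswordProvider provider)
            throws Exception {
        char[] password = provider.getPassword();
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return ks;
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

The same load-then-wipe shape applies to the trust store; what this does not solve is the clear-text password in the configuration file itself, which is the follow-up the comment files as LOG4J2-2054.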