On Mon, 18 Apr 2022 15:21:18 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
>> Please review this password cleanup enhancement in the PasswordCallback >> implementation. This is one of the effort to clean up the buffered >> passwords. >> >> The PasswordCallback.setPassword() clones the password, but is not >> registered for cleanup. An application could call clearPassword() for the >> purpose, but it would be nice to cleanup the buffer as well if >> clearPassword() was not called in an application. And, if the setPassword() >> get called multiple times, the clearPassword() should also be called the >> same times if not relying on finalization. It could be fragile in practice. > > Xue-Lei Andrew Fan has updated the pull request incrementally with one > additional commit since the last revision: > > Update test case src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java line 123: > 121: cleanable = CleanerFactory.cleaner().register( > 122: this, cleanerFor(inputPassword)); > 123: } If `setPassword` is called twice in succession, should the previous password be cleaned before the new one is assigned and registered? ------------- PR: https://git.openjdk.java.net/jdk/pull/8272