On Mon, 18 Apr 2022 16:39:36 GMT, Stuart Marks <sma...@openjdk.org> wrote:

>> Xue-Lei Andrew Fan has updated the pull request incrementally with one 
>> additional commit since the last revision:
>> 
>>   Update test case
>
> src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java
>  line 123:
> 
>> 121:             cleanable = CleanerFactory.cleaner().register(
>> 122:                     this, cleanerFor(inputPassword));
>> 123:         }
> 
> If `setPassword` is called twice in succession, should the previous password 
> be cleaned before the new one is assigned and registered?

I can see why that might be a good idea. Would require a specification change 
though. I also think it is fine to keep the behavior the same, and place the 
responsibility on the application to call `clearPassword` before setting a new 
one. We could add a warning though, something like: "Note: `clearPassword` 
should be called to clear any prior password before calling `setPassword` 
multiple times on the same `PasswordCallback` instance."

-------------

PR: https://git.openjdk.java.net/jdk/pull/8272
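The calling pattern suggested in the reply above, as an added example that is not part of the original message or of the JDK sources. The class and helper names (`PasswordCallbackReuse`, `replacePassword`, `matches`) and the sample passwords are hypothetical. It relies only on the documented behaviour that `setPassword` stores a copy and `getPassword` returns a copy.

```java
import java.util.Arrays;
import javax.security.auth.callback.PasswordCallback;

public class PasswordCallbackReuse {

    // Hypothetical helper: store a new password in a callback that may
    // already hold one from an earlier attempt.
    static void replacePassword(PasswordCallback cb, char[] newPassword) {
        // Wipe the internal copy left by any earlier setPassword call
        // instead of leaving it for the garbage collector or a cleaner.
        cb.clearPassword();
        try {
            cb.setPassword(newPassword);   // the callback keeps its own clone
        } finally {
            // The caller's buffer is a separate copy; wipe it as well.
            if (newPassword != null) {
                Arrays.fill(newPassword, '\0');
            }
        }
    }

    // Hypothetical consumer: getPassword() hands out a fresh copy on
    // every call, so each copy has to be wiped by whoever asked for it.
    static boolean matches(PasswordCallback cb, char[] expected) {
        char[] copy = cb.getPassword();
        try {
            // Arrays.equals is not constant-time; acceptable for a demo only.
            return copy != null && Arrays.equals(copy, expected);
        } finally {
            if (copy != null) {
                Arrays.fill(copy, '\0');
            }
        }
    }

    public static void main(String[] args) {
        PasswordCallback cb = new PasswordCallback("Password: ", false);
        char[] expected = "second-try".toCharArray();    // constructed sample value

        replacePassword(cb, "first-try".toCharArray());  // constructed sample value
        System.out.println("first attempt matches:  " + matches(cb, expected));

        // Same instance, second password: the first copy is cleared first.
        replacePassword(cb, "second-try".toCharArray());
        System.out.println("second attempt matches: " + matches(cb, expected));

        cb.clearPassword();   // final wipe once authentication is finished
        System.out.println("after clearPassword:    " + matches(cb, expected));
        Arrays.fill(expected, '\0');
    }
}
```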
