On Mon, 18 Apr 2022 15:21:18 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
>> Please review this password cleanup enhancement in the PasswordCallback
>> implementation. This is one of the efforts to clean up the buffered
>> passwords.
>>
>> The PasswordCallback.setPassword() clones the password, but is not
>> registered for cleanup. An application could call clearPassword() for the
>> purpose, but it would be nice to clean up the buffer as well if
>> clearPassword() was not called in an application. And, if the setPassword()
>> gets called multiple times, the clearPassword() should also be called the
>> same number of times if not relying on finalization. It could be fragile in practice.
>
> Xue-Lei Andrew Fan has updated the pull request incrementally with one
> additional commit since the last revision:
>
>   Update test case

I am not quite seeing the rationale for this change. Are you trying to protect against callers forgetting to call `clearPassword`? Is that really our responsibility? Even if so, then @stuart-marks' suggestion about clearing interim passwords is relevant and this solution seems incomplete. But I think trying to fix that will necessitate some specification changes and also possibly some added implementation complexity to detect if code has or has not called `clearPassword`.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8272
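The caller-side pattern the thread is debating, as an added example that is not code from the pull request or from either message: because `setPassword()` clones its argument, the caller wipes its own arrays and pairs every `setPassword()` with a `clearPassword()`, including the interim one. The class name `PasswordCallbackHygiene`, the helper `isWiped` and the sample passwords are constructed for illustration.

```java
import javax.security.auth.callback.PasswordCallback;
import java.util.Arrays;

public class PasswordCallbackHygiene {

    // Hypothetical helper: true when the buffer holds only filler characters.
    static boolean isWiped(char[] buf) {
        if (buf == null) return true;
        for (char c : buf) {
            if (c != '\0' && c != ' ') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        PasswordCallback cb = new PasswordCallback("Password: ", false);
        char[] first = "constructed-sample-1".toCharArray();   // constructed sample value
        char[] second = "constructed-sample-2".toCharArray();  // constructed sample value
        char[] retrieved = null;
        try {
            cb.setPassword(first);       // the callback stores its own clone
            Arrays.fill(first, '\0');    // wiping our array does not touch that clone
            System.out.println("clone survives caller wipe: " + !isWiped(cb.getPassword()));

            // Interim password: clear it explicitly before replacing it,
            // rather than relying on the implementation to do so.
            cb.clearPassword();
            cb.setPassword(second);
            Arrays.fill(second, '\0');

            retrieved = cb.getPassword(); // getPassword() returns another copy
            System.out.println("retrieved length: " + retrieved.length);
        } finally {
            // One clearPassword() for the last setPassword(), plus every
            // copy this code obtained from getPassword().
            cb.clearPassword();
            if (retrieved != null) Arrays.fill(retrieved, '\0');
        }
        System.out.println("callback buffer wiped: " + isWiped(cb.getPassword()));
        System.out.println("local copy wiped: " + isWiped(retrieved));
    }
}
```

The copy printed in the first check is itself a short-lived array that this demo does not wipe; production code would hold it in a variable and clear it as well.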