On Mon, 18 Apr 2022 18:07:59 GMT, Roger Riggs <rri...@openjdk.org> wrote:
>> I can see why that might be a good idea. Would require a specification >> change though. I also think it is fine to keep the behavior the same, and >> place the responsibility on the application to call `clearPassword` before >> setting a new one. We could add a warning though, something like: "Note: >> `clearPassword` should be called to clear any prior password before calling >> `setPassword` multiple times on the same `PasswordCallback` instance." > > setPassword can/should always clear the previous password. It is an internal > copy that no one else has a reference to and is being replaced. > It will need to either explicitly call cleanable.clean() or fill/erase the > array itself. > Overwriting the cleanable will prevent the existing cleanable from being > processed. > It don't think it needs a spec change, the internal value is implementation > only. What about code that is already calling `clearPassword` between calls to `setPassword`? This seems to be a change in the design of this API. The `clearPassword` method is there to allow callers to manage and clear the passwords itself. ------------- PR: https://git.openjdk.java.net/jdk/pull/8272