On Mon, 18 Apr 2022 19:10:44 GMT, Roger Riggs <rri...@openjdk.org> wrote:

>> What about code that is already calling `clearPassword` between calls to 
>> `setPassword`? This seems to be a change in the design of this API. The 
>> `clearPassword` method is there to allow callers to manage and clear the 
>> passwords themselves.
>
> I think it's "belt and suspenders".
> If the caller does not call `clearPassword` before calling a second 
> `setPassword`, the previous char array will still contain the previous 
> password and remain uncleared in memory for a (longer) indeterminate time.
> It is fulfilling the same purpose as the original finalizer.

Yes, exactly. I'd recommend it calling `cleanable.clean()` prior to storing the 
new password, so that the cleaning action for the old password is explicitly 
and immediately unregistered.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8272
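
The pattern discussed in this thread, as an added example that is not code from the PR or the JDK: the hypothetical class `SecretHolder` and its `Zeroizer` action are assumptions used to show `cleanable.clean()` being called before a new password is stored, so the old array is wiped and its cleaning action unregistered immediately.

```java
import java.lang.ref.Cleaner;
import java.util.Arrays;

// Hypothetical holder illustrating the pattern; not the JDK's PasswordCallback.
public class SecretHolder {
    private static final Cleaner CLEANER = Cleaner.create();

    // The cleaning action holds only the array, never the holder itself,
    // otherwise the holder could not become unreachable.
    private static final class Zeroizer implements Runnable {
        private final char[] secret;
        Zeroizer(char[] secret) { this.secret = secret; }
        @Override public void run() { Arrays.fill(secret, ' '); }
    }

    private char[] secret;
    private Cleaner.Cleanable cleanable;

    public synchronized void setPassword(char[] password) {
        // Wipe the previous copy now and unregister its action, rather than
        // leaving it in memory until the holder is garbage collected.
        if (cleanable != null) {
            cleanable.clean();
            cleanable = null;
        }
        secret = null;
        if (password != null) {
            secret = password.clone();
            cleanable = CLEANER.register(this, new Zeroizer(secret));
        }
    }

    public synchronized char[] getPassword() {
        return secret == null ? null : secret.clone();
    }

    public synchronized void clearPassword() {
        // clean() runs the action at most once, so a caller that already
        // cleared the password makes the later clean() in setPassword a no-op.
        if (cleanable != null) cleanable.clean();
    }

    public static void main(String[] args) {
        SecretHolder h = new SecretHolder();
        h.setPassword("first".toCharArray());     // constructed sample value
        char[] oldInternal = h.secret;            // keep a reference to inspect it
        h.setPassword("second".toCharArray());    // no clearPassword() in between
        System.out.println("old copy wiped: " + new String(oldInternal).trim().isEmpty());
        System.out.println("current: " + new String(h.getPassword()));
    }
}
```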
