That's a good point! Pre-side note/history: on a pure PasswordCipher aspect it was not an issue until recently (j8 something) cause constant pool was not used/usable for all strings.
On a pure technical aspect and our API: most modern APIs use a String (datasources, JavaEE API like HttpServletRequest... or JavaSE with DriverManager) so we can't really help in our own API (ie we can fix it but then you get the same issue elsewhere). So yes there is potentially an issue but if you think more to which kind of attack you can get I would worry about a lot of other things before worrying about password since it requires already advanced accesses to the box.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-06-10 10:17 GMT+02:00 Alex Soto <[email protected]>:

> One thing about PasswordCipher, because you are planning to rework :) My security team (which sometimes are a bit crazy) noticed me that this interface deals with passwords as Strings. This can be a security problem since Strings are immutable and not destroyed (they are pooled), so it can be a security problem since instances are always live.
> In fact in my company we always treat passwords as byte[].
>
> We even transform char[] using this algorithm:
>
>     ByteBuffer bb = CHARSET.encode(CharBuffer.wrap(password));
>     byte[] asBytes = new byte[bb.remaining()];
>     bb.get(asBytes);
>
> So paranoid level is high I know, but at the end it is about security.
>
> WDYT?
>
> On Wed, 10 June 2015 at 10:01, Romain Manni-Bucau (<[email protected]>) wrote:
>
> > yeah, fully agree.
> >
> > The few points which make PasswordCipher different are:
> > - they are "prototype" (short live instances)
> > - they are not bound to any application by default (so no cdi)
> >
> > That said it shouldn't be hard to get a PasswordCipher which is actually a cdi bridge one (ie we don't add cdi by default but allow to ask for it): cipher:cdi:org.supercompany.SuperPwdCipher:encoded. The bridge would:
> > 1) ensure there is a "current" cdi context
> > 2) create the instance
> > 3) decode as expected
> > 4) release the creation context if the instance was not normal scoped
> >
> > In terms of impl it can just be a plain old proxy delegating to an invocation handler with this logic.
> >
> > wdyt? Do you want to have a try? Any other idea we could use?
> >
> > 2015-06-10 9:48 GMT+02:00 Jonathan Gallimore <[email protected]>:
> >
> > > Go for it :) - not sure what's involved off the top of my head, but am happy to help dig into the code.
> > >
> > > Jon
> > >
> > > On Wed, Jun 10, 2015 at 7:42 AM, Alex Soto <[email protected]> wrote:
> > >
> > > > Ok no problem at all because I will implement the logic I need as a JDK service, but I think that will be great to have all classes that can be extended in TomEE by a developer to be CDI aware like AbstractRouter.
> > > >
> > > > If you want I can send this on devel mailing list.
> > > >
> > > > Alex
> > > >
> > > > On Tue, 9 June 2015 at 21:41, Jean-Louis Monteiro (<[email protected]>) wrote:
> > > >
> > > > > Not supported at the minute
> > > > >
> > > > > --
> > > > > Jean-Louis Monteiro
> > > > > http://twitter.com/jlouismonteiro
> > > > > http://www.tomitribe.com
> > > > >
> > > > > On Tue, Jun 9, 2015 at 4:41 PM, Romain Manni-Bucau <[email protected]> wrote:
> > > > >
> > > > > > think it is not supported
> > > > > >
> > > > > > 2015-06-09 16:39 GMT+02:00 Alex Soto <[email protected]>:
> > > > > >
> > > > > > > Hi guys, can I use CDI annotations in implementations of org.apache.openejb.cipher.PasswordCipher using OpenEJB 4.7.2? I have tried but no injection occurs, and to know if it is because I am doing something wrong or simply it is not supported.
> > > > > > >
> > > > > > > Alex.
> > >
> > > --
> > > Jonathan Gallimore
> > > http://twitter.com/jongallimore
> > > http://www.tomitribe.com
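As an added example that is not part of this thread or of TomEE/OpenEJB, the char[]-to-byte[] conversion Alex quotes, extended with what is usually missing around it: the encoder's own intermediate buffer is scrubbed, and the caller zeroes both arrays after a single use so no copy of the password outlives the operation. The class and method names, UTF-8 as the charset, and the consumer callback are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.Predicate;

// Added example, not TomEE/OpenEJB code. Names, UTF-8 and the structure are assumptions.
public final class PasswordBytes {
    private static final Charset CHARSET = StandardCharsets.UTF_8;

    /** The quoted conversion, plus a scrub of the encoder's intermediate buffer. */
    static byte[] toBytes(char[] password) {
        // CharBuffer.wrap copies nothing, so wiping 'password' later wipes the only char copy.
        ByteBuffer bb = CHARSET.encode(CharBuffer.wrap(password));
        byte[] asBytes = new byte[bb.remaining()];
        bb.get(asBytes);
        // The encoder allocated its own heap buffer, which still holds the bytes; its
        // backing array may be larger than remaining(), so clear all of it.
        if (bb.hasArray()) {
            Arrays.fill(bb.array(), (byte) 0);
        }
        return asBytes; // the caller owns this copy and must wipe it when done
    }

    /** Hand the bytes to a consumer exactly once, then zero both arrays in finally. */
    static boolean useOnce(char[] password, Predicate<byte[]> consumer) {
        byte[] bytes = null;
        try {
            bytes = toBytes(password);
            return consumer.test(bytes);
        } finally {
            if (bytes != null) {
                Arrays.fill(bytes, (byte) 0);
            }
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample for the demo only: the literal itself is a pooled String.
        // Real code should obtain the char[] from a source that never builds a String,
        // e.g. System.console().readPassword().
        char[] pw = "s3cret".toCharArray();
        boolean accepted = useOnce(pw, b -> b.length == 6);
        System.out.println("accepted=" + accepted + " wiped=" + (pw[0] == '\0'));
    }
}
```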
