RFR: 8284910: Buffer clean in PasswordCallback [v2]
Sean Mullan
mullan at openjdk.java.net
Mon Apr 18 17:30:52 UTC 2022
On Mon, 18 Apr 2022 16:39:36 GMT, Stuart Marks <smarks at openjdk.org> wrote:
>> Xue-Lei Andrew Fan has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Update test case
>
> src/java.base/share/classes/javax/security/auth/callback/PasswordCallback.java line 123:
>
>> 121: cleanable = CleanerFactory.cleaner().register(
>> 122: this, cleanerFor(inputPassword));
>> 123: }
>
> If `setPassword` is called twice in succession, should the previous password be cleaned before the new one is assigned and registered?
I can see why that might be a good idea. Would require a specification change though. I also think it is fine to keep the behavior the same, and place the responsibility on the application to call `clearPassword` before setting a new one. We could add a warning though, something like: "Note: `clearPassword` should be called to clear any prior password before calling `setPassword` multiple times on the same `PasswordCallback` instance."
-------------
PR: https://git.openjdk.java.net/jdk/pull/8272
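The caller-side pattern suggested in the reply above, as an added example that is not part of the original message or the JDK source: clear the prior password before calling `setPassword` again on the same `PasswordCallback` instance. The class name, the `replacePassword` and `tryLogin` helpers, and the sample passwords are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import javax.security.auth.callback.PasswordCallback;

public class PasswordCallbackReuse {

    // Hypothetical helper: store a new password in a reused callback,
    // clearing the callback's copy of the previous one first.
    static void replacePassword(PasswordCallback cb, char[] fresh) {
        cb.clearPassword();        // wipe the previously stored copy, if any
        cb.setPassword(fresh);     // setPassword stores its own copy of 'fresh'
        Arrays.fill(fresh, '\0');  // so the caller's buffer can be wiped right away
    }

    // Hypothetical stand-in for the code that consumes the password.
    static boolean tryLogin(char[] password) {
        return password != null && password.length >= 14;
    }

    // Fetch the password, use it, and wipe the copy getPassword() returned.
    static boolean attempt(PasswordCallback cb) {
        char[] copy = cb.getPassword();   // getPassword returns a copy
        try {
            return tryLogin(copy);
        } finally {
            if (copy != null) {
                Arrays.fill(copy, '\0');
            }
        }
    }

    public static void main(String[] args) {
        PasswordCallback cb = new PasswordCallback("Password: ", false);
        try {
            // Constructed sample values; a real handler would read a char[]
            // from the user, since String literals cannot be wiped.
            replacePassword(cb, "first-attempt".toCharArray());
            boolean ok = attempt(cb);
            if (!ok) {
                // Retry on the same instance: the first password is cleared
                // inside replacePassword before the second one is stored.
                replacePassword(cb, "second-attempt".toCharArray());
                ok = attempt(cb);
            }
            System.out.println("login ok: " + ok);
        } finally {
            cb.clearPassword();   // do not leave the last password in the callback
        }
    }
}
```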