RFR: 8374555: No need for visible input warning in s.s.u.Password when not reading from System.in
Hai-May Chao
hchao at openjdk.org
Tue Jan 6 10:51:21 UTC 2026
On Mon, 5 Jan 2026 22:20:28 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> We should only print out `[WARNING: Input may be visible on screen]` when trying to read password from `System.in`. Don't print it if the password is read from a different URL.
src/java.base/share/classes/sun/security/util/Password.java line 68:
> 66: consoleBytes = ConsoleHolder.convertToBytes(consoleEntered);
> 67: in = new ByteArrayInputStream(consoleBytes);
> 68: } else if (in == System.in && System.in.available() == 0) {
The additional check looks good as we need to make sure the password is actually read from user's standard input. Suggest to update the comment for this.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/29051#discussion_r2664508342
More information about the security-dev
mailing list