JDK-4261940

In DefaultCallbackHandler, no way to clear password bytearray

    • Bug
    • Resolution: Fixed
    • P3
    • 1.2.1
    • 1.3.0
    • core-libs
    • None
    • 1.2.1
    • generic
    • generic

      In DefaultCallbackHandler, the constructor receives credentials, converts
      them to a byte-array and stores them in a private byte-array (passwd).
      However, there is no way to clear this byte-array if and when this
      information is not needed anymore. Giving a means to clear this
      sensitive information will decrease the chances of an attack outside
      the JVM, which inspects the heap looking for credentials, to succeed.

            rleesunw Rosanna Lee (Inactive)
            dhendlersunw Danny Hendler (Inactive)
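
The kind of clearing hook the report asks for, as an added example that is not part of the original report and is not the JDK's `DefaultCallbackHandler` code. The class name `ClearableCallbackHandler`, its `clearPassword()` method and the UTF-8 encoding are assumptions made for illustration; only the `javax.security.auth.callback` types are real JDK APIs.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical handler for illustration; not the JDK's DefaultCallbackHandler.
public final class ClearableCallbackHandler implements CallbackHandler {
    private byte[] passwd; // sensitive: stays on the heap until clearPassword()
    public ClearableCallbackHandler(char[] credentials) {
        // Encode directly from char[] so no immutable String copy of the secret exists.
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(credentials));
        passwd = new byte[buf.remaining()];
        buf.get(passwd);
        if (buf.hasArray()) Arrays.fill(buf.array(), (byte) 0); // wipe the temporary
    }

    @Override
    public synchronized void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        if (passwd == null) throw new IllegalStateException("password already cleared");
        for (Callback cb : callbacks) {
            if (!(cb instanceof PasswordCallback)) throw new UnsupportedCallbackException(cb);
            CharBuffer chars = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(passwd));
            char[] tmp = new char[chars.remaining()];
            chars.get(tmp);
            ((PasswordCallback) cb).setPassword(tmp); // setPassword stores its own copy
            Arrays.fill(tmp, '\0');                    // so the temporaries can be wiped
            if (chars.hasArray()) Arrays.fill(chars.array(), '\0');
        }
    }
    // Zero the stored bytes and drop the reference once authentication is finished.
    public synchronized void clearPassword() {
        if (passwd != null) { Arrays.fill(passwd, (byte) 0); passwd = null; }
    }

    public static void main(String[] args) throws Exception {
        char[] secret = {'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd'}; // constructed sample
        ClearableCallbackHandler h = new ClearableCallbackHandler(secret);
        Arrays.fill(secret, '\0');          // caller wipes its own copy
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        h.handle(new Callback[] { pc });
        System.out.println("callback received " + pc.getPassword().length + " chars");
        pc.clearPassword();                 // wipe the callback's copy
        h.clearPassword();                  // wipe the handler's copy
    }
}
```

Zeroing shortens the time the credential is readable in a heap dump; a copying garbage collector may still leave earlier copies behind, so the secret should be cleared as soon as it is no longer needed.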