-
Type:
Bug
-
Resolution: Fixed
-
Priority:
P3
-
Affects Version/s: 1.3.0
-
Component/s: core-libs
-
None
-
1.2.1
-
generic
-
generic
In DefaultCallbackHandler, the constructor receives credentials, converts
them to a byte-array and stores them in a private byte-array (passwd).
However, there is no way to clear this byte-array if and when this
information is not needed anymore. Giving a means to clear this
sensitive information will decrease the chances of an attack outside
the JVM, which inspects the heap looking for credentials, to succeed.
them to a byte-array and stores them in a private byte-array (passwd).
However, there is no way to clear this byte-array if and when this
information is not needed anymore. Giving a means to clear this
sensitive information will decrease the chances of an attack outside
the JVM, which inspects the heap looking for credentials, to succeed.