- Type: Enhancement
- Resolution: Unresolved
- Priority: P4
- Affects Version/s: 8
- Component/s: security-libs
- None
Password::readPassword reads passwords using System.console(). When System.console() returns null, the method falls back to reading from System.in. In JDK-8354469, this was improved so that when System.console() is null but stdin is still a TTY, an internal console is used. However, there are still cases where neither console is available, and the method still falls back to System.in.
Most tools that prompt for a password fail when no reliable console is available. For example, sudo and openssl both exit when stdin is not a TTY.
Java can adopt a similar approach and disallow reading a password from System.in. This can be introduced in stages: first add the ability to disallow it while keeping it allowed by default, then in a later release switch the default to disallow, and finally always disallow it.
We do not plan to provide alternative options for reading a password from System.in; keytool and jarsigner already support options such as -storepass:env and -storepass:file.
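The following is an added example, not JDK code and not part of this issue, showing how a tool can implement the behaviour described above: prompt through System.console() when one exists, refuse to fall back to System.in unless a switch explicitly allows it, and accept the password from an environment variable or a file in the style of keytool's -storepass:env and -storepass:file. The system property name example.password.allowStdin, the class and method names, and the env:/file: source syntax are assumptions for this example; it targets JDK 11 or later (Files.readString).

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

/**
 * Added example (not JDK code): a password prompt that behaves like sudo and
 * openssl, i.e. it fails when no reliable console is available instead of
 * silently reading the password from stdin.
 */
public final class PasswordPrompt {

    /**
     * Hypothetical switch standing in for the staged policy proposed in the
     * issue: "true" models the first stage (fallback still allowed on request),
     * the default "false" models the later stages (fallback disallowed).
     */
    private static final boolean ALLOW_STDIN_FALLBACK =
            Boolean.getBoolean("example.password.allowStdin"); // assumed property name

    private PasswordPrompt() {
    }

    /** Interactive prompt: console if available, otherwise fail unless allowed. */
    public static char[] read(String prompt) throws IOException {
        Console console = System.console();
        // On JDK 22 and later, System.console() may also be non-null when stdin is
        // redirected; there, additionally checking Console.isTerminal() is advisable.
        if (console != null) {
            char[] pw = console.readPassword("%s", prompt);
            if (pw == null) {
                throw new IOException("no password entered (EOF on console)");
            }
            return pw;
        }
        if (!ALLOW_STDIN_FALLBACK) {
            throw new IOException("no console available; refusing to read a password "
                    + "from stdin. Use env:NAME or file:PATH instead.");
        }
        // Legacy fallback: echo is NOT suppressed here and the line may end up in logs.
        System.err.print(prompt);
        BufferedReader in = new BufferedReader(
                new InputStreamReader(System.in, StandardCharsets.UTF_8));
        String line = in.readLine();
        if (line == null) {
            throw new IOException("EOF on stdin");
        }
        return line.toCharArray();
    }

    /** Non-interactive sources: "env:VAR" or "file:/path/to/secret". */
    public static char[] fromSource(String spec) throws IOException {
        if (spec.startsWith("env:")) {
            String name = spec.substring(4);
            String value = System.getenv(name);
            if (value == null) {
                throw new IOException("environment variable not set: " + name);
            }
            return value.toCharArray();
        }
        if (spec.startsWith("file:")) {
            String content = Files.readString(Path.of(spec.substring(5)), StandardCharsets.UTF_8);
            // Strip a single trailing line terminator, as most tools do.
            int end = content.length();
            while (end > 0 && (content.charAt(end - 1) == '\n' || content.charAt(end - 1) == '\r')) {
                end--;
            }
            return content.substring(0, end).toCharArray();
        }
        throw new IllegalArgumentException("unknown password source: " + spec);
    }

    public static void main(String[] args) throws IOException {
        char[] pw = args.length > 0 ? fromSource(args[0]) : read("Enter keystore password: ");
        try {
            System.out.println("read " + pw.length + " characters");
        } finally {
            Arrays.fill(pw, '\0'); // clear the secret from memory when done
        }
    }
}
```

Running `java PasswordPrompt < /dev/null` (no TTY) exits with the "no console available" error by default, which is the behaviour the issue proposes; `java -Dexample.password.allowStdin=true PasswordPrompt` restores the current fallback, and `java PasswordPrompt env:KEYSTORE_PASS` or `java PasswordPrompt file:pass.txt` avoids the prompt entirely.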
- links to: Review(master) openjdk/jdk/29490