[jira] [Commented] (SHIRO-539) User passwords visible in JVM as String


[jira] [Commented] (SHIRO-539) User passwords visible in JVM as String

Francois Papon (Jira)

    [ https://issues.apache.org/jira/browse/SHIRO-539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019684#comment-17019684 ]

Benjamin Marwell commented on SHIRO-539:

I think this is what https://issues.apache.org/jira/browse/SHIRO-349 wants to fix.

> User passwords visible in JVM as String
> ---------------------------------------
>                 Key: SHIRO-539
>                 URL: https://issues.apache.org/jira/browse/SHIRO-539
>             Project: Shiro
>          Issue Type: Brainstorming
>          Components: Authentication (log-in), Authorization (access control)
>    Affects Versions: 1.2.4
>            Reporter: burak sarac
>            Priority: Minor
>              Labels: features, security
> 1. Run a web application server configured with shiro.ini
> 2. Take a memory dump
> 3. Parse the memory dump using Eclipse Memory Analyzer
> 4. Open the Object Query tab
> 5. Execute the statement 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo'
> 6. As you will see in the attachment, the user password is in human-readable format.
> Didn't test it yet, but using a char array instead of a String, zero-filling it afterwards and then forcing GC can help, I think. I wasn't sure that this is a valid issue, so I raised the ticket under brainstorming. Thank you

This message was sent by Atlassian Jira
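As an added illustration of the mitigation the reporter sketches (keep the secret in a char[] and zero it when done), not code from Shiro or from this thread: a small AutoCloseable holder that wipes its array on close. The class and method names (SecretChars, matches) are made up for the example.

```java
import java.util.Arrays;

// Holds a password as char[] so it can be overwritten in place. A String is
// immutable, so a password held as String stays readable in a heap dump until
// the GC happens to reclaim it; a char[] can be zeroed deterministically.
public final class SecretChars implements AutoCloseable {
    private final char[] chars;
    private boolean cleared;

    public SecretChars(char[] source) {
        // Defensive copy: this instance owns the bytes it will later zero.
        this.chars = Arrays.copyOf(source, source.length);
        // Wipe the caller's buffer too, so only one live copy remains.
        Arrays.fill(source, '\0');
    }

    // Constant-time comparison, so verification does not leak the match length.
    public boolean matches(char[] other) {
        if (cleared) throw new IllegalStateException("secret already wiped");
        int diff = chars.length ^ other.length;
        for (int i = 0; i < Math.min(chars.length, other.length); i++) {
            diff |= chars[i] ^ other[i];
        }
        return diff == 0;
    }

    @Override
    public void close() {
        Arrays.fill(chars, '\0'); // overwrite in place; no String copy was ever made
        cleared = true;
    }

    public static void main(String[] args) {
        // Constructed sample input; in practice this arrives from a console or login form.
        // Built as char[] literals on purpose: a String literal would be interned.
        char[] entered = {'s', 'e', 'c', 'r', 'e', 't'};
        char[] expected = {'s', 'e', 'c', 'r', 'e', 't'};
        try (SecretChars pw = new SecretChars(entered)) {
            System.out.println("matches: " + pw.matches(expected));
        } // close() runs here: the internal array is now all '\0'
        Arrays.fill(expected, '\0');
        System.out.println("caller buffer wiped: " + (entered[0] == '\0'));
    }
}
```

Zeroing only covers copies your own code controls: any String created along the way (for example a request parameter or a log line) stays in the heap until collected, and forcing a GC does not guarantee that the freed memory is overwritten.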