  1. Couchbase Java Client
  2. JCBC-1700

String password argument in PasswordAuthenticator.create()

Details

    • Improvement
    • Resolution: Unresolved
    • Major

    Description

      This API takes a String password argument.  There should not be any String passwords anywhere as a String cannot be zeroed out after use and will be left in the JVM memory and could be captured in a core dump.   I realize that scenario is a bit of a stretch, but anyone auditing for security will find this and complain.

      /**
       * Creates a new password authenticator with the default settings.
       *
       * @param username the username to use for all authentication.
       * @param password the password to use alongside the username.
       * @return the instantiated {@link PasswordAuthenticator}.
       */
      public static PasswordAuthenticator create(final String username, final String password) {
        return builder().username(username).password(password).build();
      }
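The pattern the description asks for, as an added example that is not part of the issue or of the Couchbase SDK: the secret is held in a `char[]` that can be overwritten after use. The class `WipeablePassword` and its method `toUtf8` are hypothetical names, and the sample password is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Hypothetical holder (not a Couchbase SDK class): keeps the secret in a wipeable char[]. */
public final class WipeablePassword implements AutoCloseable {
    private final char[] secret;
    private boolean wiped;

    public WipeablePassword(char[] password) {
        // Defensive copy: the caller remains responsible for wiping its own array.
        this.secret = Arrays.copyOf(password, password.length);
    }

    /** Encodes to UTF-8 without ever creating an immutable String of the secret. */
    public byte[] toUtf8() {
        if (wiped) {
            throw new IllegalStateException("password already wiped");
        }
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0); // wipe the encoder's temporary buffer too
        }
        return out;
    }

    /** Overwrites the stored characters; a String offers no equivalent operation. */
    @Override
    public void close() {
        Arrays.fill(secret, '\0');
        wiped = true;
    }

    public static void main(String[] args) {
        // Constructed sample; interactive code would take the array from Console.readPassword().
        char[] typed = {'s', '3', 'c', 'r', 'e', 't'};
        byte[] wire;
        try (WipeablePassword pw = new WipeablePassword(typed)) {
            Arrays.fill(typed, '\0');   // caller wipes its own copy immediately
            wire = pw.toUtf8();         // bytes handed to the authentication exchange
            System.out.println("encoded " + wire.length + " bytes");
        }                               // close() zeroes the held copy here
        Arrays.fill(wire, (byte) 0);    // wipe the encoded form once it has been sent
    }
}
```

Wiping is best effort: a moving garbage collector may already have copied the array elsewhere on the heap, so this shortens the exposure window rather than guaranteeing the secret is gone.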

          People

            daschl Michael Nitschinger
            michael.reiche Michael Reiche
