Details
Type: Improvement
Resolution: Unresolved
Priority: Major
Description
This API takes a String password argument. There should not be any String passwords anywhere as a String cannot be zeroed out after use and will be left in the JVM memory and could be captured in a core dump. I realize that scenario is a bit of a stretch, but anyone auditing for security will find this and complain.
```java
/**
 * Creates a new password authenticator with the default settings.
 *
 * @param username the username to use for all authentication.
 * @param password the password to use alongside the username.
 * @return the instantiated {@link PasswordAuthenticator}.
 */
public static PasswordAuthenticator create(final String username, final String password) {
    return builder().username(username).password(password).build();
}
```
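The following is an added example, not code from the project or from the reporter, showing what a `char[]`-based counterpart of the factory above can do that the `String` version cannot: take a private copy of the password, build the credential it needs without ever creating a `String` from it, and overwrite every buffer it used before the object is discarded. The class name `CharArrayPasswordAuthenticator`, the `create(String, char[])` overload and the `basicAuthHeaderValue()` method are hypothetical; the same `char[]` convention is what `java.net.PasswordAuthentication` and `javax.security.auth.Destroyable` already follow. The sample credential is constructed inline.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public final class ZeroablePasswordExample {

    /** Hypothetical authenticator that never materialises the password as a String. */
    static final class CharArrayPasswordAuthenticator implements AutoCloseable {
        private final String username;
        private final char[] password;   // private copy, wiped in close()
        private boolean closed;

        private CharArrayPasswordAuthenticator(String username, char[] password) {
            this.username = username;
            this.password = password.clone(); // caller keeps, and must wipe, its own array
        }

        /** Hypothetical char[] counterpart of create(String, String). */
        static CharArrayPasswordAuthenticator create(String username, char[] password) {
            return new CharArrayPasswordAuthenticator(username, password);
        }

        /**
         * Builds an HTTP Basic credential value from "user:password". Every intermediate
         * char[] and byte[] is overwritten on the way out. The returned String is still
         * a reversible encoding of the password, so callers must treat it as a
         * short-lived secret and not log or cache it.
         */
        String basicAuthHeaderValue() {
            if (closed) throw new IllegalStateException("authenticator closed");
            char[] joined = new char[username.length() + 1 + password.length];
            username.getChars(0, username.length(), joined, 0);
            joined[username.length()] = ':';
            System.arraycopy(password, 0, joined, username.length() + 1, password.length);
            // Encode chars -> bytes via CharBuffer so no String is ever created.
            ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(joined));
            byte[] raw = new byte[encoded.remaining()];
            encoded.get(raw);
            try {
                return "Basic " + Base64.getEncoder().encodeToString(raw);
            } finally {
                Arrays.fill(joined, '\0');
                Arrays.fill(raw, (byte) 0);
                if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0); // wipe the encoder's buffer too
            }
        }

        @Override
        public void close() {
            Arrays.fill(password, '\0');
            closed = true;
        }
    }

    /** True when every element of the array has been overwritten with NUL. */
    static boolean isWiped(char[] a) {
        for (char c : a) if (c != '\0') return false;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample password, built as chars on purpose: a String literal
        // would sit in the constant pool for the life of the JVM.
        char[] secret = {'s', '3', 'c', 'r', '3', 't', '-', 'p', 'a', '5', '5'};
        String header;
        try (CharArrayPasswordAuthenticator auth = CharArrayPasswordAuthenticator.create("alice", secret)) {
            header = auth.basicAuthHeaderValue();
        } finally {
            Arrays.fill(secret, '\0'); // the caller wipes the copy it owns
        }
        System.out.println("header built: " + header.startsWith("Basic "));
        System.out.println("caller copy wiped: " + isWiped(secret));
    }
}
```

The caveat a reviewer will raise is that this only helps if the secret stays in arrays end to end: a single `new String(password)` or `String.valueOf(chars)` anywhere in the authentication path (including inside the HTTP client that consumes the header) reintroduces an immutable copy that the JVM may keep until garbage collection, and even wiped arrays can survive in heap dumps taken before `close()` runs. The `char[]` convention narrows the window; it does not close it.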