[SHIRO-539] User passwords visible in JVM as String - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Brainstorming
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 1.2.4
Fix Version/s: None
Component/s: Authentication (log-in), Authorization (access control)
Labels:
- features
- security

Description

1-Run a web application server configured with Shiro.ini
2-take a memory dump
3-parse memory dump using eclipse memory analyzer
4-Open Object query tab
5- Execute 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo' statement
6-As you will see in attachment user password is in human readable format.

Didnt test it yet but using char array instead of string and after zero filling and then forcing gc can help I think. I wasnt sure that this is a valid issue so I raise the ticket under brainstorming. thank you

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: burak sarac

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Aug/15 13:37

Updated:: 20/Jan/20 18:49