SHIRO-539

User passwords visible in JVM as String


    Details

      Description

      1. Run a web application server configured with Shiro.ini.
      2. Take a memory dump.
      3. Parse the memory dump using Eclipse Memory Analyzer.
      4. Open the Object Query tab.
      5. Execute the 'select * from org.apache.shiro.authc.SimpleAuthenticationInfo' statement.
      6. As you will see in the attachment, the user password is in human-readable format.

      Didn't test it yet, but using a char array instead of a String, zero-filling it afterwards and then forcing GC can help, I think. I wasn't sure that this is a valid issue, so I raised the ticket under brainstorming. Thank you.
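      The char-array mitigation sketched above, as an added illustration that is not Shiro project code: the credential is held as a char[] so it can be overwritten once comparison is done, which an immutable String does not allow. The class name ZeroingCredential and the sample passwords are made up for this example.

```java
import java.util.Arrays;

// Added example (not part of Shiro): keep the secret as char[] and wipe it
// after use. A String copy of the password would stay readable on the heap
// until the collector happens to reclaim it, which a dump can capture.
public final class ZeroingCredential implements AutoCloseable {
    private final char[] secret;

    // Defensive copy so the caller can wipe its own array independently.
    public ZeroingCredential(char[] secret) {
        this.secret = Arrays.copyOf(secret, secret.length);
    }

    // Constant-time comparison: never returns early on the first mismatch.
    public boolean matches(char[] candidate) {
        int diff = secret.length ^ candidate.length;
        int n = Math.min(secret.length, candidate.length);
        for (int i = 0; i < n; i++) {
            diff |= secret[i] ^ candidate[i];
        }
        return diff == 0;
    }

    // True once every stored character has been overwritten with zeros.
    public boolean isWiped() {
        for (char c : secret) {
            if (c != '\0') return false;
        }
        return true;
    }

    // Overwrite in place; after this the heap object holds only zeros.
    @Override
    public void close() {
        Arrays.fill(secret, '\0');
    }

    public static void main(String[] args) {
        // Constructed sample input, built as char[] (as Console.readPassword()
        // would return it) so no String copy of the secret is created here.
        char[] typed = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        char[] attempt = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        ZeroingCredential cred = new ZeroingCredential(typed);
        System.out.println("match: " + cred.matches(attempt));   // true
        cred.close();
        System.out.println("wiped: " + cred.isWiped());          // true
        Arrays.fill(typed, '\0');   // wipe the caller's copies as well
        Arrays.fill(attempt, '\0');
    }
}
```

      Note that zeroing only reaches the array you hold; any String built from the password elsewhere (for example by a logging call or a framework that expects String credentials) remains outside this class's control.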

      Reporter: hrgiger burak sarac
      Assignee: Unassigned