logging-log4j-dev mailing list archives

From Gary Gregory <garydgreg...@gmail.com>
Subject Re: Track passwords internally as char[] instead of String
Date Mon, 19 Aug 2013 14:54:18 GMT
On Mon, Aug 19, 2013 at 10:52 AM, Gary Gregory <garydgregory@gmail.com> wrote:

> On Mon, Aug 19, 2013 at 10:34 AM, Ralph Goers <rgoers@apache.org> wrote:
>
>> I'm not sure how this applies to what you are suggesting, but we should
>> avoid passwords being in clear text in the configuration.  I would suggest
>> using a standard plugin interface similar to what I did with the secret key
>> provider in the Flume Appender.
>>
>
> We should at least offer something like
> http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords
>

So perhaps we need a boolean password attribute on PluginElement and
PluginAttribute.

Gary


>
> Gary
>
>
>>
>> Ralph
>>
>> On Aug 19, 2013, at 7:29 AM, Gary Gregory <garydgregory@gmail.com> wrote:
>>
>> On Mon, Aug 19, 2013 at 10:25 AM, Paul Benedict <pbenedict@apache.org> wrote:
>>
>>> Do you need the password ever after authentication?
>>>
>>
>> I guess it depends on whether the code handles re-auth in case of a
>> disconnect.
>>
>> Gary
>>
>>
>>>
>>> On Mon, Aug 19, 2013 at 8:55 AM, Gary Gregory <garydgregory@gmail.com> wrote:
>>>
>>>> On Mon, Aug 19, 2013 at 7:27 AM, Ralph Goers <rgoers@apache.org> wrote:
>>>>
>>>>> What passwords?
>>>>>
>>>>
>>>> For example:
>>>>
>>>> - org.apache.logging.log4j.core.net.SMTPManager.FactoryData.password
>>>> - org.apache.logging.log4j.core.net.JMSTopicManager.password
>>>> - org.apache.logging.log4j.core.net.JMSQueueManager.FactoryData.password
>>>>
>>>> Gary
>>>>
>>>>>
>>>>> Ralph
>>>>>
>>>>> On Aug 19, 2013, at 4:22 AM, Gary Gregory <garydgregory@gmail.com>
>>>>> wrote:
>>>>>
>>>>> I've seen it done many places: Should we track passwords internally as
>>>>> char[] instead of String for ivars?
>>>>>
>>>>> This prevents Log4j spilling your secrets by accident in a toString to
>>>>> internal log call.
>>>>>
>>>>> Gary
>>>>>
>>>>> --
>>>>> E-Mail: garydgregory@gmail.com | ggregory@apache.org
>>>>> Java Persistence with Hibernate, Second Edition<http://www.manning.com/bauer3/>
>>>>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>>>>> Spring Batch in Action <http://www.manning.com/templier/>
>>>>> Blog: http://garygregory.wordpress.com
>>>>> Home: http://garygregory.com/
>>>>> Tweet! http://twitter.com/GaryGregory
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Cheers,
>>> Paul
>>>
>>
>>
>>
>>
>>
>
>
>



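An added illustration of the char[] approach discussed in this thread; it is not Log4j code, and the FactoryData holder below is a hypothetical stand-in for the SMTPManager/JMS FactoryData classes Gary lists:

```java
import java.util.Arrays;

// Hypothetical holder modelled on the FactoryData classes named in the thread.
// The password is kept as char[] rather than String so that (a) an accidental
// toString() in an internal log call cannot spill it and (b) the buffer can be
// zeroed once authentication is done, which an immutable String never allows.
public final class FactoryData {
    private final String userName;
    private final char[] password;

    public FactoryData(String userName, char[] password) {
        this.userName = userName;
        // Defensive copy: the caller wipes its own array afterwards.
        this.password = password == null ? null : password.clone();
    }

    /** Copy for the one place that authenticates; the caller wipes it after use. */
    public char[] getPassword() {
        return password == null ? null : password.clone();
    }

    /** Zero the stored secret when it is no longer needed (e.g. no re-auth on disconnect). */
    public void clearPassword() {
        if (password != null) {
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Redacts the secret. Without this override a char[] field would print as
     * "[C@<hash>" (harmless) whereas a String field prints the password itself.
     */
    @Override
    public String toString() {
        return "FactoryData{userName=" + userName
                + ", password=" + (password == null ? "null" : "****") + "}";
    }

    public static void main(String[] args) {
        char[] secret = "hunter2".toCharArray();   // constructed sample value
        FactoryData data = new FactoryData("smtp-user", secret);
        Arrays.fill(secret, '\0');                 // caller wipes its copy at once
        System.out.println(data);                  // the secret is not printed
        char[] forAuth = data.getPassword();
        // ... authenticate with forAuth here ...
        Arrays.fill(forAuth, '\0');                // wipe the working copy
        data.clearPassword();                      // and the stored one if no re-auth is needed
    }
}
```

A plugin attribute flagged as a password (the boolean attribute proposed above) would be the natural place to hand the value over as char[] instead of String.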
