Passwords stored in String instead of char arrays in Fuse APIs

Solution Verified - Updated -

Issue

  • Several APIs available in JBoss Fuse expect passwords as String. This is not good practice because String is an immutable type and its contents cannot be overwritten.
  • That means the password will stay in memory even after use (and potentially for a very long time). Examples:

    • Apache httpcomponents/httpclient-osgi
      e.g.: Credentials.getPassword()

    • Apache ActiveMQ/activemq-osgi
      e.g.: ActiveMQConnectionFactory.setPassword() API

    • Apache sshd
      e.g.: ClientSession.addPasswordIdentity() API

    • JMX API
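
The difference in password lifetime between a char array and a String, as an added example that is not part of the original article or of any Fuse component. `SecretChars` and the static `setPassword(String)` are hypothetical stand-ins for a caller-side holder and for a String-typed setter like the ones listed above; the sample password is constructed.

```java
import java.util.Arrays;

public class PasswordLifetimeDemo {

    /** Wipeable holder for a secret (hypothetical helper, not a Fuse API). */
    static final class SecretChars implements AutoCloseable {
        private final char[] value;

        SecretChars(char[] source) {
            this.value = Arrays.copyOf(source, source.length);
            Arrays.fill(source, '\0');          // clear the caller's copy as well
        }

        /** Needed only for String-typed APIs; the returned String cannot be wiped. */
        String toImmutableString() { return new String(value); }

        boolean isWiped() {
            for (char c : value) {
                if (c != '\0') return false;
            }
            return true;
        }

        @Override
        public void close() { Arrays.fill(value, '\0'); }   // overwrite in place
    }

    // Stand-in for a String-typed setter (hypothetical); it keeps a reference,
    // as a connection factory or credentials object would.
    static String lastSeenByStringApi;
    static void setPassword(String password) { lastSeenByStringApi = password; }

    public static void main(String[] args) {
        // Constructed sample input; real code would take the char[] from
        // java.io.Console.readPassword() so no String literal ever exists.
        char[] typed = "constructed-sample-pw".toCharArray();
        SecretChars secret = new SecretChars(typed);
        try (SecretChars s = secret) {
            setPassword(s.toImmutableString());  // forced copy into a String
        }
        System.out.println("holder wiped after close:   " + secret.isWiped());
        System.out.println("caller array wiped:         " + (typed[0] == '\0'));
        System.out.println("String copy still readable: " + lastSeenByStringApi);
    }
}
```

The char arrays are zeroed as soon as the try block ends, while the String handed to the setter stays readable on the heap (and in any heap dump) until the garbage collector reclaims it and the memory is reused.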

Environment

  • Red Hat JBoss Fuse
    • 6.3.0
