Passwords stored in String instead of char arrays in Fuse APIs
Issue
- Several APIs available in JBoss Fuse expect passwords as String. This is not good practice, as String is an immutable type. That means the password will stay in memory even after use (and potentially for a very long time).
- Apache httpcomponents/httpclient-osgi, e.g.: Credentials.getPassword()
- Apache activeMQ/activeMQ-osgi, e.g.: ActiveMQConnectionFactory.setPassword() API
- Apache sshd, e.g.: ClientSession.addPasswordIdentity() API
- JMX API
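The difference described above, as an added illustration that is not part of the original article or of any Fuse component. It assumes Java 8 or later; the class name, sample secret and salt are constructed, and PBKDF2 stands in for any JDK API that accepts a char[].

```java
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordLifetimeDemo {

    // char[] path: the consumer takes an array, so every copy can be erased after use.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256); // copies the array
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // erase the spec's internal copy
            Arrays.fill(password, '\0');   // erase the caller's buffer
        }
    }

    static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes("UTF-8");   // constructed sample value
        char[] password = {'s', '3', 'c', 'r', 'e', 't'};     // constructed sample secret

        // String path: what a String-only setter forces on the caller.
        // The copy is immutable and stays on the heap until it is garbage
        // collected and its memory is reused.
        String forced = new String(password);

        byte[] key = deriveKey(password, salt);

        System.out.println("derived key bytes:  " + key.length);
        System.out.println("char[] wiped:       " + isWiped(password));
        System.out.println("String still holds: " + forced.length() + " chars");
    }
}
```

Wiping the array has no effect on the String built from it, which is why an API that only accepts String leaves the caller with no way to shorten the password's lifetime in memory.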
Environment
- Red Hat JBoss Fuse
  - 6.3.0