Class EnvironmentPasswordProvider
- java.lang.Object
-
- org.apache.logging.log4j.core.net.ssl.EnvironmentPasswordProvider
-
- All Implemented Interfaces:
PasswordProvider
class EnvironmentPasswordProvider extends java.lang.Object implements PasswordProvider
PasswordProvider implementation that obtains the password value from a system environment variable.This implementation is not very secure because the Java interface to obtain system environment variable values requires us to use String objects. String objects are immutable and Java does not provide a way to erase this sensitive data from the application memory. The password data will stay resident in memory until the String object and its associated char[] array object are garbage collected and the memory is overwritten by another object.
This is slightly more secure than
MemoryPasswordProvider
because the actual password string does not need to be passed to the application. The actual password string is not pulled into memory until it is needed (so the password string does not need to be passed in from the command line or in a configuration file). This gives an attacker a smaller window of opportunity to obtain the password from a memory dump.A more secure implementation is
FilePasswordProvider
.
-
-
Field Summary
Fields Modifier and Type Field Description private java.lang.String
passwordEnvironmentVariable
-
Constructor Summary
Constructors Constructor Description EnvironmentPasswordProvider(java.lang.String passwordEnvironmentVariable)
Constructs a new EnvironmentPasswordProvider with the specified environment variable name
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description char[]
getPassword()
Returns a new char[] array with the password characters.
-
-
-
Constructor Detail
-
EnvironmentPasswordProvider
public EnvironmentPasswordProvider(java.lang.String passwordEnvironmentVariable)
Constructs a new EnvironmentPasswordProvider with the specified environment variable name- Parameters:
passwordEnvironmentVariable
- name of the system environment variable that holds the password
-
-
Method Detail
-
getPassword
public char[] getPassword()
Description copied from interface:PasswordProvider
Returns a new char[] array with the password characters.It is the responsibility of the caller to erase this data by calling
Arrays.fill(char[], char)
immediately when authentication is complete and the password data is no longer needed.- Specified by:
getPassword
in interfacePasswordProvider
- Returns:
- a copy of the password
-
-