View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements. See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache license, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License. You may obtain a copy of the License at
8    *
9    *      http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the license for the specific language governing permissions and
15   * limitations under the license.
16   */
17  package org.apache.logging.log4j.core.net.ssl;
18  
19  import java.util.Objects;
20  
21  /**
22   * PasswordProvider implementation that obtains the password value from a system environment variable.
23   * <p>
24   * This implementation is not very secure because the Java interface to obtain system environment variable values
25   * requires us to use String objects. String objects are immutable and Java does not provide a way to erase this
26   * sensitive data from the application memory. The password data will stay resident in memory until the String object
27   * and its associated char[] array object are garbage collected and the memory is overwritten by another object.
28   * </p><p>
29   * This is slightly more secure than {@link MemoryPasswordProvider} because the actual password string does not
30   * need to be passed to the application.
31   * The actual password string is not pulled into memory until it is needed
32   * (so the password string does not need to be passed in from the command line or in a configuration file).
33   * This gives an attacker a smaller window  of opportunity to obtain the password from a memory dump.
34   * </p><p>
35   * A more secure implementation is {@link FilePasswordProvider}.
36   * </p>
37   */
38  class EnvironmentPasswordProvider implements PasswordProvider {
39      private final String passwordEnvironmentVariable;
40  
41      /**
42       * Constructs a new EnvironmentPasswordProvider with the specified environment variable name
43       * @param passwordEnvironmentVariable name of the system environment variable that holds the password
44       */
45      public EnvironmentPasswordProvider(final String passwordEnvironmentVariable) {
46          this.passwordEnvironmentVariable = Objects.requireNonNull(
47                  passwordEnvironmentVariable, "passwordEnvironmentVariable");
48      }
49  
50      @Override
51      public char[] getPassword() {
52          final String password = System.getenv(passwordEnvironmentVariable);
53          return password == null ? null : password.toCharArray();
54      }
55  }