1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache license, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the license for the specific language governing permissions and
15 * limitations under the license.
16 */
17 package org.apache.logging.log4j.core.net.ssl;
18
19 import java.util.Objects;
20
/**
 * {@link PasswordProvider} that looks the password up in a system environment variable every time it is requested.
 * <p>
 * This implementation is not very secure: the Java API for reading environment variables returns the value as a
 * {@code String}. Strings are immutable and Java offers no way to erase them, so the password stays resident in
 * application memory until the String and its backing array are garbage collected and the memory is overwritten
 * by another object.
 * </p><p>
 * It is slightly more secure than {@link MemoryPasswordProvider} because the password itself does not have to be
 * handed to the application on the command line or in a configuration file; only the variable name is configured,
 * and the value is not pulled into a Java object until it is needed. This gives an attacker a smaller window of
 * opportunity to obtain the password from a memory dump.
 * </p><p>
 * NOTE(review): the narrower window applies to the Java-side copy only. The environment itself is normally part of
 * the process from launch, is inherited by child processes by default, and on common platforms can be inspected by
 * other processes running as the same user or with elevated privileges. Deployments should confirm who can read
 * the process environment and whether child processes need to have the variable removed.
 * </p><p>
 * A more secure implementation is {@link FilePasswordProvider}.
 * </p>
 */
class EnvironmentPasswordProvider implements PasswordProvider {
    /** Name of the environment variable holding the password; never {@code null} (checked in the constructor). */
    private final String passwordEnvironmentVariable;

    /**
     * Constructs a new EnvironmentPasswordProvider bound to the given environment variable name.
     * Only the name is stored here; the variable is not read until {@link #getPassword()} is called.
     *
     * @param passwordEnvironmentVariable name of the system environment variable that holds the password
     * @throws NullPointerException if {@code passwordEnvironmentVariable} is {@code null}
     */
    public EnvironmentPasswordProvider(final String passwordEnvironmentVariable) {
        Objects.requireNonNull(passwordEnvironmentVariable, "passwordEnvironmentVariable");
        this.passwordEnvironmentVariable = passwordEnvironmentVariable;
    }

    /**
     * Reads the configured environment variable and returns its value as a newly allocated character array.
     * <p>
     * Each call produces a fresh array, so a caller can overwrite it (for example with
     * {@code java.util.Arrays.fill}) once the password is no longer needed. The intermediate {@code String}
     * cannot be cleared that way.
     * </p>
     *
     * @return the password characters, or {@code null} if the environment variable is not defined
     */
    @Override
    public char[] getPassword() {
        final String value = System.getenv(passwordEnvironmentVariable);
        if (value == null) {
            // An undefined variable is reported as null rather than as an empty password.
            return null;
        }
        return value.toCharArray();
    }
}