1 /* 2 * Licensed to the Apache Software Foundation (ASF) under one or more 3 * contributor license agreements. See the NOTICE file distributed with 4 * this work for additional information regarding copyright ownership. 5 * The ASF licenses this file to You under the Apache license, Version 2.0 6 * (the "License"); you may not use this file except in compliance with 7 * the License. You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the license for the specific language governing permissions and 15 * limitations under the license. 16 */ 17 package org.apache.logging.log4j.core.net.ssl; 18 19 import java.util.Arrays; 20 21 /** 22 * Simple PasswordProvider implementation that keeps the password char[] array in memory. 23 * <p> 24 * This implementation is not very secure because the password data is resident in memory during the life of this 25 * provider object, giving attackers a large window of opportunity to obtain the password from a memory dump. 26 * A slightly more secure implementation is {@link EnvironmentPasswordProvider}, 27 * and an even more secure implementation is {@link FilePasswordProvider}. 28 * </p> 29 */ 30 class MemoryPasswordProvider implements PasswordProvider { 31 private final char[] password; 32 33 public MemoryPasswordProvider(final char[] chars) { 34 if (chars != null) { 35 password = chars.clone(); 36 } else { 37 password = null; 38 } 39 } 40 41 @Override 42 public char[] getPassword() { 43 if (password == null) { 44 return null; 45 } 46 return password.clone(); 47 } 48 49 public void clearSecrets() { 50 Arrays.fill(password, '\0'); 51 } 52 }