Don't use Strings when handling Secrets
Issue #330
new
The Secret
class seems to be introduced to promote safe handling of sensitive material, like passwords. Internally, it stores a secret as byte[]
and it has an erase()
method to prevent sensitive material to be stored in memory for a long time.
However, it does have a constructor accepting a String
and a getValue()
returning a String
. Additionally, it does not have a constructor accepting a byte[]
, so when using the class, I’m forced to put credentials in a String
(or use the constructor that generates a random password and overwrite the values of the byte[]
with the sensitive material).
At a minimum, I’d like to see:
- A
Secret(byte[] value)
constructor - The remainder of the library not have the sensitive material converted to
String
, e.g.ResourceOwnerPasswordCredentialsGrant.toParameters()
.
Preferably, to promote safe handling of sensitive material by users of the library:
- Deprecate the
Secret(String value)
constructor andString getValue()
method
Thanks Mark for these suggestions.
Making use of byte[] within Secret will solve the issue internally with the Secret class, but I’m not sure how we can have no Strings appearing elsewhere, e.g. in
ResourceOwnerPasswordCredentialsGrant.toParameters()
you mention. Have you got any ideas?