Google Git
Sign in
apache / logging-log4j-site / 9755b12b39efbc0142688f9b1a11ec68db89f97b / . / 2.13.1 / log4j-core / xref / org / apache / logging / log4j / core / net / ssl / EnvironmentPasswordProvider.html
blob: 10c1413629992c99c9538af97ff1c146f5e3a930 [file] [log] [blame]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>EnvironmentPasswordProvider xref</title>
<link type="text/css" rel="stylesheet" href="../../../../../../../stylesheet.css" />
</head>
<body>
<div id="overview"><a href="../../../../../../../../apidocs/org/apache/logging/log4j/core/net/ssl/EnvironmentPasswordProvider.html">View Javadoc</a></div><pre>
<a class="jxr_linenumber" name="L1" href="#L1">1</a> <em class="jxr_comment">/*</em>
<a class="jxr_linenumber" name="L2" href="#L2">2</a> <em class="jxr_comment"> * Licensed to the Apache Software Foundation (ASF) under one or more</em>
<a class="jxr_linenumber" name="L3" href="#L3">3</a> <em class="jxr_comment"> * contributor license agreements. See the NOTICE file distributed with</em>
<a class="jxr_linenumber" name="L4" href="#L4">4</a> <em class="jxr_comment"> * this work for additional information regarding copyright ownership.</em>
<a class="jxr_linenumber" name="L5" href="#L5">5</a> <em class="jxr_comment"> * The ASF licenses this file to You under the Apache license, Version 2.0</em>
<a class="jxr_linenumber" name="L6" href="#L6">6</a> <em class="jxr_comment"> * (the "License"); you may not use this file except in compliance with</em>
<a class="jxr_linenumber" name="L7" href="#L7">7</a> <em class="jxr_comment"> * the License. You may obtain a copy of the License at</em>
<a class="jxr_linenumber" name="L8" href="#L8">8</a> <em class="jxr_comment"> *</em>
<a class="jxr_linenumber" name="L9" href="#L9">9</a> <em class="jxr_comment"> * <a href="http://www.apache.org/licenses/LICENSE-2." target="alexandria_uri">http://www.apache.org/licenses/LICENSE-2.</a>0</em>
<a class="jxr_linenumber" name="L10" href="#L10">10</a> <em class="jxr_comment"> *</em>
<a class="jxr_linenumber" name="L11" href="#L11">11</a> <em class="jxr_comment"> * Unless required by applicable law or agreed to in writing, software</em>
<a class="jxr_linenumber" name="L12" href="#L12">12</a> <em class="jxr_comment"> * distributed under the License is distributed on an "AS IS" BASIS,</em>
<a class="jxr_linenumber" name="L13" href="#L13">13</a> <em class="jxr_comment"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</em>
<a class="jxr_linenumber" name="L14" href="#L14">14</a> <em class="jxr_comment"> * See the license for the specific language governing permissions and</em>
<a class="jxr_linenumber" name="L15" href="#L15">15</a> <em class="jxr_comment"> * limitations under the license.</em>
<a class="jxr_linenumber" name="L16" href="#L16">16</a> <em class="jxr_comment"> */</em>
<a class="jxr_linenumber" name="L17" href="#L17">17</a> <strong class="jxr_keyword">package</strong> org.apache.logging.log4j.core.net.ssl;
<a class="jxr_linenumber" name="L18" href="#L18">18</a>
<a class="jxr_linenumber" name="L19" href="#L19">19</a> <strong class="jxr_keyword">import</strong> java.util.Objects;
<a class="jxr_linenumber" name="L20" href="#L20">20</a>
<a class="jxr_linenumber" name="L21" href="#L21">21</a> <em class="jxr_javadoccomment">/**</em>
<a class="jxr_linenumber" name="L22" href="#L22">22</a> <em class="jxr_javadoccomment"> * PasswordProvider implementation that obtains the password value from a system environment variable.</em>
<a class="jxr_linenumber" name="L23" href="#L23">23</a> <em class="jxr_javadoccomment"> * &lt;p&gt;</em>
<a class="jxr_linenumber" name="L24" href="#L24">24</a> <em class="jxr_javadoccomment"> * This implementation is not very secure because the Java interface to obtain system environment variable values</em>
<a class="jxr_linenumber" name="L25" href="#L25">25</a> <em class="jxr_javadoccomment"> * requires us to use String objects. String objects are immutable and Java does not provide a way to erase this</em>
<a class="jxr_linenumber" name="L26" href="#L26">26</a> <em class="jxr_javadoccomment"> * sensitive data from the application memory. The password data will stay resident in memory until the String object</em>
<a class="jxr_linenumber" name="L27" href="#L27">27</a> <em class="jxr_javadoccomment"> * and its associated char[] array object are garbage collected and the memory is overwritten by another object.</em>
<a class="jxr_linenumber" name="L28" href="#L28">28</a> <em class="jxr_javadoccomment"> * &lt;/p&gt;&lt;p&gt;</em>
<a class="jxr_linenumber" name="L29" href="#L29">29</a> <em class="jxr_javadoccomment"> * This is slightly more secure than {@link MemoryPasswordProvider} because the actual password string does not</em>
<a class="jxr_linenumber" name="L30" href="#L30">30</a> <em class="jxr_javadoccomment"> * need to be passed to the application.</em>
<a class="jxr_linenumber" name="L31" href="#L31">31</a> <em class="jxr_javadoccomment"> * The actual password string is not pulled into memory until it is needed</em>
<a class="jxr_linenumber" name="L32" href="#L32">32</a> <em class="jxr_javadoccomment"> * (so the password string does not need to be passed in from the command line or in a configuration file).</em>
<a class="jxr_linenumber" name="L33" href="#L33">33</a> <em class="jxr_javadoccomment"> * This gives an attacker a smaller window of opportunity to obtain the password from a memory dump.</em>
<a class="jxr_linenumber" name="L34" href="#L34">34</a> <em class="jxr_javadoccomment"> * &lt;/p&gt;&lt;p&gt;</em>
<a class="jxr_linenumber" name="L35" href="#L35">35</a> <em class="jxr_javadoccomment"> * A more secure implementation is {@link FilePasswordProvider}.</em>
<a class="jxr_linenumber" name="L36" href="#L36">36</a> <em class="jxr_javadoccomment"> * &lt;/p&gt;</em>
<a class="jxr_linenumber" name="L37" href="#L37">37</a> <em class="jxr_javadoccomment"> */</em>
<a class="jxr_linenumber" name="L38" href="#L38">38</a> <strong class="jxr_keyword">class</strong> <a href="../../../../../../../org/apache/logging/log4j/core/net/ssl/EnvironmentPasswordProvider.html">EnvironmentPasswordProvider</a> <strong class="jxr_keyword">implements</strong> <a href="../../../../../../../org/apache/logging/log4j/core/net/ssl/PasswordProvider.html">PasswordProvider</a> {
<a class="jxr_linenumber" name="L39" href="#L39">39</a> <strong class="jxr_keyword">private</strong> <strong class="jxr_keyword">final</strong> String passwordEnvironmentVariable;
<a class="jxr_linenumber" name="L40" href="#L40">40</a>
<a class="jxr_linenumber" name="L41" href="#L41">41</a> <em class="jxr_javadoccomment">/**</em>
<a class="jxr_linenumber" name="L42" href="#L42">42</a> <em class="jxr_javadoccomment"> * Constructs a new EnvironmentPasswordProvider with the specified environment variable name</em>
<a class="jxr_linenumber" name="L43" href="#L43">43</a> <em class="jxr_javadoccomment"> * @param passwordEnvironmentVariable name of the system environment variable that holds the password</em>
<a class="jxr_linenumber" name="L44" href="#L44">44</a> <em class="jxr_javadoccomment"> */</em>
<a class="jxr_linenumber" name="L45" href="#L45">45</a> <strong class="jxr_keyword">public</strong> <a href="../../../../../../../org/apache/logging/log4j/core/net/ssl/EnvironmentPasswordProvider.html">EnvironmentPasswordProvider</a>(<strong class="jxr_keyword">final</strong> String passwordEnvironmentVariable) {
<a class="jxr_linenumber" name="L46" href="#L46">46</a> <strong class="jxr_keyword">this</strong>.passwordEnvironmentVariable = Objects.requireNonNull(
<a class="jxr_linenumber" name="L47" href="#L47">47</a> passwordEnvironmentVariable, <span class="jxr_string">"passwordEnvironmentVariable"</span>);
<a class="jxr_linenumber" name="L48" href="#L48">48</a> }
<a class="jxr_linenumber" name="L49" href="#L49">49</a>
<a class="jxr_linenumber" name="L50" href="#L50">50</a> @Override
<a class="jxr_linenumber" name="L51" href="#L51">51</a> <strong class="jxr_keyword">public</strong> <strong class="jxr_keyword">char</strong>[] getPassword() {
<a class="jxr_linenumber" name="L52" href="#L52">52</a> <strong class="jxr_keyword">final</strong> String password = System.getenv(passwordEnvironmentVariable);
<a class="jxr_linenumber" name="L53" href="#L53">53</a> <strong class="jxr_keyword">return</strong> password == <strong class="jxr_keyword">null</strong> ? <strong class="jxr_keyword">null</strong> : password.toCharArray();
<a class="jxr_linenumber" name="L54" href="#L54">54</a> }
<a class="jxr_linenumber" name="L55" href="#L55">55</a> }
</pre>
<hr/>
<div id="footer">Copyright &#169; 1999&#x2013;2020 <a href="https://www.apache.org/">The Apache Software Foundation</a>. All rights reserved.</div>
</body>
</html>