Class EnvironmentPasswordProvider

  • All Implemented Interfaces:
    PasswordProvider

    class EnvironmentPasswordProvider
    extends java.lang.Object
    implements PasswordProvider

    PasswordProvider implementation that obtains the password value from a system environment variable.

    This implementation is not very secure because the Java interface to obtain system environment variable values requires us to use String objects. String objects are immutable and Java does not provide a way to erase this sensitive data from the application memory. The password data will stay resident in memory until the String object and its associated char[] array object are garbage collected and the memory is overwritten by another object.

    This is slightly more secure than MemoryPasswordProvider because the actual password string does not need to be passed to the application. The actual password string is not pulled into memory until it is needed (so the password string does not need to be passed in from the command line or in a configuration file). This gives an attacker a smaller window of opportunity to obtain the password from a memory dump.

    A more secure implementation is FilePasswordProvider.

    • Constructor Summary

      Constructors 
      Constructor Description
      EnvironmentPasswordProvider(java.lang.String passwordEnvironmentVariable)
      Constructs a new EnvironmentPasswordProvider with the specified environment variable name.
    • Method Summary

      Modifier and Type Method Description
      char[] getPassword()
      Returns a new char[] array with the password characters.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • passwordEnvironmentVariable

        private final java.lang.String passwordEnvironmentVariable
    • Constructor Detail

      • EnvironmentPasswordProvider

        public EnvironmentPasswordProvider(java.lang.String passwordEnvironmentVariable)
        Constructs a new EnvironmentPasswordProvider with the specified environment variable name.
        Parameters:
        passwordEnvironmentVariable - name of the system environment variable that holds the password
    • Method Detail

      • getPassword

        public char[] getPassword()
        Description copied from interface: PasswordProvider
        Returns a new char[] array with the password characters.

        It is the responsibility of the caller to erase this data by calling Arrays.fill(char[], char) immediately when authentication is complete and the password data is no longer needed.

        Specified by:
        getPassword in interface PasswordProvider
        Returns:
        a copy of the password
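
The caller-side erasure described for getPassword(), shown as an added example that is not code from this library. `PasswordProvider` here is a local stand-in for the documented interface; `EnvProvider`, its null return for an unset variable, and the variable name `KEYSTORE_PASSWORD` are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.Arrays;

public class PasswordWipeExample {
    /** Stand-in for the PasswordProvider interface documented on this page. */
    interface PasswordProvider { char[] getPassword(); }
    /** Stand-in provider (assumption, not the library's source): reads the variable on demand. */
    static final class EnvProvider implements PasswordProvider {
        private final String variableName;
        EnvProvider(String variableName) { this.variableName = variableName; }
        @Override public char[] getPassword() {
            // System.getenv returns an immutable String that cannot be erased;
            // only the char[] copy handed to the caller can be overwritten.
            String value = System.getenv(variableName);
            return value == null ? null : value.toCharArray();
        }
    }

    /** Loads a PKCS12 store and wipes the password copy whether or not load() throws. */
    static KeyStore open(byte[] storeBytes, PasswordProvider provider) throws Exception {
        char[] password = provider.getPassword();
        if (password == null) throw new IllegalStateException("password variable is not set");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(storeBytes), password);
            return ks;
        } finally {
            Arrays.fill(password, '\0'); // erase as soon as authentication is done
        }
    }

    public static void main(String[] args) throws Exception {
        // KEYSTORE_PASSWORD is a hypothetical variable name chosen for this example.
        PasswordProvider provider = new EnvProvider("KEYSTORE_PASSWORD");
        char[] password = provider.getPassword();
        if (password == null) { System.err.println("set KEYSTORE_PASSWORD first"); return; }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            KeyStore empty = KeyStore.getInstance("PKCS12");
            empty.load(null, null);        // constructed sample: an empty in-memory store
            empty.store(out, password);
        } finally {
            Arrays.fill(password, '\0');   // each getPassword() copy is wiped separately
        }
        System.out.println("entries: " + open(out.toByteArray(), provider).size());
    }
}
```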