fix: mitigate storing password in the memory (#2867)

Signed-off-by: Pavel Jareš <[email protected]>
zowe · Apr 14, 2023 · 3356b7c · 3356b7c
1 parent 9159bc1
commit 3356b7c
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 18 deletions.
diff --git a/...mon/src/main/java/org/zowe/apiml/security/common/content/AbstractSecureContentFilter.java b/...mon/src/main/java/org/zowe/apiml/security/common/content/AbstractSecureContentFilter.java
@@ -72,18 +72,19 @@ protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull Ht
         Optional<AbstractAuthenticationToken> authenticationToken = extractContent(request);
 
         if (authenticationToken.isPresent()) {
+            Authentication authentication = null;
             try {
-                Authentication authentication = authenticationManager.authenticate(authenticationToken.get());
+                authentication = authenticationManager.authenticate(authenticationToken.get());
                 SecurityContextHolder.getContext().setAuthentication(authentication);
                 filterChain.doFilter(request, response);
             } catch (AuthenticationException authenticationException) {
                 failureHandler.onAuthenticationFailure(request, response, authenticationException);
             } catch (RuntimeException e) {
                 resourceAccessExceptionHandler.handleException(request, response, e);
             } finally {
-                Authentication authentication = authenticationToken.get();
+                // TODO: remove once fixed directly in Spring - org.springframework.security.core.CredentialsContainer#eraseCredentials
                 if (authentication != null) {
-                    Object credentials = authenticationToken.get().getCredentials();
+                    Object credentials = authentication.getCredentials();
                     if (credentials instanceof char[]) {
                         Arrays.fill((char[]) credentials, (char) 0);
                     }

diff --git a/...lient-spring/src/main/java/org/zowe/apiml/security/client/login/GatewayLoginProvider.java b/...lient-spring/src/main/java/org/zowe/apiml/security/client/login/GatewayLoginProvider.java
@@ -20,6 +20,7 @@
 import org.zowe.apiml.security.common.login.LoginRequest;
 import org.zowe.apiml.security.common.token.TokenAuthentication;
 
+import java.util.Arrays;
 import java.util.Optional;
 
 import static org.zowe.apiml.security.SecurityUtils.readPassword;
@@ -41,26 +42,34 @@ public class GatewayLoginProvider implements AuthenticationProvider {
     @Override
     public Authentication authenticate(Authentication authentication) {
         String username = authentication.getPrincipal().toString();
-        char[] password;
+        char[] password = null;
         char[] newPassword = null;
-        if (authentication.getCredentials() instanceof LoginRequest) {
-            LoginRequest credentials = (LoginRequest) authentication.getCredentials();
-            password = credentials.getPassword();
-            newPassword = LoginRequest.getNewPassword(authentication);
-        } else {
-            password = readPassword(authentication.getCredentials());
-        }
+        boolean cleanup = false;
+        try {
+            if (authentication.getCredentials() instanceof LoginRequest) {
+                LoginRequest credentials = (LoginRequest) authentication.getCredentials();
+                password = credentials.getPassword();
+                newPassword = LoginRequest.getNewPassword(authentication);
+            } else {
+                password = readPassword(authentication.getCredentials());
+                cleanup = !(authentication.getCredentials() instanceof char[]);
+            }
 
-        Optional<String> token = gatewaySecurityService.login(username, password, newPassword);
+            Optional<String> token = gatewaySecurityService.login(username, password, newPassword);
 
-        if (!token.isPresent()) {
-            throw new BadCredentialsException("Invalid Credentials");
-        }
+            if (!token.isPresent()) {
+                throw new BadCredentialsException("Invalid Credentials");
+            }
 
-        TokenAuthentication tokenAuthentication = new TokenAuthentication(username, token.get());
-        tokenAuthentication.setAuthenticated(true);
+            TokenAuthentication tokenAuthentication = new TokenAuthentication(username, token.get());
+            tokenAuthentication.setAuthenticated(true);
 
-        return tokenAuthentication;
+            return tokenAuthentication;
+        } finally {
+            if (cleanup) {
+                Arrays.fill(password, (char) 0);
+            }
+        }
     }
 
     @Override

diff --git a/...t-spring/src/main/java/org/zowe/apiml/security/client/service/GatewaySecurityService.java b/...t-spring/src/main/java/org/zowe/apiml/security/client/service/GatewaySecurityService.java
@@ -88,6 +88,7 @@ public Optional<String> login(String username, char[] password, char[] newPasswo
         } catch (IOException e) {
             responseHandler.handleException(e);
         } finally {
+            // TODO: remove once fixed directly in Spring - org.springframework.security.core.CredentialsContainer#eraseCredentials
             loginRequest.evictSensitiveData();
         }
         return Optional.empty();