diff --git a/src/main/java/redis/clients/jedis/DefaultJedisClientConfig.java b/src/main/java/redis/clients/jedis/DefaultJedisClientConfig.java
index 25a4737ec0..e83db275b9 100644
--- a/src/main/java/redis/clients/jedis/DefaultJedisClientConfig.java
+++ b/src/main/java/redis/clients/jedis/DefaultJedisClientConfig.java
@@ -83,6 +83,11 @@ public String getPassword() {
 return password == null ? null : new String(password);
 }
 
+ @Override
+ public char[] getPasswordAsChars() {
+ return credentialsProvider.get().getPassword().clone();
+ }
+
 @Override
 public Supplier getCredentialsProvider() {
 return credentialsProvider;
@@ -157,6 +162,7 @@ public static class Builder {
 
 private String user = null;
 private String password = null;
+ private char[] passwordAsChars = null;
 private Supplier credentialsProvider;
 private int database = Protocol.DEFAULT_DATABASE;
 private String clientName = null;
@@ -227,11 +233,21 @@ public Builder user(String user) {
 return this;
 }
 
+ /**
+ * @deprecated This method is deprecated in favor of {@link #passwordAsChars(char[])} due to security concerns.
+ * Storing passwords as Strings can lead to security risks since Strings are immutable and stay in memory
+ * until garbage collected. Use {@link #passwordAsChars(char[])} instead to handle passwords more securely.
+ */
 public Builder password(String password) {
 this.password = password;
 return this;
 }
 
+ public Builder passwordAsChars(char[] password) {
+ this.passwordAsChars = password;
+ return this;
+ }
+
 public Builder credentials(RedisCredentials credentials) {
 this.credentialsProvider = new DefaultRedisCredentialsProvider(credentials);
 return this;
@@ -357,6 +373,7 @@ public static DefaultJedisClientConfig copyConfig(JedisClientConfig copy) {
 } else {
 builder.user(copy.getUser());
 builder.password(copy.getPassword());
+ builder.passwordAsChars(copy.getPasswordAsChars());
 }
 
 builder.database(copy.getDatabase());
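Review bot: The new `getPasswordAsChars()` in the first hunk calls `.clone()` on `credentialsProvider.get().getPassword()` with no null check, so a configuration without a password would throw a NullPointerException where the `getPassword()` context line just above returns null for a null password. The same guard belongs here: `char[] password = credentialsProvider.get().getPassword(); return password == null ? null : password.clone();`. The `copyConfig` hunk calls `copy.getPasswordAsChars()` unconditionally in its else-branch, so a password-less config that reaches that branch would fail while being copied. A one-line Javadoc saying the result is a fresh copy that the caller should overwrite after use would also help, since each call hands out another copy of the secret.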
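Review bot: Nothing visible on this page reads the new `passwordAsChars` builder field: the hunks add the field and its setter, but no hunk touches `build()`. Unless that wiring exists outside this view, a caller who moves from `password(String)` to `passwordAsChars(char[])` as the deprecation text advises would end up with a config that carries no password. The setter also keeps the caller's array by reference (`this.passwordAsChars = password;`), so later changes to that array would show through the builder; storing `password == null ? null : password.clone()` gives the builder its own copy. The Javadoc added on `password(String)` carries `@deprecated` but the method lacks the `@Deprecated` annotation that `JedisClientConfig.getPassword()` receives in this same commit, so callers get no compiler warning. The Builder class continues beyond these hunks.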
diff --git a/src/main/java/redis/clients/jedis/JedisClientConfig.java b/src/main/java/redis/clients/jedis/JedisClientConfig.java
index ce7fd82de4..ce0c8d5149 100644
--- a/src/main/java/redis/clients/jedis/JedisClientConfig.java
+++ b/src/main/java/redis/clients/jedis/JedisClientConfig.java
@@ -42,10 +42,18 @@ default String getUser() {
 return null;
 }
 
+ /**
+ * @deprecated This method is deprecated in favor of {@link #getPasswordAsChars()} due to security concerns.
+ * Storing passwords as Strings can lead to security risks since Strings are immutable and stay in memory
+ * until garbage collected. Use {@link #getPasswordAsChars()} instead to handle passwords more securely.
+ */
+ @Deprecated
 default String getPassword() {
 return null;
 }
 
+ default char[] getPasswordAsChars() { return null; }
+
 // TODO: return null
 default Supplier getCredentialsProvider() {
 return new DefaultRedisCredentialsProvider(
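Review bot: The new default `getPasswordAsChars()` returns `null` unconditionally, so an existing `JedisClientConfig` implementation that overrides only `getPassword()` would report no password through the accessor the deprecation note tells callers to use instead. Bridging the default keeps the two accessors consistent for such implementations: `String p = getPassword(); return p == null ? null : p.toCharArray();`. The method also has no Javadoc; it should state whether the returned array is a fresh copy and that the caller is expected to overwrite it after use (for example `Arrays.fill(pw, '\0')`), because a `char[]` stays in memory just as a String does unless it is cleared. The body of `getCredentialsProvider()` continues outside the hunk.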