io.lettuce.core.RedisURI.Builder#withPassword(java.lang.String) deprecation

[perlun]

Hi,

We're currently upgrading our application from Lettuce 5.3.x to 6.0.3, and one thing I noted (since we have "warnings as errors" enabled for our project) is that the io.lettuce.core.RedisURI.Builder#withPassword(java.lang.String) method is now marked as deprecated:

        /**
         * Configures authentication.
         *
         * @param password the password
         * @return the builder
         * @deprecated since 6.0. Use {@link #withPassword(CharSequence)} or {@link #withPassword(char[])} avoid String caching.
         */
        @Deprecated
        public Builder withPassword(String password) {

I'm generally a quite curious person and hence, I wonder a bit about this. Given that String implements the CharSequence interface, I can trivially work around this by just casing my input String to CharSequence instead and call the withPassword(CharSequence) overload isntead.

However, this must clearly not be how Lettuce intends for me to write my code, so hence the question. Is the idea to force/suggest that my calling code shouldn't cache the password in memory or what's the thinking here? If so, what is the suggested way to retrieve the password in a safe way from "whereever it is kept"?

/cc @mp911de

[mp911de]

The reason is that String has a strong caching affinity and the JVM cannot be easily GC String instances. Therefore we suggest either using char[] or a custom CharSequence (StringBuilder, netty's AsciiString). Deprecating this method should raise awareness and indicate that there are better options for password handling than String.

[perlun]

Thanks @mp911de. 👍 I'll see what will be an appropriate action on our part.

(I guess it could make sense to copy what you just wrote to an FAQ of some sort or similar.)

[mp911de]

Happy to review a pull request.

[perlun]

Here we go: #1707

[haicoder]

Dose one password string will effect GC ?
I don't understand your explanation, I'd appreciate it if you can explain it with more detail.

[perlun]

@haicoder Sorry for the late reply. The question is not about whether it affects GC or not, but the problem is that the password will remain in memory since String instances are more likely to be cached and less likely to be eligible for garbage collection. Given that the password is sensitive information, it gives more room to a potential attacker to read the memory from the process in question and extract the password that way. That, from how I understand it, is the reason why Lettuce is deprecating this method.