It appears that ProtexServerProxy was made to implement Closeable so the close method could clear out any password fields stored in memory. However, the current implementation merely clears the reference to the CallbackHandler. If this is a SimpleCallbackHandler, it will eventually be garbage collected, but the char array it uses to store the password is never explicitly cleared.
I'm aware of two decent solutions currently, both of which involve SimpleCallbackHandler implementing Closeable and having its close method clear out the password field:
If constructing a SimpleCallbackHandler in ProtexServerProxy, store its reference in a SimpleCallbackHandler field. In ProtexServerProxy.close, if this is not null, invoke its close method.
In ProtexServerProxy.close, check if the callback handler is an instance of Closeable. If so, invoke its close method. This has the upside of working with any other CallbackHandler implementations that implement Closeable (are there any cases where this would be bad?).
However, this is all somewhat pointless because SimpleCallbackHandler exists as a bridge for the legacy ProtexServerProxy constructor that accepts the username and password as strings, so the password will always exist uncleared in that string... unless you want to go all out and clear that as well with reflection, recognizing that you're breaking the immutable string model to enforce security.
I would recommend keeping a boolean tracking if the callback is created/managed internally, and only closing in that instance in the ProtexServerProxy.close method - if provided to the proxy by an outside client, we should not close the resource, as some close methods throw an exception if called multiple times and provided items are expected to be managed by the caller.
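A sketch of the approach discussed in this thread, added here as an illustration and not the project's own code: a handler that zeroes its char array on close, and a proxy that closes the handler only when it created it. ClearableHandler, ProxySketch and ownsHandler are hypothetical names, and CallbackHandler is assumed to be javax.security.auth.callback.CallbackHandler.

```java
import java.io.Closeable;
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.*;

public class CredentialCleanupSketch {
    // Hypothetical stand-in for SimpleCallbackHandler: owns a char[] and zeroes it on close.
    static final class ClearableHandler implements CallbackHandler, Closeable {
        private final String username;
        private char[] password;
        ClearableHandler(String username, char[] password) {
            this.username = username;
            this.password = password.clone(); // private copy: close() wipes only our array
        }

        @Override
        public synchronized void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            if (password == null) throw new IllegalStateException("handler is closed");
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }

        @Override
        public synchronized void close() { // idempotent: a second call is a no-op
            if (password != null) { Arrays.fill(password, '\0'); password = null; }
        }
    }

    // Hypothetical stand-in for ProtexServerProxy: closes only a handler it created itself.
    static final class ProxySketch implements Closeable {
        private CallbackHandler handler;
        private final boolean ownsHandler;
        ProxySketch(String user, String pw) { // legacy path; the String pw itself stays in memory
            char[] tmp = pw.toCharArray();
            handler = new ClearableHandler(user, tmp);
            Arrays.fill(tmp, '\0'); // wipe the temporary copy
            ownsHandler = true;
        }
        ProxySketch(CallbackHandler supplied) { handler = supplied; ownsHandler = false; }

        @Override
        public void close() throws IOException {
            // A caller-supplied handler is left for the caller to close.
            if (ownsHandler && handler instanceof Closeable) ((Closeable) handler).close();
            handler = null;
        }
    }
}
```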