I think there should be only a singleton SingnalHandler for all signals to avoid registering duplicate handlers, which maybe won't get unregistered at shutdown.

A distinct event-store for each signal type would also enable better tracking of incoming signals of different kinds. This would allow a more reliable prompting process and ensuring, that the user has interacted with a prompt.

The example source code fails to execute on JDK8 due to the following error:

Exception in thread "main" java.lang.NoSuchMethodError: java.nio.ByteBuffer.rewind()Ljava/nio/ByteBuffer;
at org.freedesktop.secret.Secret.clear(Secret.java:166)
at org.freedesktop.secret.Secret.toBytes(Secret.java:128)
at org.freedesktop.secret.TransportEncryption.encrypt(TransportEncryption.java:109)
at org.freedesktop.secret.simple.SimpleCollection.createItem(SimpleCollection.java:258)
at org.freedesktop.secret.simple.SimpleCollection.createItem(SimpleCollection.java:291)

This is because maven has been setup using JDK9 or later and is using the source and target options instead of the newer 'release' flag. https://www.baeldung.com/maven-java-version

In JDK8 the ByteBuffer inherits a rewind method from Buffer:
https://docs.oracle.com/javase/8/docs/api/java/nio/ByteBuffer.html

In JDK9 a covariant return was added to ByteBuffer:
https://docs.oracle.com/javase/9/docs/api/java/nio/ByteBuffer.html#rewind--

When terminating a test, the "Closing Message Writer" Thread can't unregister a signal anymore.

Exception in thread "Thread-1" [Thread-2] INFO org.freedesktop.dbus.MessageWriter - Closing Message Writer
java.util.concurrent.RejectedExecutionException: Task org.freedesktop.dbus.connections.AbstractConnection$1@6002cb94 rejected from java.util.concurrent.ThreadPoolExecutor@29c1d7a6[Terminated, pool size = 1, active threads = 0, queued tasks = 0, completed tasks = 21]
	at java.base/java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2080)
	at java.base/java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:832)
	at java.base/java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1365)
	at org.freedesktop.dbus.connections.AbstractConnection.sendMessage(AbstractConnection.java:308)
	at org.freedesktop.dbus.RemoteInvocationHandler.executeRemoteMethod(RemoteInvocationHandler.java:147)
	at org.freedesktop.dbus.RemoteInvocationHandler.invoke(RemoteInvocationHandler.java:226)
	at com.sun.proxy.$Proxy11.RemoveMatch(Unknown Source)
	at org.freedesktop.dbus.connections.impl.DBusConnection.removeSigHandler(DBusConnection.java:752)
	at org.freedesktop.dbus.connections.AbstractConnection.removeSigHandler(AbstractConnection.java:330)
	at org.freedesktop.secret.handlers.SignalHandler.disconnect(SignalHandler.java:69)
	at org.freedesktop.secret.handlers.SignalHandler.lambda$new$0(SignalHandler.java:32)
	at java.base/java.lang.Thread.run(Thread.java:844)

Distro: AlmaLinux 8 container on top of Ubuntu 20.04 with privilege
secret-service version: 1.6.2
Error shows that

Exception in thread "main" java.lang.RuntimeException: java.io.IOException: The secret service is not available.

Caused by: java.io.IOException: The secret service is not available.
	at org.freedesktop.secret.simple.SimpleCollection.init(SimpleCollection.java:277)
	at org.freedesktop.secret.simple.SimpleCollection.<init>(SimpleCollection.java:57)

The org.freedesktop.secrets.service and org.gnome.keyring.service exist.

ls /usr/share/dbus-1/services/
ca.desrt.dconf.service                  org.freedesktop.secrets.service            org.gnome.keyring.SystemPrompter.service
org.freedesktop.systemd1.service           org.gnome.keyring.service
org.a11y.Bus.service                    org.gnome.keyring.PrivatePrompter.service  org.gtk.GLib.PACRunner.service

gnome-keyring is also running

ps aux | grep gnome-keyring
user    1217  0.0  0.0 154656  4864 ?        Sl   01:12   0:00 gnome-keyring-daemon --daemonize --login
user    1222  0.0  0.1 302364  9232 ?        Sl   01:12   0:00 gnome-keyring-daemon --unlock
user    1227  0.0  0.0      0     0 ?        Z    01:12   0:00 [gnome-keyring-d] <defunct>
user    1517  0.0  0.0   9220  1204 ?        S    01:13   0:00 grep gnome-keyring

We also have some keyring related tests running successfully in the container.

Why is it complaining about the secret service is not available?
Is there any general advice about how to run this in container?

Thank you very much.

There are problems with the 1.2.0 version on shutting down.

[DBus Sender Thread-1] INFO org.freedesktop.dbus.connections.impl.DBusConnection - Setting reply to MethodCall(0,42) { Path=>/org/freedesktop/DBus, Interface=>org.freedesktop.DBus, Member=>RemoveMatch, Destination=>org.freedesktop.DBus, Signature=>s } { type='signal',member='CollectionChanged',interface='org.freedesktop.Secret.Service' } as an error
[Thread-2] ERROR org.freedesktop.secret.handlers.SignalHandler - org.freedesktop.dbus.exceptions.DBusException: org.freedesktop.dbus.exceptions.DBusExecutionException: Message Failed to Send: Datenübergabe unterbrochen (broken pipe)
org.freedesktop.dbus.exceptions.DBusExecutionException: Message Failed to Send: Datenübergabe unterbrochen (broken pipe)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at org.freedesktop.dbus.errors.Error.getException(Error.java:157)
	at org.freedesktop.dbus.errors.Error.throwException(Error.java:187)
	at org.freedesktop.dbus.RemoteInvocationHandler.executeRemoteMethod(RemoteInvocationHandler.java:164)
	at org.freedesktop.dbus.RemoteInvocationHandler.invoke(RemoteInvocationHandler.java:228)
	at com.sun.proxy.$Proxy26.RemoveMatch(Unknown Source)
	at org.freedesktop.dbus.connections.impl.DBusConnection.removeSigHandler(DBusConnection.java:818)
	at org.freedesktop.dbus.connections.AbstractConnection.removeSigHandler(AbstractConnection.java:400)
	at org.freedesktop.secret.handlers.SignalHandler.disconnect(SignalHandler.java:63)
	at org.freedesktop.secret.handlers.SignalHandler.lambda$new$0(SignalHandler.java:31)
	at java.base/java.lang.Thread.run(Thread.java:834)
[Thread-2] ERROR org.freedesktop.secret.handlers.SignalHandler - Could not remove all signal handlers from the D-Bus.

The SimpleCollection uses exception catch pattern of:
log.error(e.toString(), e.getCause()); throw new IOException(e.toString(), e.getCause());

This pattern drops the important cause frames which are needed for troubleshooting. Currently the logging code produces the following output:
[02 Nov 2020 18:45:33,310] [ERROR] SimpleCollection.<init>() - java.lang.NullPointerException

This is because e.getCause() is null therefore, no throwable was passed to the logger.

However, if I change the catch pattern to the following:
log.error(e.toString(), e); throw new IOException(e.toString(), e);

The following is output is shown:
[03 Nov 2020 16:34:08,347] [ERROR] SimpleCollection.<init>() - java.lang.NullPointerException java.lang.NullPointerException: null at org.freedesktop.secret.handlers.MessageHandler.send(MessageHandler.java:50) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.handlers.Messaging.send(Messaging.java:37) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.Service.openSession(Service.java:29) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.TransportEncryption.openSession(TransportEncryption.java:80) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.simple.SimpleCollection.init(SimpleCollection.java:174) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.simple.SimpleCollection.<init>(SimpleCollection.java:92) [secret-service-1.2.1.jar:?]

Recommendation would be to:

1. Change the logging throwable arguments (right hand side) to log the root exception and not the cause.
2. Change the wrapping exception to wrap the caught exception instead of wrapping a cause that may not be present.
3. Update the logging message (left hand side) to include context about the operation that failed and avoid logging e.toString() as the message.

dbus-java 3.2.3 will be released shortly.
It contains a fix (dbus-java #110), that is essential for kdewallet to work correctly.

As Cryptomator includes secret-service and probably will include kdewallet as well, they need to depend on the same dbus-java version.

Thanks.

In my opinion we shouldn't consume or return any instaces of classes from dependencies, such as DBusPath. This makes it hard to migrate to a different library or library version without breaking the API.

Therefore I suggest to only return "normal" (i.e. java.lang.*) or classes from this library.

On systems without gnome-keyring installed the secret-service can't find any default collection /org/freedesktop/secrets/collection/login.

This problem relates to Cryptomator #950.

cryptomator0.log

18:31:24.707 [JavaFX Application Thread] ERROR o.f.secret.handlers.MessageHandler - org.freedesktop.dbus.exceptions.DBusException: org.freedesktop.DBus.Error.UnknownMethod: Keine derartige Schnittstelle »org.freedesktop.DBus.Properties« des Objekts im Pfad /org/freedesktop/secrets/collection/login
....
Caused by: java.lang.NullPointerException: null
	at org.freedesktop.secret.handlers.MessageHandler.getProperty(MessageHandler.java:72)
	at org.freedesktop.secret.handlers.Messaging.getProperty(Messaging.java:41)
	at org.freedesktop.secret.Collection.isLocked(Collection.java:86)
	at org.freedesktop.secret.simple.SimpleCollection.unlock(SimpleCollection.java:174)
	at org.freedesktop.secret.simple.SimpleCollection.<init>(SimpleCollection.java:47)

Suggested solution

MessageHandler.send() should not return null, but preferably raise an Exception. The high low and level API should be adapted to handle this, where the high level API may return Optionals where returning a type or pass through any Exception as IOException when not returning anything.

There are problems with versions 1.2.0-1.2.3 on shutting down the static initial connection to check whether there is a secret-service or not.

Exception in thread "DBusConnection" java.util.concurrent.RejectedExecutionException: Task org.freedesktop.dbus.connections.AbstractConnection$3@6f96a320 rejected from java.util.concurrent.ThreadPoolExecutor@231c97bd[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0]
	at java.base/java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2055)
	at java.base/java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:825)
	at java.base/java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1355)
	at org.freedesktop.dbus.connections.AbstractConnection.executeInWorkerThreadPool(AbstractConnection.java:946)
	at org.freedesktop.dbus.connections.AbstractConnection.handleMessage(AbstractConnection.java:920)
	at org.freedesktop.dbus.connections.AbstractConnection.handleMessage(AbstractConnection.java:709)
	at org.freedesktop.dbus.connections.IncomingMessageThread.run(IncomingMessageThread.java:43)

The SimpleCollection has the static isAvailable()method, to check wether the running OS has the gnome keyring service installed. But looking into the method, it actually only checks if the DBUS service is available.

The string to check should be org.gnome.keyring.

Using an unlocked default collection...I'm seeing a single write take about 32 milliseconds on average and a single read take about 6.5 milliseconds on average.

Comparing this with KDE Wallet using the JAVA KDE Wallet library, I see the following on KDE Wallet:

With KWallet, I see a single write take about 0.675 milliseconds on average and a single read take about 0.489 seconds on average.

I initially thought it was due to DBus, however, KWallet also operates over DBus...so not sure why this library takes so much time.

The Secret Service API 0.2 as been a published standard for quite some time and is now implemented by other services including:

• KeepassXC
• KWallet (as of version 5.97

However, if something tries to use SimpleCollection with one of those instead of gnome-keyring, it just crashes with:

IOException(""The secret service is not available.")

because the org.gnome.keyring dbus service is not available.

Is it possible to defer that check?
To only crash if someone tries to use a gnome-specific feature?

... which leads to conflicts when using this library in any project using a different logger. Use slf4j-api instead and add slf4j-simple to test-scope.

I'm using your library. It works great, but upon program termination, I always encounter the following error:

Exception in thread "DBusConnection" java.util.concurrent.RejectedExecutionException: Task org.freedesktop.dbus.connections.AbstractConnection$1@7682e526 rejected from java.util.concurrent.ThreadPoolExecutor@710fe758[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 32]
	at java.base/java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2055)
	at java.base/java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:825)
	at java.base/java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1355)
	at org.freedesktop.dbus.connections.AbstractConnection.sendMessage(AbstractConnection.java:317)
	at org.freedesktop.dbus.connections.AbstractConnection.handleMessage(AbstractConnection.java:959)
	at org.freedesktop.dbus.connections.AbstractConnection.handleMessage(AbstractConnection.java:619)
	at org.freedesktop.dbus.connections.IncomingMessageThread.run(IncomingMessageThread.java:43)

I looked into this a bit and suspect that it is caused by the following refence chain: SimpleCollection -> TransportEncryption -> DBusConnection. If SimpleCollection.close() is called, DBusConnection.close() is not called.

Code like the following for SimpleCollection.close() would fix the problem:

    @Override
    public void close() {
        clear();
        if (encryption != null) {
            encryption.close();
        }
        if (encrypted != null) {
            encrypted.close();
        }
        if (session != null) {
            session.close();
        }
    }

I'm creating an instance of a SimpleCollection object for a non-default collection as follows:

SimpleCollection collection = new SimpleCollection("My Collection", "<my-secret>")

It seems that calling the lock and unlock methods on this instance don't do anything and the collection is effectively always unlocked as I am always able to create items and get items from this collection. Is this expected? What should be the expected behavior after calling lock on such a collection?

Dear Sebastian,

I would like to suggest a little re-design of the interfaces that are part of secret-service.

Right now, the interfaces in org.freedesktop.secret.interfaces are all public abstract classes. While this is no problem in having working D-Bus interfaces (and serecret-service is working very well), this has a flaw: sending these over D-Bus throws an exception.

Why is this a problem?

Generally, checking on D-Bus, if an interface is available, e.g. check for the corresponding daemon being installed and configured, is done via connection.getRemoteObject, which requires a "real" D-Bus interface instead of a public abstract class.

The advantage of having the change would be, that it would easily be possible to create a method to check whether gnome-keyring is installed and running, not more, without creating an instance of the SimpleCollectionand using the default-collection in one flush like it is now. This would make secret-service more flexible.

So, what do you think about a change like this one: purejava@ea272ba

The change passes all maven tests you have created. 😃

At the moment passwords in parameters, variables, fields and returned from methods are plain Strings.

Storing Passwords as char[]

Whenever we store passwords, we should do it in a char[], as it can be nilled at the end of the lifecycle of the instance referencing it. A String, however, can not be changed via public APIs and potentially stays in memory after being GC'ed.

Consuming Passwords as CharSequences

When we consume a password, it should be passed as a CharSequence (which can be a String but also allows the char[]-backed and therefore more secure CharBuffer:

Returning passwords as char[]

When we return a password, it should be a char[]. This allows library users to destroy the password after using it but doesn't restrict them if they still want to construct a String.

SimpleCollection is AutoCloseable i.e. it should either be used in a try-with-resource statement or wrapped in a class that is itself AutoCloseable.

SimpleService returns a single instance of SimpleCollection here:

During your unit tests you only use such instances once and dispose them afterwards, thus they work. But the API suggests reusability, which is not provided.

I.e. the following code does close() the SimpleCollection twice:

Optional<SimpleCollection> connection = new SimpleService().connect();
assert connection.isPresent();

try (SimpleCollection collection = connection.get()) {
    ...
} catch (IOException e) { ... }

// at this point the collection is already closed:
try (SimpleCollection collection = connection.get()) {
    ...
} catch (IOException e) { ... }

I suggest to design the API that can be used like this:

try (SimpleService service = SimpleService.create()) { // factory method instead of constructor, as public constructors should ideally not throw any exceptions. attempt to initialize basic dbus connection here.
    try (SimpleServiceSession session = service.createSession()) {
        session.doStuffOnKeyring();
    } catch (IOException e) { ... }

    try (SimpleServiceSession session = service.createSession()) {
        session.doOtherStuffOnKeyring();
    } catch (IOException e) { ... }
} catch (SimpleServiceUnavailableException e) { ... }

Related to cryptomator/integrations-linux#13 and #26

The behavior to auto-close the D-Bus connection was introduced to fix #26 with c386feb. This would be fine if one does not want to reuse the DBus connection for another instances of SimpleCollection, but it is a common use case to create multiple instances of SimpleCollection which use all the same DBus connection.

One way to fix this would be to use different DBus connections for the static lifetime (which only exist due to bad interface design in 1.x.x) and the instances. Another is to give manual control over the disconnect from global DBus connection and remove the disconnect() from the auto-close of the SimpleCollection instances.

On a retrieve password request with a locked keyring, a pop up to unlock the keyring should be shown to either unlock the keyring or dismiss the pop up and keep the keyring locked.

On configuring Cryptomator with the "Unlock vault when starting Cryptomator" setting in conjunction with autologin to your system on booting, Cryptomator should launch and a pop up to unlock the keyring should appear.

secret-service instead logs

19:49:19.049 [JavaFX Application Thread] DEBUG o.c.u.k.m.PassphraseEntryController - Unlock canceled by user.
19:49:19.058 [JavaFX Application Thread] DEBUG o.c.ui.unlock.UnlockWorkflow - Unlock of 'Test2' canceled.

but there was no pop up that got dismissed.

This issue goes back to cryptomator/cryptomator#2769.

This is a feature request that will not be downwards compatible and may require a new major version:

Could you please update dbus-java to version 4? It got modularized and offers a variety of transport implementations, including dbus-java-transport-native-unixsocket, which relies on Java's native unix sockets, so we could get rid of the dependency to the whole JNR ecosystem.

This requires to bump the JDK to 17 (technically 16, but I guess LTS makes more sense). On the long run, this is the most important step to make this library work with Java's module system.

MessageHandler logging fails to check for a null response when logging a trace message at line 50:
https://github.com/swiesend/secret-service/blob/master/src/main/java/org/freedesktop/secret/handlers/MessageHandler.java#L50

Error message with fixed logging is:
[03 Nov 2020 16:34:08,347] [ERROR] SimpleCollection.<init>() - java.lang.NullPointerException java.lang.NullPointerException: null at org.freedesktop.secret.handlers.MessageHandler.send(MessageHandler.java:50) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.handlers.Messaging.send(Messaging.java:37) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.Service.openSession(Service.java:29) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.TransportEncryption.openSession(TransportEncryption.java:80) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.simple.SimpleCollection.init(SimpleCollection.java:174) ~[secret-service-1.2.1.jar:?] at org.freedesktop.secret.simple.SimpleCollection.<init>(SimpleCollection.java:92) [secret-service-1.2.1.jar:?]

The code is:
log.trace(response.toString());

It should be changed to:
log.trace(String.valueOf(response));

Perhaps a logging guard statement should be added.

If I understand the spec correctly here

The client application should act as if it must unlock each item individually
https://specifications.freedesktop.org/secret-service/latest/ch08.html

The client must ask the application to unlock the specific item before using get to retrieve the secret. For example, Keepassxc has a configuration, that asks with a prompt if I want to provide access to a secret to the specified application. Because of this, I cannot retrieve secrets. There should be a check, if the secret is locked, before trying to get it.

When calling SimpleCollections::isAvailable, there still can be an ExceptionInInitailzerError thrown.

Exception org.freedesktop.dbus.exceptions.AddressResolvingException: Cannot Resolve Session Bus Address: MachineId file can not be found [in thread "JavaFX Application Thread"]

This is related to the static init of the DBusConnection with the getConnection()method:

The thrown exceptions AddressResolvingException extends not DBusException, but the DBusExecutionException. Unfortunately, I don't know Linux systems good enough to evaluate if the machine-id file must always be readable (see above), but a defensive programming is always benefical.

See also cryptomator/cryptomator#3279.

Hello, on my fedora system gnome-keyring is installed by default and secret-service uses it without any problem (fine!). But is it possible to talk to kwallet as well? And if yes, how to archive this?

As already discussed in the context of #9 and #31:

[...] Please consider using a package namespace that you have sole control over, as org.gnome.* and org.freedesktop.* etc will lead to split packages in the post-Java-8 modular world.

Convention would be for Maven group/artifact, Java module name and root package name to match.

I would suggest to move those packages to de.swiesend.secretservice.gnome.* and de.swiesend.secretservice.freedesktop.* respectively.

Since this is a breaking change, it should be considered before releasing 2.0.0.

Together with #37 and #31 you would then be ready to add a module-info.java (I would volunteer to create a PR).

On more step on the way to fully modular libs :)

I was shocked to have been prompted for a password when I had clearly passed a password as an argument to the SimpleCollection constructor. When I look at the source code, it appears that there is some encryption occurring under the covers. How can I know what to pass to SimpleCollection so that no password prompt appears at runtime?

private static final String COLLECTION_NAME = Main.class.getName();
private static final String PASSWORD = "super-secret";

public static void main(final String [] args) throws IOException {
    final String key = args[0];

    try (SimpleCollection collection = new SimpleCollection(COLLECTION_NAME, PASSWORD)) {
        collection.unlockWithUserPermission();

        try {
            Map<String, String> attributes = new HashMap<>();
            attributes.put(key, String.valueOf(key.hashCode()));
            List<String> items = collection.getItems(attributes);
            if (items != null && !items.isEmpty()) {
                System.out.println("result: " + collection.getSecret(items.get(0)));
            }
        } finally {
            collection.lock();
        }
    }

    System.out.println("no result");
    System.exit(0);
}

There are some unwanted directory entries in the jar:

$ unzip -l lib/secret-service-1.0.0-RC.3.jar 
Archive:  lib/secret-service-1.0.0-RC.3.jar
  Length      Date    Time    Name
---------  ---------- -----   ----
       97  05-07-2019 02:20   META-INF/MANIFEST.MF
        0  05-07-2019 02:20   META-INF/
        0  05-07-2019 02:19   org/
        0  05-07-2019 02:19   org/gnome/
        0  05-07-2019 02:19   org/gnome/keyring/
        0  05-07-2019 02:19   org/gnome/keyring/interfaces/
        0  05-07-2019 02:19   org/freedesktop/
        0  05-07-2019 02:19   org/freedesktop/secret/
        0  05-07-2019 02:19   org/freedesktop/secret/interfaces/
        0  05-07-2019 02:19   org/freedesktop/secret/simple/
        0  05-07-2019 02:19   org/freedesktop/secret/handlers/
        0  05-07-2019 02:19   org/freedesktop/secret/errors/
        0  05-07-2019 02:19   org/freedesktop/dbus/
...

This is bad when using the java 11 module system because it leads to the 'split jar' problem:

error: module secret.service reads package org.freedesktop.dbus from both secret.service and dbus.java

Consider the following application:

import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;

import org.freedesktop.secret.simple.SimpleCollection;

import static java.util.Optional.*;

public class Application {
  public static void main(String[] args) throws IOException {
    var collection = new SimpleCollection("My Collection", null);

    var attributes = Map.of("example", "secret");

    ofNullable(collection.getItems(attributes))
      .flatMap(matchingPaths -> matchingPaths.stream().findFirst())
      .flatMap(pathToSecret -> ofNullable(collection.getSecret(pathToSecret)))
      .ifPresentOrElse(
        secret -> System.out.println(new String(secret)),
        () -> System.out.println("Not found")
      );

    collection.lock();
    collection.close();
    System.out.println("-- Locked & closed the collection");
  }
}

I expect this application to exit after printing the last line "-- Locked & closed the collection" to the console.

The program doesn't stop, however. The Debugger shows that the DBusConnection thread is still running.

I'm writing a CLI program in which I would like to make use of this library to connect to the Gnome Keyring. I'd like to prevent having to explicitly call a System.exit(0) since I use a library to manage the lifecycle of parsing options and calling the appropriate functions after parsing the options.

It does work, however, to explicitly call System.exit(0).