Description
I think using PasswordHolder is a mistake. That's not in the original article and it breaks things when multiple DataSources are used.
I believe this page is correct: https://wiki.apache.org/tomcat/FAQ/Password
But I also have to pass an automated security audit.
I hate to even bring this up because there is so much security theater involved in trying to secure a password.
Doesn't the static string field in PasswordHolder force the decrypted password to sit in memory?
I realize the decrypted password is also probably in the string table and in the database driver and any number of other places. I guess I'm wondering, if the original article wasn't holding on to the password and it appears to work without holding on to it, can't PasswordHolder just go away?
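To make the memory question concrete, here is an added example that is not code from this project or from the linked article. It contrasts a static `String` holder of the kind the issue describes with a decrypt-use-wipe pattern where the cleartext lives in a `char[]` with the narrowest scope and is zeroed afterwards. `PasswordHolder`, `decrypt`, `encryptForDemo` and `useForConnection` are hypothetical names; the XOR "cipher" is a placeholder so the example runs stand-alone and is not a real encryption scheme.

```java
import java.util.Arrays;

// Added example, not project code. Demonstrates why a static String field keeps
// a decrypted password reachable, and a scoped char[] alternative.
public class PasswordScopeDemo {

    // Pattern A: the holder the issue objects to (hypothetical shape). A static
    // String reference keeps the decrypted value reachable for the lifetime of
    // the class loader, and String contents cannot be overwritten in place.
    static final class PasswordHolder {
        static String password;
    }

    // Pattern B: decrypt into a char[], hand it to the consumer, then wipe it.
    // Only our own copy is wiped; copies the driver or String table make are
    // outside this code's control, as the issue already notes.
    static String connectWithScopedPassword(byte[] encrypted) {
        char[] clear = decrypt(encrypted);
        try {
            return useForConnection(clear);
        } finally {
            Arrays.fill(clear, '\0'); // zero the cleartext once it is no longer needed
        }
    }

    // Placeholder "cipher": XOR with a constant, so the example is self-contained.
    // A real factory would call the project's actual decryption routine.
    private static final byte DEMO_KEY = 0x5A;

    static char[] decrypt(byte[] encrypted) {
        char[] out = new char[encrypted.length];
        for (int i = 0; i < encrypted.length; i++) {
            out[i] = (char) ((encrypted[i] ^ DEMO_KEY) & 0x7F);
        }
        return out;
    }

    static byte[] encryptForDemo(char[] clear) {
        byte[] out = new byte[clear.length];
        for (int i = 0; i < clear.length; i++) {
            out[i] = (byte) (clear[i] ^ DEMO_KEY);
        }
        return out;
    }

    // Stand-in for passing the password to a DataSource/driver. A real driver
    // would typically copy the value into a String of its own.
    static String useForConnection(char[] pw) {
        return "connected(passwordLength=" + pw.length + ")";
    }

    public static void main(String[] args) {
        char[] constructedSecret = "s3cret".toCharArray(); // constructed sample value
        byte[] encrypted = encryptForDemo(constructedSecret);
        Arrays.fill(constructedSecret, '\0');

        // Pattern A: cleartext now sits in the heap for as long as the class is loaded.
        PasswordHolder.password = new String(decrypt(encrypted));
        System.out.println("holder retains: " + (PasswordHolder.password != null));

        // Pattern B: cleartext exists only for the duration of the call.
        System.out.println(connectWithScopedPassword(encrypted));
    }
}
```

Run with `javac PasswordScopeDemo.java && java PasswordScopeDemo`. The point of the contrast is scope, not secrecy: the scoped version limits how long this code keeps the cleartext alive and reachable, which is what a memory-retention finding in an automated audit usually flags, while the static holder extends that lifetime to the whole process.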