Why does Spring Security not provide character array parameters for passwords
If the best practice for handling sensitive data in Java is to use character arrays, why do most methods in Spring Security use String or CharSequence? For example, the Encryptors methods take CharSequence. In fact, looking at the source code of these methods, they actually end up converting the CharSequence to String. Since the people on this project have more life experience in these matters than ever, I feel like I am missing something. Does anyone know how to transfer sensitive data to these methods?
source to share
You really can't do much to shorten the password expiration time in the Servlet Container because HttpServletRequest returns HTTP parameters as a string. This way, Spring Security can take every step in the world to shorten the lifespan of a password, but that won't make a difference because the String already exists.
-Rob Winch (Spring Security)
source to share