On Tue, Oct 11, 2016 at 7:47 PM, Shawn McKinney <smckin...@apache.org> wrote:
> > On Oct 10, 2016, at 12:31 PM, Kiran Ayyagari <kayyag...@apache.org> wrote:
> >
> > +1 to change it to string. We can always explicitly mark that as "null"
> > after using it.
> >
> > (IMO if the attacker gained access to the OS then we have a bigger
> > operational security issues than
> > implementation)
>
> Kiran, thanks for weighing in. I want to make sure I am understanding….
>
> So at the end of an operation, i.e. createSession ( User user ) we’d do
> something like this:
>
> user.setPassword(null);
>
yes, and GC will take care of clearing up the memory (this may be delayed though, as we all know)

> ?
>
> Thanks,
> Shawn

Kiran
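
The two ways of holding the password that this thread weighs, as an added example that is not part of the original messages or of the project's code. `User` and `CharUser` are hypothetical stand-ins for the class under discussion, and the password value is constructed. It shows that `setPassword(null)` on a `String` field only drops one reference, while a `char[]` can be overwritten in place before the reference is dropped.

```java
import java.util.Arrays;

public class PasswordClearDemo {
    // Hypothetical stand-in for a User whose password is a String.
    static class User {
        private String password;
        void setPassword(String p) { password = p; }
        String getPassword() { return password; }
    }

    // Hypothetical char[] variant, for comparison.
    static class CharUser {
        private char[] password;
        void setPassword(char[] p) { password = p; }
        // Overwrite the characters in place, then drop the reference.
        void clearPassword() {
            if (password != null) {
                Arrays.fill(password, '\0');
                password = null;
            }
        }
    }

    // True when every element of the array has been zeroed.
    static boolean isWiped(char[] chars) {
        for (char c : chars) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String secret = "constructed-sample-pw";   // constructed sample value
        User user = new User();
        user.setPassword(secret);
        user.setPassword(null);                    // what the thread proposes
        // The field is null, but the immutable String is untouched: any other
        // reference still reads it, and it stays on the heap until collected.
        System.out.println("field is null: " + (user.getPassword() == null));
        System.out.println("caller's reference still reads: " + secret);

        char[] secretChars = "constructed-sample-pw".toCharArray();
        CharUser charUser = new CharUser();
        charUser.setPassword(secretChars);
        charUser.clearPassword();
        // The same array the caller holds is now all zeros.
        System.out.println("char[] wiped for every holder: " + isWiped(secretChars));
    }
}
```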