I need to perform authorization against tomcat programmatically.
The way I'm currently doing it is like that:
String username = "tomcat_admin";
char[] password = CryptoUtility.decrypt(System.getenv("TOMCAT_ADMIN_PWD"));
URL tomcat = new URL("http://localhost:8080/manager/html");
HttpURLConnection conn = (HttpURLConnection) tomcat..openConnection();
String encoded = Base64.getEncoder().encodeToString((username+":"+password).getBytes());
conn.setRequestProperty("Authorization", "Basic " + encoded);
...
The second line performs some cryptographic process, since env variable TOMCAT_ADMIN_PWD holds encrypted value of the password.
When using Fortify to scan my project, it claims that storing sensitive information, like passwords, in String object (in the "encoded" variable) is a high security risk because these immutable objects reside in memory until garbage collector decides to clean them. (Thus can be viewed in memory dump in case of crush)
The only way I found to work with char[] for basic authentication is with the Authenticator class, but I prefer not to use it since it may produce really annoying bugs like this one.
I have 2 questions:
1. Is it possible to set the header in more secure way? I've scanned the API and couldn't find anything useful.
2. Is it really a serious security issue? Is overwriting data in memory exaggerated from security point of view?
