Passwords visible in JVM dump: https://issues.apache.org/jira/browse/SHIRO-539
Technically this is a duplicate of SHIRO-349, which suggests to change the API (see my previous mails). With the ByteStreamBroker mechanism, this would not happen anymore. So maybe close as duplicate, if you like. Best regards, Ben
