1) Passwords are stored in the web application context (i.e: in the internal memory of the application instance)
2) Yes, they do need to be set only during the deployment process. But you have to get you mind clear about the fact that while the application-server is restarted, all the application instances in it get redeployed. So the result is that you should re-enter the passwords again.
3) Based on point 1, passwords are kept in the application internal context, so they cannot be used by other application (though, i think it depends of the kind of applications you're implementing, if they do share such context). Whats over, if you're restarting the app-server, and all your applications are inside it, then they will all be redeployed. It would make sense only if your sharing instances which reside in different servers, and i don't know if this might be possible (or recommended).
Summary: yes you have to re-enter the passwords, but normally on a production ambient you would not make many re-deployments. Even if you don't use this type of configuration, a restart would be a temporary problem for the client.