users@connector-spec.java.net

[connector-spec-users] [jsr322-experts] Supporting password aliases in Confidential Properties and the Password Property

From: Sivakumar Thyagarajan <sivakumar.thyagarajan_at_oracle.com>
Date: Tue, 04 Dec 2012 09:23:49 +0530

Hi experts

In EE7, the platform specification defines [1] the ability to reference
a moniker or token instead of an actual password in configuration and
annotations. The application server is responsible for resolving the
token and passing the clear-text password at runtime.
This is particularly useful in scenarios where enterprise security
policies require that passwords not be used in plain text in the file
system or application code.

In Connectors 1.6, a new property "config-property-confidential" was
introduced for Configuration Properties, and Section 5.3.7.6 suggested
that the application server use this attribute to provide specific
visual aids (a Password text field) while accepting values for these
properties. The Connectors specification has also standardized
"Password" as a standard Property for accepting user passwords for
establishing connections to the EIS in Section 20.5.4.

Could we require application servers to support the specification (and
resolution) of Password aliases in all Configuration Properties of a
JavaBean that are marked as confidential, and the standard "Password"
Configuration Property?

*Impact*
With this change, when a user specifies a value for a configuration
property of a JavaBean such as a Resource Adapter, MCF or
ActivationSpec, the user could use a password alias. The application
server is required to resolve this alias and pass the resolved
plain-text password to the resource adapter.

*Spec Impact*
Section 5.3.7.6: Add the following lines: "A Password alias may be used
while configuring confidential properties. The application server is
responsible for resolving the alias and passing the clear text password
to the JavaBean. For more details on the Password Alias feature and its
format, see Section EE.3.7 "Password Aliasing and Management" of the
Java EE 7 platform specification."

Section 20.5.4: Add the following lines: "The application server must
support the specification of password aliases in the Password standard
Property. For more details on the Password Alias feature and its
format, see Section EE.3.7 "Password Aliasing and Management" of the
Java EE 7 platform specification."

Thanks
--Siva.

[1] Original Proposal thread in javaee-spec
http://java.net/projects/javaee-spec/lists/jsr342-experts/archive/2012-01/message/37
and Section EE.3.7 in
http://java.net/projects/javaee-spec/downloads/download/JavaEE_Platform_Spec_EDR2.pdf
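The resolution step the proposal asks application servers to perform, as an added example that is not part of the message, the Connectors specification, or any application server's code: aliases are resolved only in properties flagged config-property-confidential="true" and in the standard "Password" property, an unknown alias fails the deployment rather than being passed through, and the clear-text values are then pushed into the JavaBean through its setters. The ${ALIAS=name} token syntax, the in-memory vault, the SampleMcf bean and all property values are assumptions constructed for the example; the real token format is whatever Section EE.3.7 defines.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not code from the Connectors spec or from any application server.
 * Resolves password aliases in the confidential config properties of a JavaBean
 * (RA, ManagedConnectionFactory or ActivationSpec) and injects the resolved values.
 * ASSUMPTION: the alias token is written as ${ALIAS=name}; the actual format is
 * defined by Section EE.3.7 of the platform specification.
 */
public class PasswordAliasResolver {

    private static final Pattern ALIAS_TOKEN = Pattern.compile("^\\$\\{ALIAS=([\\w.-]+)\\}$");

    /** Constructed in-memory alias store standing in for the server's protected vault. */
    private final Map<String, char[]> vault = new HashMap<>();

    public void addAlias(String alias, char[] secret) {
        vault.put(alias, secret.clone());
    }

    /**
     * Returns a copy of the deployment-time config with aliases replaced by clear text.
     * Only properties flagged config-property-confidential="true" (plus the standard
     * "Password" property) are resolved; a token in any other property is left literal,
     * so alias resolution cannot be used to pull a secret into a non-confidential
     * property that may later be shown in a console or written to a log.
     */
    public Map<String, String> resolve(Map<String, String> config, Set<String> confidential) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            String name = e.getKey();
            String value = e.getValue();
            boolean eligible = confidential.contains(name) || "Password".equals(name);
            Matcher m = value == null ? null : ALIAS_TOKEN.matcher(value);
            if (eligible && m != null && m.matches()) {
                char[] secret = vault.get(m.group(1));
                if (secret == null) {
                    // Fail closed; the error names the alias and property, never a value.
                    throw new IllegalStateException("unresolved password alias '" + m.group(1)
                            + "' in confidential property " + name);
                }
                value = new String(secret);
            }
            out.put(name, value);
        }
        return out;
    }

    /** Pushes resolved values into the JavaBean through its setters, as the server would. */
    public static void inject(Object bean, Map<String, String> resolved) throws Exception {
        Map<String, PropertyDescriptor> setters = new HashMap<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
            if (pd.getWriteMethod() != null) setters.put(pd.getName(), pd);
        }
        for (Map.Entry<String, String> e : resolved.entrySet()) {
            // ra.xml names such as "Password" map to the JavaBean property "password".
            PropertyDescriptor pd = setters.get(Introspector.decapitalize(e.getKey()));
            if (pd != null) pd.getWriteMethod().invoke(bean, e.getValue());
        }
    }

    /** Constructed stand-in MCF: the standard properties of Section 20.5.4 plus two extras. */
    public static class SampleMcf {
        private String serverName, userName, password, apiKey, label;
        public void setServerName(String v) { serverName = v; }
        public void setUserName(String v) { userName = v; }
        public void setPassword(String v) { password = v; }
        public void setApiKey(String v) { apiKey = v; }
        public void setLabel(String v) { label = v; }
        public String getPassword() { return password; }
        public String getApiKey() { return apiKey; }
        public String getLabel() { return label; }
    }

    public static void main(String[] args) throws Exception {
        PasswordAliasResolver server = new PasswordAliasResolver();
        server.addAlias("eis-db-pw", "s3cret".toCharArray());     // constructed secret
        server.addAlias("eis-api-key", "k-0123".toCharArray());   // constructed secret

        // Constructed deployment config, as an administrator would type it.
        Map<String, String> config = new LinkedHashMap<>();
        config.put("ServerName", "eis.example.internal");
        config.put("UserName", "app");
        config.put("Password", "${ALIAS=eis-db-pw}");   // standard property: always eligible
        config.put("ApiKey", "${ALIAS=eis-api-key}");   // marked confidential in ra.xml
        config.put("Label", "${ALIAS=eis-db-pw}");      // not confidential: token stays literal

        SampleMcf mcf = new SampleMcf();
        inject(mcf, server.resolve(config, Collections.singleton("ApiKey")));
        System.out.println("password resolved: " + "s3cret".equals(mcf.getPassword()));
        System.out.println("apiKey resolved:   " + "k-0123".equals(mcf.getApiKey()));
        System.out.println("label untouched:   " + mcf.getLabel());
    }
}
```

The resource adapter still receives the clear-text password, exactly as the proposal states, so the vault backing the resolver (a keystore or similar in a real server) is what the enterprise policy actually protects; the alias only keeps the value out of ra.xml, deployment descriptors and annotations.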