dev@glassfish.java.net

Re: the future of the master password

From: <vince.kraemer_at_Sun.COM>
Date: Tue, 25 Oct 2005 22:00:18 -0700

Okay...

I think I need to restate the question a little bit..

Currently, a user can create a domain in one of four ways...

1. asadmin create-domain with --password option.

This is deprecated because it is a security risk. The --password option is not documented. When the user creates the domain, the domain gets a saved default master-password ("changeit": for those playing along at home). This happens "silently". The user is not prompted during start-domain, since the master-password is read during start-up from the file.

2. create-domain with --savemasterpassword=true.

This prompts the user for a master password as the domain is created. It is saved in master-password. The user-specified master-password is read during domain start-up.

3. create-domain with --passwordfile option.

I honestly don't know what this does, since I haven't tried it. I assume that the master-password is not saved to disk (unless the user gave the --savemasterpassword=true argument). The user would be prompted for the master password IF they don't apply the same --passwordfile option and value to their start-domain command.

4. plain old create-domain.

Prompts for the password and master password as the domain is created. User is prompted for the master-password as the domain is started...

Will the --password option be completely deprecated in the future? Is that likely to happen in the near or long term?

Other comments in line...

----- Original Message -----
From: Kedar Mhaswade <kedar.mhaswade_at_Sun.COM>
Date: Tuesday, October 25, 2005 5:06 pm
Subject: Re: the future of the master password

> For Glassfish appserver, admin password and master password are not
> required to start the domain/only-instance up. Please file a bug (if
> you've not done so already), if for a default domain, "asadmin
> start-domain" prompts for an admin password or a master password.
>
> Good point, though.
>
> The answer lies in what domains/instances you'd like to start (read
> manage) from within the IDE.
> - domain created by the IDE?

There are limited cases where the user is allowed to create a domain from inside the NetBeans IDE. Those instances don't run into this issue starting up [at the moment, because we create them using --password].

> - domain created by someone else?

Even a user that is in the IDE but created the instance from the CLI...

>
> For the former, IDE is already an owner of the domain and they better
> save the master password, if they created the domain with a non-default
> value ("changeit", for now) for it. It is imperative (rightfully so,
> IMO) that they provide the master password "on startup".
>
> For the latter, you ask for all the credentials to the person who owns
> the domain, so that you can start/stop/deploy to the domain.

That is part of the rub....

We currently DISCOURAGE users from entering the admin name and password when they register an instance. It is messy to crypt the password, so we want to prompt the user for those credentials when we need them and keep them in memory.

The master password is a variation on the same theme...
>
> In essence, no -- we are not doing away with starting a domain, simply
> enough. But, we are not taking away the flexibility of "only password
> startable domain/instance". Good, isn't it?
>
> Kedar