We have a need to use security devices with our J2EE/JEE5 applications on SJSAS8.2, GF2, etc. These security devices require passwords to be typed in when accessed by the servlet or EJB.
How does one supply a password to a domain-application when the appserver starts up? I've searched documentation and the forum and the closest I've found is this:
http://wiki.glassfish.java.net/attach/GlassFishAdministrationPages/aliased-passwords.html
However, there are two problems with this:
1) It requires the password to the resource to be stored in the domain-passwords file (which can be a security risk due to dictionary-attacks/rainbow-tables even if encrypted by a master-password); and
2) The wiki page is not entirely clear about how the master password is secured other than by the operating system file-access mode (0600).
While we need to initially test the potential solution with the Sun Java System Application Server PE 8.2 with a J2EE application, we intend to apply the same solution to the updated JEE5 application in GF2/GF3 etc. Pointers and suggestions are appreciated. TIA.
[Message sent by forum member 'arshadnoor' (arshadnoor)]
http://forums.java.net/jive/thread.jspa?messageID=341080