users@glassfish.java.net

Re: Password aliases: just for passwords, or...?

From: Laird Nelson <ljnelson_at_gmail.com>
Date: Sun, 25 Mar 2012 20:36:39 -0400

On Wed, Mar 21, 2012 at 12:29 PM, Tom Mueller <tom.mueller_at_oracle.com> wrote:

> Only domain.xml.
>

Thanks, Tom. One last question about password aliases.

I used one in setting up an LDAP realm. The command line worked great. I
did notice that the actual password value is present in the GUI. That is,
the text box in question under the Additional Properties tab contains the
actual password *value*, not the literal string
${ALIAS=the-alias-name-I-chose}. The good news is of course that the
password alias decoding obviously worked, as the value present in this box
is correct. The bad news--or much more likely my simple
misunderstanding--is that the raw password value itself is now present in
the admin console.

Obviously in order to create a password alias in the first place you need
to have the admin password, but it's still kind of jarring to see this
plaintext value in the GUI. Was that by design, or should I file a bug? I
would have expected to see the literal string
${ALIAS=the-alias-name-I-chose} in the GUI, but perhaps I'm missing
something.

Thanks,
Laird

-- 
http://about.me/lairdnelson
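
An added example, not part of the original message and not GlassFish code: one way to check whether password-like properties in a domain.xml are stored as ${ALIAS=...} references or as literal values, independent of what the admin console displays. The XML fragment is constructed for illustration, and the function name audit_password_properties and the name-matching pattern are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the post: a domain.xml-style fragment with
# one aliased and one literal password property. All names and values are made up.
SAMPLE_DOMAIN_XML = """\
<domain>
  <auth-realm name="example-ldap">
    <property name="search-bind-dn" value="cn=reader,dc=example,dc=org"/>
    <property name="search-bind-password" value="${ALIAS=the-alias-name-I-chose}"/>
  </auth-realm>
  <jdbc-connection-pool name="example-pool">
    <property name="User" value="app"/>
    <property name="Password" value="constructed-literal-secret"/>
  </jdbc-connection-pool>
</domain>
"""

# The whole value must be the alias reference, as in ${ALIAS=the-alias-name-I-chose}.
ALIAS_RE = re.compile(r"^\$\{ALIAS=([^}]+)\}$")
# Assumption: property names that hint at a secret. Adjust for your own config.
SECRET_NAME_RE = re.compile(r"passw(or)?d|secret", re.IGNORECASE)


def audit_password_properties(xml_text):
    """Split password-like <property> elements into aliased and literal ones.

    Returns (aliased, literal): aliased holds (owner, property, alias name),
    literal holds (owner, property). Literal values are never returned.
    """
    root = ET.fromstring(xml_text)
    aliased, literal = [], []
    for parent in root.iter():
        for prop in parent.findall("property"):  # direct children only
            name = prop.get("name", "")
            value = prop.get("value", "").strip()
            if not SECRET_NAME_RE.search(name):
                continue
            owner = parent.get("name", parent.tag)
            match = ALIAS_RE.match(value)
            if match:
                aliased.append((owner, name, match.group(1)))
            elif value:
                literal.append((owner, name))
    return aliased, literal


if __name__ == "__main__":
    ok, plain = audit_password_properties(SAMPLE_DOMAIN_XML)
    for owner, name, alias in ok:
        print(f"aliased  {owner}/{name} -> {alias}")
    for owner, name in plain:
        print(f"LITERAL  {owner}/{name} (value not shown)")
```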