users@glassfish.java.net

Re: Password aliases: just for passwords, or...?

From: Anissa Lam <anissa.lam_at_oracle.com>
Date: Sun, 25 Mar 2012 22:09:29 -0700

Hi Laird,

On 3/25/12 5:36 PM, Laird Nelson wrote:
> On Wed, Mar 21, 2012 at 12:29 PM, Tom Mueller <tom.mueller_at_oracle.com
> <mailto:tom.mueller_at_oracle.com>> wrote:
>
> Only domain.xml.
>
>
> Thanks, Tom. One last question about password aliases.
>
> I used one in setting up an LDAP realm. The command line worked
> great. I did notice that the actual password value is present in the
> GUI. That is, the text box in question under the Additional
> Properties tab contains the actual password *value*, not the literal
> string ${ALIAS=the-alias-name-I-chose}.
I assume you are using the console to create this LDAP realm. You
specify the property value to be ${ALIAS=the-alias-name-i-use}, and
then when you look at the page again, the property value is decoded to
be the actual password.

I tried and experienced the same thing you are seeing.
I noticed that even though the console is passing in
${ALIAS=the-alias-name-i-choose} to the backend to create the realm, it
is written out to domain.xml with the value decoded.
I am seeing this in domain.xml after the creation:

<auth-realm name="myLdapRealm"
classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
<property name="directory" value="/tmp"></property>
<property name="base-dn" value="C=US"></property>
*<property name="TEST" value="abc"></property>*
<property name="jaas-context" value="ldapRealm"></property>
</auth-realm>

with the REST request
[#|2012-03-25T21:40:19.176-0700|FINEST|glassfish3.1.2|org.glassfish.admingui|_ThreadID=25;_ThreadName=admin-thread-pool-4848(6);ClassName=org.glassfish.admingui.common.util.RestUtil;MethodName=restRequest;|restRequest:
endpoint=http://localhost:4848/management/domain/configs/config/server-config/security-service/auth-realm
attrs={name=myLdapRealm,
classname=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm,
target=server-config,
property=*TEST="${ALIAS=the-alias-name-i-choose}"*:jaas-context=ldapRealm:base-dn="C=US":directory="/tmp":}
method=post|#]

that's why you are seeing the decoded value in the console after the
creation.

I see that this happens only when creating the realm. If the property
is added AFTER the realm is created, i.e. during editing, then it will be
written out to domain.xml as the alias and the console will also show that
correctly.

Please file a bug on this. The create-auth-realm command should not decode
and write out the password in plain text in domain.xml when the user is
using a password alias.

I tried to see how it behaves when using the CLI to create the realm.
Unfortunately, I cannot get the CLI to work correctly although I think
that's the correct syntax.

I tried:
%asadmin create-auth-realm --classname
com.sun.enterprise.security.auth.realm.ldap.LDAPRealm --property
*TEST="${ALIAS=the-alias-name-i-choose}"*:jaas-context=ldapRealm:base-dn=foo:directory=/tmp
ldap2
Command create-auth-realm executed successfully.

and see this in domain.xml
<auth-realm name="ldap2"
classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
<property name="directory" value="/tmp"></property>
<property name="base-dn" value="foo"></property>
*<property name="TEST" value="the-alias-name-i-choose"></property> *
<property name="jaas-context" value="ldapRealm"></property>
</auth-realm>

Tom, am I using the correct syntax, or is this another issue with
create-auth-realm when using a password alias?

Thanks,
Anissa.

> The good news is of course that the password alias decoding obviously
> worked, as the value present in this box is correct. The bad news--or
> much more likely my simple misunderstanding--is that the raw password
> value itself is now present in the admin console.
>
> Obviously in order to create a password alias in the first place you
> need to have the admin password, but it's still kind of jarring to see
> this plaintext value in the GUI. Was that by design, or should I file
> a bug?
> I would have expected to see the literal string
> ${ALIAS=the-alias-name-I-chose} in the GUI, but perhaps I'm missing
> something.
>
> Thanks,
> Laird
>
> --
> http://about.me/lairdnelson
>
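Added example, not part of the thread or of GlassFish itself: a small audit an administrator could run over domain.xml to catch the two symptoms described above, a property that should hold a `${ALIAS=...}` reference but instead holds the decoded secret (console create), or holds only the bare alias name (CLI create). The sample domain.xml fragment is constructed from the snippets in the thread; the set of password-carrying property names and the set of known aliases (as listed by `asadmin list-password-aliases`) are inputs the caller supplies.

```python
import re
import xml.etree.ElementTree as ET

# Reference syntax GlassFish expands at runtime: ${ALIAS=alias-name}
ALIAS_REF = re.compile(r"^\$\{ALIAS=([^}]+)\}$")

LDAP_REALM = "com.sun.enterprise.security.auth.realm.ldap.LDAPRealm"

# Constructed fragment mirroring the realms in the thread plus one correct realm.
SAMPLE_DOMAIN_XML = f"""<domain><configs><config name="server-config">
<security-service>
  <auth-realm name="myLdapRealm" classname="{LDAP_REALM}">
    <property name="directory" value="/tmp"></property>
    <property name="base-dn" value="C=US"></property>
    <property name="TEST" value="abc"></property>
    <property name="jaas-context" value="ldapRealm"></property>
  </auth-realm>
  <auth-realm name="ldap2" classname="{LDAP_REALM}">
    <property name="directory" value="/tmp"></property>
    <property name="TEST" value="the-alias-name-i-choose"></property>
  </auth-realm>
  <auth-realm name="ldap3" classname="{LDAP_REALM}">
    <property name="TEST" value="${{ALIAS=the-alias-name-i-choose}}"></property>
  </auth-realm>
</security-service></config></configs></domain>"""


def audit_realm_properties(domain_xml, secret_props, known_aliases):
    """Return (realm, property, reason) for every watched property that is not
    a well-formed reference to an existing password alias."""
    findings = []
    root = ET.fromstring(domain_xml)
    for realm in root.iter("auth-realm"):
        for prop in realm.findall("property"):
            name, value = prop.get("name", ""), prop.get("value", "")
            if name not in secret_props:
                continue
            m = ALIAS_REF.match(value)
            if m:  # proper ${ALIAS=...}; only complain if the alias does not exist
                if m.group(1) not in known_aliases:
                    findings.append((realm.get("name"), name, "unknown-alias"))
            elif value in known_aliases:  # CLI symptom: wrapper stripped, bare name kept
                findings.append((realm.get("name"), name, "bare-alias-name"))
            else:  # console symptom: alias decoded, secret stored in plaintext
                findings.append((realm.get("name"), name, "plaintext-secret"))
    return findings


if __name__ == "__main__":
    for hit in audit_realm_properties(SAMPLE_DOMAIN_XML, {"TEST"}, {"the-alias-name-i-choose"}):
        print("%s/%s: %s" % hit)
```

Run it against a real domain.xml with the realm's actual password property names in `secret_props`; any `plaintext-secret` hit is a secret that has leaked into the config file and should be rotated after the property is re-set to its alias form.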