users@glassfish.java.net

Re: Password aliases: just for passwords, or...?

From: Laird Nelson <ljnelson_at_gmail.com>
Date: Mon, 26 Mar 2012 08:37:24 -0400

On Mon, Mar 26, 2012 at 1:09 AM, Anissa Lam <anissa.lam_at_oracle.com> wrote:

> On 3/25/12 5:36 PM, Laird Nelson wrote:
>
> I used [a password alias] in setting up an LDAP realm. The command line
> worked great. I did notice that the actual password value is present in
> the GUI.
>
> I assume you are using the console to create this LDAP realm. You specify
> the property value to be ${ALIAS=the-alias-name-i-use}, and then when you
> look at the page again, the property value is decoded to be the actual
> password.
>

Yes, except that I actually used the command line (on Linux):

asadmin --port=7048 create-auth-realm --classname
"com.sun.enterprise.security.auth.realm.ldap.LDAPRealm"
--property "jaas-context=ldapRealm:directory=ldap\://myhost.goes.here\:389
:base-dn=ou\=Users,ou\=SomeOrgUnit,o\=mycompany.com:search-filter=cn\=%s
:group-base-dn=ou\=Roles,ou\=SomeOrgUnit,o\=mycompany.com
:group-search-filter=member\=%d:group-target=cn:search-bind-dn=
cn\=adminuser,ou\=Users,ou\=SomeOrgUnit,o\=mycompany.com:search-bind-password=${ALIAS=ldaprealm-password}"
"MyRealm"

(create-auth-realm reference:
http://docs.oracle.com/cd/E26576_01/doc.312/e24938/create-auth-realm.htm#create-auth-realm-1)

I did run into some troubles with equals signs (as you might expect), but a
combination of backslashes and quoting solved the problem (as you also
might expect :-)). In reality, I can't remember whether the --property
option was quoted with single quotes or double quotes; I believe that
actually as I have it written above there's still going to be a case where
the shell wants to jump in and try to expand ${ALIAS=ldaprealm-password} in
some way; I may be missing a backslash or two above. (This formulation
above is the only record I have of a series of attempts I made.)


> I tried and experienced the same thing as you are seeing.
> I notice that even though the console is passing in
> ${ALIAS=the-alias-name-i-choose} to the backend to create the realm, it is
> written out to domain.xml with the value decoded.
>

Oh, I didn't even check that...

{time passes}

...yep; here too.


> I am seeing this in domain.xml after the creation:
>
> <auth-realm name="myLdapRealm"
> classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
> <property name="directory" value="/tmp"></property>
> <property name="base-dn" value="C=US"></property>
> * <property name="TEST" value="abc"></property>*
> <property name="jaas-context"
> value="ldapRealm"></property>
> </auth-realm>
>

Yes.


> Please file a bug on this. create-auth-realm command should not decode
> and write out the password in plain text in domain.xml when user is using a
> password alias.
>

Good; I didn't think so. Bug filed:
http://java.net/jira/browse/GLASSFISH-18557

Best,
Laird

-- 
http://about.me/lairdnelson
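As an added check that is not part of this thread: a small Python script that scans a GlassFish domain.xml for <auth-realm> password properties (the LDAPRealm search-bind-password from the thread, plus any other property whose name ends in -password, which is an assumption) and reports those holding a literal value instead of a ${ALIAS=...} reference. The sample domain.xml below is constructed to mirror the decoded-password behaviour described above.

```python
"""Flag auth-realm password properties in domain.xml that are stored as
literal values rather than as ${ALIAS=...} password-alias references."""
import re
import xml.etree.ElementTree as ET

# Property names treated as secrets. search-bind-password is the LDAPRealm
# property discussed in the thread; the "-password" suffix rule is an assumption.
SECRET_PROPERTY_NAMES = {"search-bind-password", "password"}
ALIAS_RE = re.compile(r"^\$\{ALIAS=[^}]+\}$")


def is_alias_reference(value):
    """True when the value is exactly a ${ALIAS=name} reference."""
    return bool(ALIAS_RE.match(value or ""))


def find_plaintext_secrets(domain_xml):
    """Return (realm-name, property-name) pairs whose value is not an alias."""
    root = ET.fromstring(domain_xml)
    findings = []
    for realm in root.iter("auth-realm"):
        for prop in realm.findall("property"):
            name = prop.get("name", "")
            if name in SECRET_PROPERTY_NAMES or name.endswith("-password"):
                if not is_alias_reference(prop.get("value")):
                    findings.append((realm.get("name"), name))
    return findings


# Constructed sample: MyRealm has the bind password written out decoded (the
# bug from the thread); GoodRealm still carries the alias reference.
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config"><security-service>
    <auth-realm name="MyRealm"
        classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
      <property name="directory" value="ldap://myhost.goes.here:389"/>
      <property name="search-bind-dn" value="cn=adminuser,ou=Users,o=mycompany.com"/>
      <property name="search-bind-password" value="not-a-real-password"/>
      <property name="jaas-context" value="ldapRealm"/>
    </auth-realm>
    <auth-realm name="GoodRealm"
        classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
      <property name="search-bind-password" value="${ALIAS=ldaprealm-password}"/>
    </auth-realm>
  </security-service></config></configs>
</domain>"""

if __name__ == "__main__":
    for realm, prop in find_plaintext_secrets(SAMPLE_DOMAIN_XML):
        print(f"realm {realm!r}: {prop!r} holds a literal value, not an alias")
```

Pointing find_plaintext_secrets at the real domain.xml (read as a string) gives a quick way to confirm whether a freshly created realm was affected.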