users@glassfish.java.net

Re: Password aliases: just for passwords, or...?

From: Tom Mueller <tom.mueller_at_oracle.com>
Date: Mon, 26 Mar 2012 07:03:04 -0700 (PDT)

Here's the syntax that I use with the bash shell:

asadmin create-auth-realm --classname
com.sun.enterprise.security.auth.realm.ldap.LDAPRealm --property
'TEST=${ALIAS\=myalias}:jaas-context=ldapRealm:base-dn=foo:directory=/tmp'
ldap2

Note the use of single quotes (') around the property list and the
escaped equal sign (=) in the alias.

The command line with csh might be different - I don't typically use csh.

Tom


On 3/26/2012 12:09 AM, Anissa Lam wrote:
> Hi Laird,
>
> On 3/25/12 5:36 PM, Laird Nelson wrote:
>> On Wed, Mar 21, 2012 at 12:29 PM, Tom Mueller <tom.mueller_at_oracle.com
>> <mailto:tom.mueller_at_oracle.com>> wrote:
>>
>> Only domain.xml.
>>
>>
>> Thanks, Tom. One last question about password aliases.
>>
>> I used one in setting up an LDAP realm. The command line worked
>> great. I did notice that the actual password value is present in the
>> GUI. That is, the text box in question under the Additional
>> Properties tab contains the actual password *value*, not the literal
>> string ${ALIAS=the-alias-name-I-chose}.
> I assume you are using the console to create this LDAP realm. You
> specify the property value to be ${ALIAS=the-alias-name-i-use}, and
> then when you look at the page again, the property value is decoded
> to be the actual password.
>
> I tried and experienced the same thing as you are seeing.
> I notice that even though the console is passing in
> ${ALIAS=the-alias-name-i-choose} to the backend to create the realm,
> it is written out to domain.xml with the value decoded.
> I am seeing this in domain.xml after the creation:
>
> <auth-realm name="myLdapRealm"
> classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
> <property name="directory" value="/tmp"></property>
> <property name="base-dn" value="C=US"></property>
> *<property name="TEST" value="abc"></property>*
> <property name="jaas-context" value="ldapRealm"></property>
> </auth-realm>
>
> with the REST request
> [#|2012-03-25T21:40:19.176-0700|FINEST|glassfish3.1.2|org.glassfish.admingui|_ThreadID=25;_ThreadName=admin-thread-pool-4848(6);ClassName=org.glassfish.admingui.common.util.RestUtil;MethodName=restRequest;|restRequest:
> endpoint=http://localhost:4848/management/domain/configs/config/server-config/security-service/auth-realm
> attrs={name=myLdapRealm,
> classname=com.sun.enterprise.security.auth.realm.ldap.LDAPRealm,
> target=server-config,
> property=*TEST="${ALIAS=the-alias-name-i-choose}"*:jaas-context=ldapRealm:base-dn="C=US":directory="/tmp":}
> method=post|#]
>
> that's why you are seeing the decoded value in the console after the
> creation.
>
> I see that this happens only when creating the realm. If the
> property is added AFTER the realm is created, i.e. during editing, then
> it will be written out to domain.xml as the alias and console will
> also show that correctly.
>
> Please file a bug on this. create-auth-realm command should not
> decode and write out the password in plain text in domain.xml when
> user is using a password alias.
>
> I tried to see how it behaves when using CLI to create the realm.
> Unfortunately, I cannot get CLI to work correctly although I think
> that's the correct syntax.
>
> I tried:
> %asadmin create-auth-realm --classname
> com.sun.enterprise.security.auth.realm.ldap.LDAPRealm --property
> *TEST="${ALIAS=the-alias-name-i-choose}"*:jaas-context=ldapRealm:base-dn=foo:directory=/tmp
> ldap2
> Command create-auth-realm executed successfully.
>
> and see this in domain.xml
> <auth-realm name="ldap2"
> classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm">
> <property name="directory" value="/tmp"></property>
> <property name="base-dn" value="foo"></property>
> *<property name="TEST" value="the-alias-name-i-choose"></property>*
> <property name="jaas-context" value="ldapRealm"></property>
> </auth-realm>
>
> Tom, am I using the correct syntax, or is this another issue with
> create-auth-realm when using password alias ?
>
> thanks
> Anissa.
>
>> The good news is of course that the password alias decoding obviously
>> worked, as the value present in this box is correct. The bad
>> news--or much more likely my simple misunderstanding--is that the raw
>> password value itself is now present in the admin console.
>>
>> Obviously in order to create a password alias in the first place you
>> need to have the admin password, but it's still kind of jarring to
>> see this plaintext value in the GUI. Was that by design, or should I
>> file a bug?
>> I would have expected to see the literal string
>> ${ALIAS=the-alias-name-I-chose} in the GUI, but perhaps I'm missing
>> something.
>
>>
>> Thanks,
>> Laird
>>
>> --
>> http://about.me/lairdnelson
>>
>
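The following is an added example, not something posted in this thread, that makes Tom's quoting advice concrete. In bash and any POSIX sh, `${ALIAS=word}` inside double quotes is the shell's own "assign default value" expansion: because `ALIAS` is unset in a normal admin shell, the shell substitutes the alias name itself and asadmin never sees `${ALIAS=...}`, which is exactly the `value="the-alias-name-i-choose"` Anissa found in domain.xml. Inside single quotes nothing is expanded, so the reference (and the backslash that the thread says asadmin's property parser needs in front of the `=`) reaches asadmin intact. The helper names `alias_reference_survives` and `property_value_is_plaintext` are my own, and the `<property>` lines fed to the second helper are constructed samples modelled on the domain.xml fragments quoted above.

```shell
#!/bin/sh
# Added example (not from the mailing list): what the shell actually hands to
# asadmin under the two quoting styles discussed in the thread.

# Double quotes: the POSIX ${parameter=word} expansion fires in the shell,
# ALIAS is assigned the alias name, and that name is substituted into the
# argument. The literal "${ALIAS=" never reaches asadmin.
double_quoted_property() {
    unset ALIAS
    printf '%s' "TEST=${ALIAS=the-alias-name-i-choose}:jaas-context=ldapRealm:base-dn=foo:directory=/tmp"
}

# Single quotes: no expansion at all, so the ${ALIAS\=...} reference, backslash
# included, reaches asadmin unchanged (Tom's working form).
single_quoted_property() {
    printf '%s' 'TEST=${ALIAS\=the-alias-name-i-choose}:jaas-context=ldapRealm:base-dn=foo:directory=/tmp'
}

# Pre-flight check on an argument before running the real asadmin command:
# returns 0 if it still carries an alias reference, 1 if the shell already
# resolved it.
alias_reference_survives() {
    case "$1" in
        *'${ALIAS'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Post-hoc check on one <property name="..." value="..."> line from domain.xml:
# returns 0 (flag it) when the value is non-empty and is not an alias
# reference, i.e. the secret was written out in clear.
property_value_is_plaintext() {
    value=$(printf '%s' "$1" | sed -n 's/.*value="\([^"]*\)".*/\1/p')
    [ -n "$value" ] && ! alias_reference_survives "$value"
}

# Demonstration: the double-quoted form loses the alias, the single-quoted
# form keeps it.
for arg in "$(double_quoted_property)" "$(single_quoted_property)"; do
    if alias_reference_survives "$arg"; then
        echo "OK  : $arg"
    else
        echo "LOST: $arg"
    fi
done

# Constructed domain.xml lines in the shape quoted in the thread.
property_value_is_plaintext '<property name="TEST" value="abc"></property>' \
    && echo 'plaintext value found in domain.xml property TEST'
property_value_is_plaintext '<property name="TEST" value="${ALIAS=myalias}"></property>' \
    || echo 'alias reference intact in domain.xml property TEST'
```

Running it prints one `LOST:` line for the double-quoted argument and one `OK :` line for the single-quoted one; the same `alias_reference_survives` check can be pointed at the `--property` string in a wrapper script so a resolved alias is caught before the realm is created, and `property_value_is_plaintext` can be run over the `<property>` lines of domain.xml after the fact.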